Hello ‘123456,’ my old friend, I’ve come to talk with you again

Hear me, Ebenezer Everybody! Tonight you shall be visited by three spirits. The ghosts of the passwords you’ve used on your email account, your online bank account, your Twitter account, your Instagram account, your… OK, scratch that, you’ll be visited by at least 100 truly terrible password ghosts.

Their breath is foul, because some of us have reused them until they’ve begun to compost – an odor that attracts swarms of hackers who’ll use them to try to get into not just one breached account, but ALL of your accounts while they’re at it.

They’re spirits, because wow, these things are old. Seriously, are we seeing you again, “123456?”

Yes, we are.

Once again, it’s end-of-the-year, worst-passwords listicle time, and once again, “123456” reigns supreme as the king of bad passwords on SplashData’s annual worst password list.

Just like it did last year. And in every year since 2013, when it knocked “password” from its number one spot.

Last year, SplashData evaluated more than five million leaked passwords to see how often they showed up. Since 2011, it’s been publishing the list based on millions of passwords leaked in data breaches. SplashData didn’t actually say how many breached passwords they analyzed for this year’s list, which it published in two sets of 50: here’s the worst 1-49, and here’s the worst 50-100.

Last year, tired of nagging users about using these clunkers, I instead took websites to task. Users are clearly never going to stop using “123456,” “123456789,” “qwerty” or “password” – 2019’s top four most commonly breached passwords – so how about if websites and services simply stop allowing users to choose passwords that are on the list of worst passwords?

Sites and services could do even more, we suggested – they could, say, disallow creation of any of the 10,000 worst passwords. Or maybe use rate limiting, which gives even the weakest password a serious upgrade. Limiting the number of times a user can try a wrong password means that attacks take a long time. Attackers have to be far more circumspect about how many guesses they make: as we noted, all you have to do is ask the FBI about how inconvenient, or impossible, it can make the task of forcing your way in past an unknown login.
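A sketch of the two server-side measures suggested above, added here as an example that is not code from the original article or from SplashData: a blocklist check at password creation and a per-account limit on wrong guesses. The names, the seven-entry sample list, the five-failures-per-15-minutes limit and the "alice" account are assumptions.

```python
import hmac
import time

# Constructed sample; a real deployment would load its 10,000-entry list from a file.
WORST_PASSWORDS = {"123456", "123456789", "qwerty", "password", "banana", "whatever", "cookie"}

def is_allowed_password(candidate, blocklist=WORST_PASSWORDS):
    """Refuse a new password that is on the blocklist, ignoring letter case."""
    return candidate.casefold() not in blocklist

class LoginRateLimiter:
    """Allow at most max_failures wrong passwords per account in any window_seconds span."""

    def __init__(self, max_failures=5, window_seconds=900, clock=time.monotonic):
        self.max_failures, self.window, self.clock = max_failures, window_seconds, clock
        self._failures = {}  # account name -> timestamps of recent wrong guesses

    def attempt(self, account, supplied, check_password):
        """Return 'ok', 'wrong' or 'throttled'; a throttled guess is never checked."""
        cutoff = self.clock() - self.window
        recent = [t for t in self._failures.get(account, []) if t > cutoff]
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            return "throttled"
        if check_password(supplied):
            del self._failures[account]
            return "ok"
        recent.append(self.clock())
        return "wrong"

def simulate_guessing(guesses, real_password, max_failures=5, window_seconds=900):
    """Try each guess in order on a simulated clock; return (found, seconds_elapsed)."""
    now = [0]
    limiter = LoginRateLimiter(max_failures, window_seconds, clock=lambda: now[0])
    def check(supplied):  # stand-in for verifying against a stored password hash
        return hmac.compare_digest(supplied.encode(), real_password.encode())
    for guess in guesses:
        result = limiter.attempt("alice", guess, check)
        while result == "throttled":
            now[0] += 60  # the guesser waits a simulated minute and retries
            result = limiter.attempt("alice", guess, check)
        if result == "ok":
            return True, now[0]
    return False, now[0]

if __name__ == "__main__":
    guesses = [f"guess{i}" for i in range(9999)] + ["correct-one"]
    found, seconds = simulate_guessing(guesses, "correct-one")
    print(found, round(seconds / 86400, 1), "days")  # 10,000 guesses at 5 per 15 minutes
```

With these assumed limits, working through a 10,000-entry list against a single account takes about three weeks of simulated time instead of seconds.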

Clearly, there’s still work to be done. Bad passwords are still being cooked up, and reused, though they don’t have to be. If you’d like a short, easy way to pick a proper password, you can watch our video.


And if a website gives you the option to turn on two-factor authentication (2FA or MFA), by all means, turn it on. It will protect you even if you use something like a) “banana” (#97 on this year’s listicle), b) “whatever” (#58), or c) “cookie” (#95).

Maybe SplashData is tired of nagging users, too. Maybe that’s why it released the listicle without a lot of verbiage. Instead, it compiled a video full of imagery, including a) a kid dancing with a banana, b) comedian Mindy Kaling slapping her forehead, c) a bunny stealing a baby’s cookie.

Its pure, simple advice:

Don’t catch your passwords on this list …

Our own pure, simple commentary, based on this joyous season’s not-so-joyous password predictability:

Deck the halls with password failure,
fail fail fail fail fail, fail fail, fail, fail!

Here’s hoping the new year brings us all good health, fewer breaches, and passwords that are as unique as snowflakes!