Operations // Identity & Access Management
1/20/2015
04:30 PM
Sara Peters
Sara Peters
Quick Hits
Connect Directly
Twitter
RSS
E-Mail
50%
50%

'123456' & 'Password' Are The 2 Most Common Passwords, Again

New entrants to the top 25 show that bad password creators are fans of sports, superheroes, dragons, and NSFW numeral combos.

"123456" and "password" continue to be the two most common passwords found on the Internet, thus reining SplashData's annual "Worst Password List" for the fourth year in a row. New entrants to the top 25 this year show that bad password creators are fans of sports, superheroes, dragons, and not-safe-for-work numeral combinations.

This is the fourth year SplashData has identified the most popular passwords by compiling sets of credentials leaked online. This year's study looked at more than 3.3 million leaked passwords, mostly from users in North America and Western Europe. 

"The bad news from my research is that this year's most commonly used passwords are pretty consistent with prior years,” said Mark Burnett, author of “Perfect Passwords,” who worked with SplashData on this year's study.

“The good news," says Burnett, "is that it appears that more people are moving away from using these passwords. In 2014, the top 25 passwords represented about 2.2% of passwords exposed. While still frightening, that's the lowest percentage of people using the most common passwords I have seen in recent studies."

Nine of the top twenty-five most common passwords were all numerals, and fourteen of them were all lowercase letters. The other two were a combination of lowercase letters and numerals ("abc123" and "trustno1").

Not a single capital letter or special character made the cut. Most of the common passwords were no more than six characters long. Nine of the top 25 choices were simply dictionary words. All this shows that few places are enforcing any kind of strong password policy.

New to the top 25 were "baseball" and "football." Other lowercase sports and sports teams were found in the top 100. For the more whimsical security-unsavvy users, "dragon," "superman," and "batman" jumped into the top 25 also.

In addition to "password," which ranked second, users were fond of "letmein," "trustno1," and "access," which is new to the list.

No swear words made it into the top 25, but SplashData says they remain popular. The password "iloveyou," which was in the top 25 last year, has fallen off the list entirely, "696969" has taken its place.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
1/21/2015 | 10:23:57 AM
System Administrators and Policy Configurations
I think options are the worst part of creating a password. UserID's and passwords are in nature restrictive. Restrictive to the assets and information they provide to the owner. I think responsibility of password complexity needs to shift to site and system administrators as well as any person who is responsible for password configuration policies. This restrictive nature needs to be encompassed throughout the password policy. It's a widely regarded human nature to try and take the quickest, easiest route possible. But if the easiest route possible is a complex password than the user has no other option then to be compliant and try to be secure.


Policy Configuration factors: length, alphanumeric & special character, password life, and password retention (not using the same password until a certain amount of new passwords have been derived), etc.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/21/2015 | 8:30:06 AM
Re: Blame the networking vendor amongst the other things
That's outrageuos @tompiotrowski. Thanks for pointing out that end users aren't the only one culpable in nor taking basic security best practices seriously enough.
tompiotrowski
100%
0%
tompiotrowski,
User Rank: Apprentice
1/20/2015 | 11:00:40 PM
Blame the networking vendor amongst the other things
Have you ever purchased simple or complex networking device?  Switch, router, DSL gateway etc?  Cisco, D-Link, Belkin, just to name few are supplying the products with a rather "sophisticated" administrator logins:  ADMIN and PASSWORD.  Whilst the end users cannot be cleared from responsibility of keeping their accounts secure, the "examples" set by industry leaders are equally to blame.   
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas and her guest, David Shearer, (ISC)2 Chief Executive Officer, as they discuss issues that keep IT security professionals up at night, including results from the recent 2016 Black Hat Attendee Survey.