Endpoint //

Authentication

1/23/2017
03:00 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

'123456' Leads The Worst Passwords Of 2016

New report analyzes trends in more than 5 million passwords stolen from enterprises and leaked to the public last year.

It may be a ho-hum fact for many longtime security practitioners, but it nevertheless remains a fact that most users' password hygiene stinks. And since the needle on this matter moves about as much as a speedometer needle on an engineless car, the topic clearly bears revisiting. This time the reexamination of poorly chosen password comes by a recent report by SplashData on the worst passwords of 2016.

The team at SplashData took a look a look at more than five million passwords that were stolen from enterprises and leaked to the public last year to get a feel for the types of authentication secrets people use in real world. The results aren't pretty. According to the firm, the most common passwords are also ridiculously insecure - both from a prevalence and ease of guessing standpoint.

Tops on the list was "123456," which makes up about 4% of the sample set, followed closely by "password." In its entirety, the list shows that users continue to favor simplicity and convenience over security of their accounts:

  • 123456
  • password
  • 12345
  • 12345678
  • football
  • qwerty
  • 1234567890
  • 1234567
  • princess
  • 1234
  • login
  • welcome
  • solo
  • abc123
  • admin
  • 121212
  • flower
  • passw0rd
  • dragon
  • sunshine
  • master
  • hottie
  • loveme
  • zaq1zaq1
  • password1

 

Also troubling is that the list is littered with many more trivial variations of the top two offenders, with six sequential number variations and three variations of "password."

"Making minor modifications to an easily guessable password does not make it secure, and hackers will take advantage of these tendencies," says Morgan Slain, CEO of SplashData, Inc.

In fact, 2016 also offered up the perfect anecdotal evidence to show the dangers of crummy passwords: the Democratic National Committee (DNC) hack was laid partially at the feet of a negligently chosen password. WikiLeaks' Julian Assange claims that John Podesta, chairperson of Hillary Clinton's 2016 campaign, used a "password" variant for one of his systems, and other reports show that Podesta used a slightly more sophisticated but still easily hacked "Runner4567" for several others. 

It was that second gaffe that allowed attackers to take over multiple online accounts in a fell swoop, and which illustrate the fact that choosing a quality password is just one part of password hygiene.

In a recent interview, Facebook CSO Alex Stamos claims password reuse is one of the biggest online dangers to user accounts.

"The biggest security risk to individuals is the reuse of passwords, if we look at the statistics of the people who have actually been harmed online. Even when you look at the advanced attacks that get a lot of thought in the security industry, these usually start with phishing or reused passwords," he said in an interview with TechCity.

In fact, a report out last week from Shape Security reports that reused passwords are fueling a credential-stuffing hacking bonanza online today. The firm released a report that showed 90% of today's enterprise login traffic comes from attackers automatically trying passwords stolen from one site in login screens at other sites in order to takeover accounts.

Shape reports that they're successful about 2% of the time--a very lucrative rate when they play the numbers game with millions of stolen credentials stuffed across hundreds of sites online.

Related Content:

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/27/2017 | 1:14:03 PM
Re: Counter user laziness with passowrd management
> convenient and easy to memorize passwords.

> enforce a combination of alphanumerical, symbol and Caps letters would be a first step

You see the problem here, right?  ;)
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
1/26/2017 | 6:04:30 PM
Counter user laziness with passowrd management
What a shocker! Users are lazy and use convenient and easy to memorize passwords. Corporations, for which protecting sensitive data is vital, password management solutions that would enforce a combination of alphanumerical, symbol and Caps letters would be a first step. identity governance and user behavior are a must.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/24/2017 | 8:22:15 AM
Meanwhile, to us security-sensitive...
Somebody I know once purposely changed a relatively secure password of theirs to one of the passwords on this list, in front of me, simply to annoy me because of how password-paranoid I am.

The password wasn't guarding anything particularly sensitive, but still.  It was like fingernails on a chalkboard.

(At least they eventually changed it back to something non-idiotic.)
GavinD077
50%
50%
GavinD077,
User Rank: Apprentice
1/23/2017 | 3:52:17 PM
Time is called Ladies & Gents
Okay, it is time to publicly admit that PASSWORDS are not working as a method of authentication. It doesn't matter how many times you flog a dead horse, it isn't go to get up and run the golden mile and let you win big - the same goes for passwords folks. So, where to next??? We are overdue a replacement for passwords that will be end user friendly and simple. Let's face it people, we humans are inherently lazy. Ideas people......
'Shift Left' & the Connected Car
Rohit Sethi, COO of Security Compass,  6/12/2018
Why CISOs Need a Security Reality Check
Joel Fulton, Chief Information Security Officer for Splunk,  6/13/2018
Microsoft Fixes 11 Critical, 39 Important Vulns
Kelly Sheridan, Staff Editor, Dark Reading,  6/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1061
PUBLISHED: 2018-06-19
python before versions 2.7.15, 3.4.9, 3.5.6 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.
CVE-2018-1073
PUBLISHED: 2018-06-19
The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts.
CVE-2018-12557
PUBLISHED: 2018-06-19
An issue was discovered in Zuul 3.x before 3.1.0. If nodes become offline during the build, the no_log attribute of a task is ignored. If the unreachable error occurred in a task used with a loop variable (e.g., with_items), the contents of the loop items would be printed in the console. This could ...
CVE-2018-12559
PUBLISHED: 2018-06-19
An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. The mount target path check in mounter.cpp `mpOk()` is insufficient. A regular user can consequently mount a CIFS filesystem anywhere (e.g., outside of the /home directory tree) by passing directory traversal sequ...
CVE-2018-12560
PUBLISHED: 2018-06-19
An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. Arbitrary unmounts can be performed by regular users via directory traversal sequences such as a home/../sys/kernel substring.