Endpoint
1/21/2014
03:47 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%

'Password' Unseated By '123456' On Splashdata's Annual 'Worst Passwords' List

List shows that many people continue to put themselves at risk by using weak, easily guessable passwords

SplashData has announced its annual list of the 25 most common passwords found on the Internet. For the first time since SplashData began compiling its annual list, "password" has lost its title as the most common and therefore Worst Password, and two-time runner-up "123456" took the dubious honor. "Password" fell to #2.

According to SplashData, this year's list was influenced by the large number of passwords from Adobe users posted online by security consulting firm Stricture Consulting Group following Adobe's well publicized security breach.

"Seeing passwords like 'adobe123' and 'photoshop' on this list offers a good reminder not to base your password on the name of the website or application you are accessing," says Morgan Slain, CEO of SplashData.

SplashData's list of frequently used passwords shows that many people continue to put themselves at risk by using weak, easily guessable passwords. Some other passwords in the Top Ten include "qwerty," "abc123," "111111," and "iloveyou."

"Another interesting aspect of this year's list is that more short numerical passwords showed up even though websites are starting to enforce stronger password policies," Slain said. For example, new to this year's list are simple and easily guessable passwords like "1234" at #16, "12345" at #20, and "000000" at #25.

SplashData, provider of the SplashID Safe line of password management applications, releases its annual list in an effort to encourage the adoption of stronger passwords. "As always, we hope that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites."

Presenting SplashData's "Worst Passwords of 2013" (including Rank and Change from 2012):

1. 123456 (Up 1)

2. password (Down 1)

3. 12345678 (Unchanged)

4. qwerty (Up 1)

5. abc123 (Down 1)

6. 123456789 (New)

7. 111111 (Up 2)

8. 1234567 (Up 5)

9. iloveyou (Up 2)

10. adobe123 (New)

11. 123123 (Up 5)

12. admin (New)

13. 1234567890 (New)

14. letmein (Down 7)

15. photoshop (New)

16. 1234 (New)

17. monkey (Down 11)

18. shadow (Unchanged)

19. sunshine (Down 5)

20. 12345 (New)

21. password1 (Up 4)

22. princess (New)

23. azerty (New)

24. trustno1 (Down 12)

25. 000000 (New)

SplashData's top 25 list was compiled from files containing millions of stolen passwords posted online during the previous year. The company advises consumers or businesses using any of the passwords on the list to change them immediately.

SplashData suggests making passwords more secure with these tips:

Use passwords of eight characters or more with mixed types of characters. But even passwords with common substitutions like "dr4mat1c" can be vulnerable to attackers' increasingly sophisticated technology, and random combinations like "j%7K&yPx$" can be difficult to remember. One way to create more secure passwords that are easy to recall is to use passphrases -- short words with spaces or other characters separating them. It's best to use random words rather than common phrases. For example, "cakes years birthday" or "smiles_light_skip?"

Avoid using the same username/password combination for multiple websites. Especially risky is using the same password for entertainment sites that you do for online email, social networking, or financial service sites. Use different passwords for each new website or service you sign up for.

Having trouble remembering all those different strong passwords? Try using a password manager application that organizes and protects passwords and can automatically log you into websites. There are numerous applications available, but choose one with a strong track record of reliability and security like SplashID Safe, which has a 10 year history and over 1 million users. SplashID Safe has versions available for Windows and Mac as well as smartphones and tablet devices.

About SplashData:

SplashData has been a leading provider of password management applications for over 10 years. SplashID Safe (www.splashid.com) has grown to be most trusted multiplatform password solution for both the consumer and enterprise markets with over 1 million users worldwide. SplashID Safe's popularity continues to rise as the number of user names, passwords, and account numbers most people have to remember is rapidly multiplying. At the same time, the risk of this kind of sensitive information falling into the wrong hands has never been greater. SplashID Safe helps solve this dilemma by creating an encrypted digital safe available on smartphones, computers, USB keys, or online, offering the peace of mind of being able to access critical information whenever needed while maintaining the security of 256-bit encryption.

SplashData was founded in 2000 and is based in Los Gatos, CA.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.