Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations //

Identity & Access Management

1/20/2015
04:30 PM
Sara Peters
Sara Peters
Quick Hits
Connect Directly
Twitter
RSS
E-Mail
50%
50%

'123456' & 'Password' Are The 2 Most Common Passwords, Again

New entrants to the top 25 show that bad password creators are fans of sports, superheroes, dragons, and NSFW numeral combos.

"123456" and "password" continue to be the two most common passwords found on the Internet, thus reining SplashData's annual "Worst Password List" for the fourth year in a row. New entrants to the top 25 this year show that bad password creators are fans of sports, superheroes, dragons, and not-safe-for-work numeral combinations.

This is the fourth year SplashData has identified the most popular passwords by compiling sets of credentials leaked online. This year's study looked at more than 3.3 million leaked passwords, mostly from users in North America and Western Europe. 

"The bad news from my research is that this year's most commonly used passwords are pretty consistent with prior years,” said Mark Burnett, author of “Perfect Passwords,” who worked with SplashData on this year's study.

“The good news," says Burnett, "is that it appears that more people are moving away from using these passwords. In 2014, the top 25 passwords represented about 2.2% of passwords exposed. While still frightening, that's the lowest percentage of people using the most common passwords I have seen in recent studies."

Nine of the top twenty-five most common passwords were all numerals, and fourteen of them were all lowercase letters. The other two were a combination of lowercase letters and numerals ("abc123" and "trustno1").

Not a single capital letter or special character made the cut. Most of the common passwords were no more than six characters long. Nine of the top 25 choices were simply dictionary words. All this shows that few places are enforcing any kind of strong password policy.

New to the top 25 were "baseball" and "football." Other lowercase sports and sports teams were found in the top 100. For the more whimsical security-unsavvy users, "dragon," "superman," and "batman" jumped into the top 25 also.

In addition to "password," which ranked second, users were fond of "letmein," "trustno1," and "access," which is new to the list.

No swear words made it into the top 25, but SplashData says they remain popular. The password "iloveyou," which was in the top 25 last year, has fallen off the list entirely, "696969" has taken its place.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
1/21/2015 | 10:23:57 AM
System Administrators and Policy Configurations
I think options are the worst part of creating a password. UserID's and passwords are in nature restrictive. Restrictive to the assets and information they provide to the owner. I think responsibility of password complexity needs to shift to site and system administrators as well as any person who is responsible for password configuration policies. This restrictive nature needs to be encompassed throughout the password policy. It's a widely regarded human nature to try and take the quickest, easiest route possible. But if the easiest route possible is a complex password than the user has no other option then to be compliant and try to be secure.


Policy Configuration factors: length, alphanumeric & special character, password life, and password retention (not using the same password until a certain amount of new passwords have been derived), etc.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/21/2015 | 8:30:06 AM
Re: Blame the networking vendor amongst the other things
That's outrageuos @tompiotrowski. Thanks for pointing out that end users aren't the only one culpable in nor taking basic security best practices seriously enough.
tompiotrowski
100%
0%
tompiotrowski,
User Rank: Apprentice
1/20/2015 | 11:00:40 PM
Blame the networking vendor amongst the other things
Have you ever purchased simple or complex networking device?  Switch, router, DSL gateway etc?  Cisco, D-Link, Belkin, just to name few are supplying the products with a rather "sophisticated" administrator logins:  ADMIN and PASSWORD.  Whilst the end users cannot be cleared from responsibility of keeping their accounts secure, the "examples" set by industry leaders are equally to blame.   
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5347
PUBLISHED: 2020-04-04
Dell EMC Isilon OneFS versions 8.2.2 and earlier contain a denial of service vulnerability. SmartConnect had an error condition that may be triggered to loop, using CPU and potentially preventing other SmartConnect DNS responses.
CVE-2020-5348
PUBLISHED: 2020-04-04
Dell Latitude 7202 Rugged Tablet BIOS versions prior to A28 contain a UAF vulnerability in EFI_BOOT_SERVICES in system management mode. A local unauthenticated attacker may exploit this vulnerability by overwriting the EFI_BOOT_SERVICES structure to execute arbitrary code in system management mode.
CVE-2020-8142
PUBLISHED: 2020-04-03
A security restriction bypass vulnerability has been discovered in Revive Adserver version < 5.0.5 by HackerOne user hoangn144. Revive Adserver, like many other applications, requires the logged in user to type the current password in order to change the e-mail address or the password. It was how...
CVE-2020-8143
PUBLISHED: 2020-04-03
An Open Redirect vulnerability was discovered in Revive Adserver version < 5.0.5 and reported by HackerOne user hoangn144. A remote attacker could trick logged-in users to open a specifically crafted link and have them redirected to any destination.The CSRF protection of the “/...
CVE-2020-8147
PUBLISHED: 2020-04-03
Flaw in input validation in npm package utils-extend version 1.0.8 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using utils-extend.