Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations //

Identity & Access Management

1/20/2015
04:30 PM
Sara Peters
Sara Peters
Quick Hits
Connect Directly
Twitter
RSS
E-Mail
50%
50%

'123456' & 'Password' Are The 2 Most Common Passwords, Again

New entrants to the top 25 show that bad password creators are fans of sports, superheroes, dragons, and NSFW numeral combos.

"123456" and "password" continue to be the two most common passwords found on the Internet, thus reining SplashData's annual "Worst Password List" for the fourth year in a row. New entrants to the top 25 this year show that bad password creators are fans of sports, superheroes, dragons, and not-safe-for-work numeral combinations.

This is the fourth year SplashData has identified the most popular passwords by compiling sets of credentials leaked online. This year's study looked at more than 3.3 million leaked passwords, mostly from users in North America and Western Europe. 

"The bad news from my research is that this year's most commonly used passwords are pretty consistent with prior years,” said Mark Burnett, author of “Perfect Passwords,” who worked with SplashData on this year's study.

“The good news," says Burnett, "is that it appears that more people are moving away from using these passwords. In 2014, the top 25 passwords represented about 2.2% of passwords exposed. While still frightening, that's the lowest percentage of people using the most common passwords I have seen in recent studies."

Nine of the top twenty-five most common passwords were all numerals, and fourteen of them were all lowercase letters. The other two were a combination of lowercase letters and numerals ("abc123" and "trustno1").

Not a single capital letter or special character made the cut. Most of the common passwords were no more than six characters long. Nine of the top 25 choices were simply dictionary words. All this shows that few places are enforcing any kind of strong password policy.

New to the top 25 were "baseball" and "football." Other lowercase sports and sports teams were found in the top 100. For the more whimsical security-unsavvy users, "dragon," "superman," and "batman" jumped into the top 25 also.

In addition to "password," which ranked second, users were fond of "letmein," "trustno1," and "access," which is new to the list.

No swear words made it into the top 25, but SplashData says they remain popular. The password "iloveyou," which was in the top 25 last year, has fallen off the list entirely, "696969" has taken its place.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
tompiotrowski
100%
0%
tompiotrowski,
User Rank: Apprentice
1/20/2015 | 11:00:40 PM
Blame the networking vendor amongst the other things
Have you ever purchased simple or complex networking device?  Switch, router, DSL gateway etc?  Cisco, D-Link, Belkin, just to name few are supplying the products with a rather "sophisticated" administrator logins:  ADMIN and PASSWORD.  Whilst the end users cannot be cleared from responsibility of keeping their accounts secure, the "examples" set by industry leaders are equally to blame.   
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/21/2015 | 8:30:06 AM
Re: Blame the networking vendor amongst the other things
That's outrageuos @tompiotrowski. Thanks for pointing out that end users aren't the only one culpable in nor taking basic security best practices seriously enough.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
1/21/2015 | 10:23:57 AM
System Administrators and Policy Configurations
I think options are the worst part of creating a password. UserID's and passwords are in nature restrictive. Restrictive to the assets and information they provide to the owner. I think responsibility of password complexity needs to shift to site and system administrators as well as any person who is responsible for password configuration policies. This restrictive nature needs to be encompassed throughout the password policy. It's a widely regarded human nature to try and take the quickest, easiest route possible. But if the easiest route possible is a complex password than the user has no other option then to be compliant and try to be secure.


Policy Configuration factors: length, alphanumeric & special character, password life, and password retention (not using the same password until a certain amount of new passwords have been derived), etc.
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32089
PUBLISHED: 2021-05-11
** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered on Zebra (formerly Motorola Solutions) Fixed RFID Reader FX9500 devices. An unauthenticated attacker can upload arbitrary files to the filesystem that can then be accessed through the web interface. This can lead to information disclosure and c...
CVE-2020-24586
PUBLISHED: 2021-05-11
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted us...
CVE-2020-24587
PUBLISHED: 2021-05-11
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and...
CVE-2020-24588
PUBLISHED: 2021-05-11
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802....
CVE-2020-26139
PUBLISHED: 2021-05-11
An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and...