Endpoint //

Authentication

1/23/2017
03:00 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

'123456' Leads The Worst Passwords Of 2016

New report analyzes trends in more than 5 million passwords stolen from enterprises and leaked to the public last year.

It may be a ho-hum fact for many longtime security practitioners, but it nevertheless remains a fact that most users' password hygiene stinks. And since the needle on this matter moves about as much as a speedometer needle on an engineless car, the topic clearly bears revisiting. This time the reexamination of poorly chosen password comes by a recent report by SplashData on the worst passwords of 2016.

The team at SplashData took a look a look at more than five million passwords that were stolen from enterprises and leaked to the public last year to get a feel for the types of authentication secrets people use in real world. The results aren't pretty. According to the firm, the most common passwords are also ridiculously insecure - both from a prevalence and ease of guessing standpoint.

Tops on the list was "123456," which makes up about 4% of the sample set, followed closely by "password." In its entirety, the list shows that users continue to favor simplicity and convenience over security of their accounts:

  • 123456
  • password
  • 12345
  • 12345678
  • football
  • qwerty
  • 1234567890
  • 1234567
  • princess
  • 1234
  • login
  • welcome
  • solo
  • abc123
  • admin
  • 121212
  • flower
  • passw0rd
  • dragon
  • sunshine
  • master
  • hottie
  • loveme
  • zaq1zaq1
  • password1

 

Also troubling is that the list is littered with many more trivial variations of the top two offenders, with six sequential number variations and three variations of "password."

"Making minor modifications to an easily guessable password does not make it secure, and hackers will take advantage of these tendencies," says Morgan Slain, CEO of SplashData, Inc.

In fact, 2016 also offered up the perfect anecdotal evidence to show the dangers of crummy passwords: the Democratic National Committee (DNC) hack was laid partially at the feet of a negligently chosen password. WikiLeaks' Julian Assange claims that John Podesta, chairperson of Hillary Clinton's 2016 campaign, used a "password" variant for one of his systems, and other reports show that Podesta used a slightly more sophisticated but still easily hacked "Runner4567" for several others. 

It was that second gaffe that allowed attackers to take over multiple online accounts in a fell swoop, and which illustrate the fact that choosing a quality password is just one part of password hygiene.

In a recent interview, Facebook CSO Alex Stamos claims password reuse is one of the biggest online dangers to user accounts.

"The biggest security risk to individuals is the reuse of passwords, if we look at the statistics of the people who have actually been harmed online. Even when you look at the advanced attacks that get a lot of thought in the security industry, these usually start with phishing or reused passwords," he said in an interview with TechCity.

In fact, a report out last week from Shape Security reports that reused passwords are fueling a credential-stuffing hacking bonanza online today. The firm released a report that showed 90% of today's enterprise login traffic comes from attackers automatically trying passwords stolen from one site in login screens at other sites in order to takeover accounts.

Shape reports that they're successful about 2% of the time--a very lucrative rate when they play the numbers game with millions of stolen credentials stuffed across hundreds of sites online.

Related Content:

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/27/2017 | 1:14:03 PM
Re: Counter user laziness with passowrd management
> convenient and easy to memorize passwords.

> enforce a combination of alphanumerical, symbol and Caps letters would be a first step

You see the problem here, right?  ;)
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
1/26/2017 | 6:04:30 PM
Counter user laziness with passowrd management
What a shocker! Users are lazy and use convenient and easy to memorize passwords. Corporations, for which protecting sensitive data is vital, password management solutions that would enforce a combination of alphanumerical, symbol and Caps letters would be a first step. identity governance and user behavior are a must.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/24/2017 | 8:22:15 AM
Meanwhile, to us security-sensitive...
Somebody I know once purposely changed a relatively secure password of theirs to one of the passwords on this list, in front of me, simply to annoy me because of how password-paranoid I am.

The password wasn't guarding anything particularly sensitive, but still.  It was like fingernails on a chalkboard.

(At least they eventually changed it back to something non-idiotic.)
GavinD077
50%
50%
GavinD077,
User Rank: Apprentice
1/23/2017 | 3:52:17 PM
Time is called Ladies & Gents
Okay, it is time to publicly admit that PASSWORDS are not working as a method of authentication. It doesn't matter how many times you flog a dead horse, it isn't go to get up and run the golden mile and let you win big - the same goes for passwords folks. So, where to next??? We are overdue a replacement for passwords that will be end user friendly and simple. Let's face it people, we humans are inherently lazy. Ideas people......
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9015
PUBLISHED: 2019-02-22
A Path Traversal vulnerability was discovered in MOPCMS through 2018-11-30, leading to deletion of unexpected critical files. The exploitation point is in the "column management" function. The path added to the column is not verified. When a column is deleted by an attacker, the correspond...
CVE-2019-9016
PUBLISHED: 2019-02-22
An XSS vulnerability was discovered in MOPCMS through 2018-11-30. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the form[name] parameter in a mod=column request, as demonstrated by the /mopcms/X0AZgf(index).php?mod=column&ac=list&menuid=28&am...
CVE-2018-20784
PUBLISHED: 2019-02-22
In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq's, which allows attackers to cause a denial of service (infinite loop in update_blocked_averages) or possibly have unspecified other impact by inducing a high load.
CVE-2019-9003
PUBLISHED: 2019-02-22
In the Linux kernel before 4.20.5, attackers can trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a "service ipmievd restart" loop.
CVE-2019-9004
PUBLISHED: 2019-02-22
In Eclipse Wakaama (formerly liblwm2m) 1.0, core/er-coap-13/er-coap-13.c in lwm2mserver in the LWM2M server mishandles invalid options, leading to a memory leak. Processing of a single crafted packet leads to leaking (wasting) 24 bytes of memory. This can lead to termination of the LWM2M server afte...