Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Authentication

1/23/2017
03:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

'123456' Leads The Worst Passwords Of 2016

New report analyzes trends in more than 5 million passwords stolen from enterprises and leaked to the public last year.

It may be a ho-hum fact for many longtime security practitioners, but it nevertheless remains a fact that most users' password hygiene stinks. And since the needle on this matter moves about as much as a speedometer needle on an engineless car, the topic clearly bears revisiting. This time the reexamination of poorly chosen password comes by a recent report by SplashData on the worst passwords of 2016.

The team at SplashData took a look a look at more than five million passwords that were stolen from enterprises and leaked to the public last year to get a feel for the types of authentication secrets people use in real world. The results aren't pretty. According to the firm, the most common passwords are also ridiculously insecure - both from a prevalence and ease of guessing standpoint.

Tops on the list was "123456," which makes up about 4% of the sample set, followed closely by "password." In its entirety, the list shows that users continue to favor simplicity and convenience over security of their accounts:

  • 123456
  • password
  • 12345
  • 12345678
  • football
  • qwerty
  • 1234567890
  • 1234567
  • princess
  • 1234
  • login
  • welcome
  • solo
  • abc123
  • admin
  • 121212
  • flower
  • passw0rd
  • dragon
  • sunshine
  • master
  • hottie
  • loveme
  • zaq1zaq1
  • password1

 

Also troubling is that the list is littered with many more trivial variations of the top two offenders, with six sequential number variations and three variations of "password."

"Making minor modifications to an easily guessable password does not make it secure, and hackers will take advantage of these tendencies," says Morgan Slain, CEO of SplashData, Inc.

In fact, 2016 also offered up the perfect anecdotal evidence to show the dangers of crummy passwords: the Democratic National Committee (DNC) hack was laid partially at the feet of a negligently chosen password. WikiLeaks' Julian Assange claims that John Podesta, chairperson of Hillary Clinton's 2016 campaign, used a "password" variant for one of his systems, and other reports show that Podesta used a slightly more sophisticated but still easily hacked "Runner4567" for several others. 

It was that second gaffe that allowed attackers to take over multiple online accounts in a fell swoop, and which illustrate the fact that choosing a quality password is just one part of password hygiene.

In a recent interview, Facebook CSO Alex Stamos claims password reuse is one of the biggest online dangers to user accounts.

"The biggest security risk to individuals is the reuse of passwords, if we look at the statistics of the people who have actually been harmed online. Even when you look at the advanced attacks that get a lot of thought in the security industry, these usually start with phishing or reused passwords," he said in an interview with TechCity.

In fact, a report out last week from Shape Security reports that reused passwords are fueling a credential-stuffing hacking bonanza online today. The firm released a report that showed 90% of today's enterprise login traffic comes from attackers automatically trying passwords stolen from one site in login screens at other sites in order to takeover accounts.

Shape reports that they're successful about 2% of the time--a very lucrative rate when they play the numbers game with millions of stolen credentials stuffed across hundreds of sites online.

Related Content:

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
GavinD077
50%
50%
GavinD077,
User Rank: Apprentice
1/23/2017 | 3:52:17 PM
Time is called Ladies & Gents
Okay, it is time to publicly admit that PASSWORDS are not working as a method of authentication. It doesn't matter how many times you flog a dead horse, it isn't go to get up and run the golden mile and let you win big - the same goes for passwords folks. So, where to next??? We are overdue a replacement for passwords that will be end user friendly and simple. Let's face it people, we humans are inherently lazy. Ideas people......
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/24/2017 | 8:22:15 AM
Meanwhile, to us security-sensitive...
Somebody I know once purposely changed a relatively secure password of theirs to one of the passwords on this list, in front of me, simply to annoy me because of how password-paranoid I am.

The password wasn't guarding anything particularly sensitive, but still.  It was like fingernails on a chalkboard.

(At least they eventually changed it back to something non-idiotic.)
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
1/26/2017 | 6:04:30 PM
Counter user laziness with passowrd management
What a shocker! Users are lazy and use convenient and easy to memorize passwords. Corporations, for which protecting sensitive data is vital, password management solutions that would enforce a combination of alphanumerical, symbol and Caps letters would be a first step. identity governance and user behavior are a must.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/27/2017 | 1:14:03 PM
Re: Counter user laziness with passowrd management
> convenient and easy to memorize passwords.

> enforce a combination of alphanumerical, symbol and Caps letters would be a first step

You see the problem here, right?  ;)
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17537
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file deletion via the web/polygon/problem/deletefile?id=1&name=../ substring.
CVE-2019-17538
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.
CVE-2019-17535
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a related issue to CVE-2019-9647.
CVE-2019-17536
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs to use admin/media_upload and fm/move.
CVE-2019-17533
PUBLISHED: 2019-10-13
Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed.