Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Authentication

1/23/2017
03:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

'123456' Leads The Worst Passwords Of 2016

New report analyzes trends in more than 5 million passwords stolen from enterprises and leaked to the public last year.

It may be a ho-hum fact for many longtime security practitioners, but it nevertheless remains a fact that most users' password hygiene stinks. And since the needle on this matter moves about as much as a speedometer needle on an engineless car, the topic clearly bears revisiting. This time the reexamination of poorly chosen password comes by a recent report by SplashData on the worst passwords of 2016.

The team at SplashData took a look a look at more than five million passwords that were stolen from enterprises and leaked to the public last year to get a feel for the types of authentication secrets people use in real world. The results aren't pretty. According to the firm, the most common passwords are also ridiculously insecure - both from a prevalence and ease of guessing standpoint.

Tops on the list was "123456," which makes up about 4% of the sample set, followed closely by "password." In its entirety, the list shows that users continue to favor simplicity and convenience over security of their accounts:

  • 123456
  • password
  • 12345
  • 12345678
  • football
  • qwerty
  • 1234567890
  • 1234567
  • princess
  • 1234
  • login
  • welcome
  • solo
  • abc123
  • admin
  • 121212
  • flower
  • passw0rd
  • dragon
  • sunshine
  • master
  • hottie
  • loveme
  • zaq1zaq1
  • password1

 

Also troubling is that the list is littered with many more trivial variations of the top two offenders, with six sequential number variations and three variations of "password."

"Making minor modifications to an easily guessable password does not make it secure, and hackers will take advantage of these tendencies," says Morgan Slain, CEO of SplashData, Inc.

In fact, 2016 also offered up the perfect anecdotal evidence to show the dangers of crummy passwords: the Democratic National Committee (DNC) hack was laid partially at the feet of a negligently chosen password. WikiLeaks' Julian Assange claims that John Podesta, chairperson of Hillary Clinton's 2016 campaign, used a "password" variant for one of his systems, and other reports show that Podesta used a slightly more sophisticated but still easily hacked "Runner4567" for several others. 

It was that second gaffe that allowed attackers to take over multiple online accounts in a fell swoop, and which illustrate the fact that choosing a quality password is just one part of password hygiene.

In a recent interview, Facebook CSO Alex Stamos claims password reuse is one of the biggest online dangers to user accounts.

"The biggest security risk to individuals is the reuse of passwords, if we look at the statistics of the people who have actually been harmed online. Even when you look at the advanced attacks that get a lot of thought in the security industry, these usually start with phishing or reused passwords," he said in an interview with TechCity.

In fact, a report out last week from Shape Security reports that reused passwords are fueling a credential-stuffing hacking bonanza online today. The firm released a report that showed 90% of today's enterprise login traffic comes from attackers automatically trying passwords stolen from one site in login screens at other sites in order to takeover accounts.

Shape reports that they're successful about 2% of the time--a very lucrative rate when they play the numbers game with millions of stolen credentials stuffed across hundreds of sites online.

Related Content:

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
GavinD077
50%
50%
GavinD077,
User Rank: Apprentice
1/23/2017 | 3:52:17 PM
Time is called Ladies & Gents
Okay, it is time to publicly admit that PASSWORDS are not working as a method of authentication. It doesn't matter how many times you flog a dead horse, it isn't go to get up and run the golden mile and let you win big - the same goes for passwords folks. So, where to next??? We are overdue a replacement for passwords that will be end user friendly and simple. Let's face it people, we humans are inherently lazy. Ideas people......
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/24/2017 | 8:22:15 AM
Meanwhile, to us security-sensitive...
Somebody I know once purposely changed a relatively secure password of theirs to one of the passwords on this list, in front of me, simply to annoy me because of how password-paranoid I am.

The password wasn't guarding anything particularly sensitive, but still.  It was like fingernails on a chalkboard.

(At least they eventually changed it back to something non-idiotic.)
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
1/26/2017 | 6:04:30 PM
Counter user laziness with passowrd management
What a shocker! Users are lazy and use convenient and easy to memorize passwords. Corporations, for which protecting sensitive data is vital, password management solutions that would enforce a combination of alphanumerical, symbol and Caps letters would be a first step. identity governance and user behavior are a must.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/27/2017 | 1:14:03 PM
Re: Counter user laziness with passowrd management
> convenient and easy to memorize passwords.

> enforce a combination of alphanumerical, symbol and Caps letters would be a first step

You see the problem here, right?  ;)
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...