Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/19/2016
03:00 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

SplashDatas fifth annual Worst Passwords List shows people continue putting themselves at risk

While longer passwords debut on this year's list of most commonly used passwords, they are not necessarily more secure

SplashData has announced the 2015 edition of its annual “Worst Passwords List” highlighting the insecure password habits of Internet users. “123456” and “password” once again reign supreme as the most commonly used passwords, as they have since SplashData’s first list in 2011, demonstrating how people’s choices for passwords remain consistently risky.

In SplashData’s fifth annual report, compiled from more than 2 million leaked passwords during the year, some new and longer passwords made their debut – perhaps showing an effort by both websites and web users to be more secure. However, the longer passwords are so simple as to make their extra length virtually worthless as a security measure.

For example, “1234567890”, “1qaz2wsx” (first two columns of main keys on a standard keyboard), and “qwertyuiop” (top row of keys on a standard keyboard) all appear in the top 25 list for the first time, but they are each based on simple patterns that would be easily guessable by hackers.

As in past years’ lists, simple numerical passwords remain common, with six of the top 10 passwords on the 2015 list comprised of numbers only.

Sports remain a popular password theme. While baseball may be America’s pastime, “football” has overtaken it as a popular password. Both appear in the Top 10 of SplashData’s list, with “football” climbing three spots to number seven and “baseball” dropping two spots to number 10.

When it comes to movies and pop culture, The Force may be able to protect the Jedi, but it won’t secure users who choose popular Star Wars terms such as "starwars," "solo," and "princess" as their passwords. All three terms are new entries on this year’s list.

Other passwords appearing on the 2015 list that did not appear on the 2014 list include “welcome”, “login” and “passw0rd.”

SplashData, provider of password management applications including SplashID for consumers and TeamsID for businesses, releases its annual list in an effort to encourage the adoption of stronger passwords to improve Internet security. According to SplashData, the passwords evaluated for the 2015 list were mostly held by users in North America and Western Europe. The “Worst Passwords List” shows that many people continue to put themselves at risk for hacking and identity theft by using weak, easily guessable passwords.

“We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers,” said Morgan Slain, CEO of SplashData. “As we see on the list, using common sports and pop culture terms is also a bad idea. We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites.”

Presenting SplashData’s “Worst Passwords of 2015”:

1 - 123456 (unchanged from 2014) 
2 - password (unchanged) 
3 - 12345678 (Up 1) 
4 - qwerty (Up 1) 
5 - 12345 (Down 2) 
6 - 123456789 (Unchanged) 
7 - football (Up 3) 
8 - 1234 (Down 1) 
9 - 1234567 (Up 2) 
10 - baseball (Down 2) 
11 - welcome (New) 
12 - 1234567890 (New) 
13 - abc123 (Up 1) 
14 - 111111 (Up 1) 
15 - 1qaz2wsx (New) 
16 - dragon (Down 7) 
17 - master (Up 2) 
18 - monkey (Down 6) 
19 - letmein (Down 6) 
20 - login (New) 
21 - princess (New) 
22 - qwertyuiop (New) 
23 - solo (New) 
24 - passw0rd (New) 
25 - starwars (New)

SplashData offers three simple tips to help people protect themselves: 

  • Use passwords or passphrases of twelve characters or more with mixed types of characters
  • Avoid using the same password over and over again on different websites
  • Use a password manager such as SplashID to organize and protect passwords, generate random passwords, and automatically log into websites

 

For more information on SplashData's last five years of research into commonly used passwords, please visit:http://content.teamsid.com/worst-passwords-ebook

# # #

About SplashData: 
SplashData has been a leading provider of password management applications for over 15 years. The company’s SplashID (http://www.splashid.com) consumer application has grown to be one of the most trusted multi-platform password solutions with over 1 million users worldwide. SplashID’s popularity continues to rise as the number of user names, passwords, and account numbers most people have to remember is rapidly multiplying. At the same time, the risk of this kind of sensitive information falling into the wrong hands has never been greater. SplashID helps solve this dilemma by creating an encrypted digital safe available on smartphones, computers, USB keys, or online, offering the peace of mind of being able to access critical information whenever needed while maintaining the security of 256-bit encryption. The company’s business password manager TeamsID (http://www.teamsid.com) enables organizations to manage and share passwords and other sensitive records easily and securely. SplashData was founded in 2000 and is based in Los Gatos, CA.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18898
PUBLISHED: 2020-01-23
UNIX Symbolic Link (Symlink) Following vulnerability in the trousers package of SUSE SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allowed local attackers escalate privileges from user tss to root. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP1 trousers versions prior to 0.3.14...
CVE-2019-19837
PUBLISHED: 2020-01-23
Incorrect access control in the web interface in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote information disclosure of bin/web.conf via HTTP requests.
CVE-2020-7210
PUBLISHED: 2020-01-23
Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user accounts.
CVE-2019-19835
PUBLISHED: 2020-01-23
SSRF in AjaxRestrictedCmdStat in zap in Ruckus Wireless Unleashed through 200.7.10.102.64 allows a remote denial of service via the server attribute to the tools/_rcmdstat.jsp URI.
CVE-2020-5216
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...