Last Year’s 25 Worst Passwords Reinforce Strong Passwords Matter

Enterprise security begins with strong passwords.

Passwords are the most common way to authenticate access. At home, on the job, and on social networks, applications require passwords. As the number of systems you log into increases, you assume greater risk, for one reason: most passwords are weak, and in all likelihood you use them. In enterprise security, users are a vulnerability. They can also become a deterrent.

By reusing passwords, you put yourself and your organization at risk. You make an enterprise security breach easier and increase your likelihood of identity theft. Since 2011, SplashData has published the year’s 25 most commonly breached passwords. The report shows that everyone would benefit from a strong password manager. At work and in our personal lives, our passwords are weak.

SplashData reports the most popular passwords breached in 2015 were:

  1. 123456
  2. password
  3. 12345678
  4. qwerty (Check your keyboard.)
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball
  11. welcome
  12. 1234567890
  13. abc123
  14. 111111
  15. 1qaz2wsx (Check your keyboard)
  16. dragon
  17. master
  18. monkey
  19. letmein
  20. login
  21. princess
  22. qwertyuiop (Second keyboard row)
  23. solo
  24. passw0rd (using zero)
  25. starwars

Hard to believe?

How many on the list do you use?

How to Make Strong Passwords

Although not always possible, randomly generated passwords are the most secure. In IT, your enterprise password manager should enforce strong policies. When creating passwords, make them hard to guess yet easy to remember. They should be difficult to crack without demanding much effort from you.

To make strong passwords, you must understand human behavior. A study at Linköping University, Sweden, found that 62% of users reuse passwords, and 28% reported they never change their passwords. These behaviors reveal what cyber thieves count on: most people reuse passwords, and many never change them. One password can give a lot of access.

As unbelievable as this sounds, many passwords are simply guessed. On user behavior, the study found:

  • 4.7% use the password password
  • 8.5% use password or 123456
  • 9.8% use password, 123456 or 12345678
  • 14% use a password from the top 10 passwords
  • 40% use a password from the top 100 passwords
  • 79% use a password from the top 500 passwords
  • 91% use a password from the top 10,000 passwords

Smart guessing is often the first automated cyber strike. Guessing attacks target accounts with short, simplistic passwords. Smart guessing is an efficient use of an attacker’s time: during brute-force attacks, checking the top 10,000 passwords opens 91% of accounts. For 8-character passwords, such attacks take around 26 minutes.

About 70% of passwords contain dictionary words. Dictionary attacks are a variation of smart guessing that applies multi-language dictionaries. Attacker dictionaries contain words, names, inflections, phrases, abbreviations and hyphenations. Dictionary attacks try all combinations of words up to a certain length.

Passwords that combine dictionary words and random characters require hybrid attacks, which combine dictionary attacks with random characters. Hybrid password attacks take longer, and the passwords they target are often the last to be exposed.

Strong Passwords Best Practices

For every organization, security starts with a strong password policy. Strong passwords never include names, phone numbers, or places. They do not contain proper nouns, dictionary words, or repeated characters. They don’t follow patterns or keyboard paths. They never reference birthdays, anniversaries, old addresses, or life events. They do not add a single digit to a word or spell a word backwards.

Secure passwords are never reused. They are easy to remember, so they are not written down. They are more than eight characters; the longer the better. They randomly place upper and lower case letters. They include punctuation and special characters when possible. They never reference sports, religion, love or popular culture, past or present.

For strong passwords, use phrases rather than words. Do not rely on capitalization to separate words and ideas. Write something about yourself that only you know, and pick things that would not be transparent to anyone social engineering an attack. Then apply a little creativity and deviate from norms.
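As an added example (not from the original post or from Avatier's products), here is a Python policy check that turns the rules above, and the guessing, dictionary and hybrid attacks described earlier, into something an enrollment form can enforce. It uses the page's 2015 top-25 list as its blocklist; the small dictionary, the keyboard row/column sequences and the substitution map (passw0rd to password) are my own constructed assumptions, not a real attack wordlist.

```python
import re

# SplashData's 2015 top 25, as listed on this page, used as the blocklist.
BREACHED_2015 = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey",
    "letmein", "login", "princess", "qwertyuiop", "solo", "passw0rd",
    "starwars",
}
# Constructed stand-in for a real multi-language attack dictionary (assumption).
DICTIONARY = {"password", "dragon", "monkey", "welcome", "summer", "winter"}
# Keyboard rows and columns so qwerty- and 1qaz2wsx-style paths are caught (assumption).
KEYBOARD_SEQS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
KEYBOARD_SEQS += [s[::-1] for s in KEYBOARD_SEQS]          # reversed paths too
LEET = str.maketrans("0134@$", "oleaas")                   # passw0rd -> password

def normalize(pw: str) -> str:
    """Lower-case and undo common digit/symbol substitutions before checking."""
    return pw.lower().translate(LEET)

def is_keyboard_path(pw: str) -> bool:
    """True if any 4-character window follows a keyboard row or column."""
    p = pw.lower()
    return any(p[i:i + 4] in s for s in KEYBOARD_SEQS for i in range(len(p) - 3))

def check_password(pw: str) -> list[str]:
    """Return the policy rules the password violates; an empty list means it passes."""
    n = normalize(pw)
    reasons = []
    if len(pw) <= 8:
        reasons.append("not longer than eight characters")
    if n in {normalize(b) for b in BREACHED_2015}:
        reasons.append("in the 2015 top-25 breached list")
    if n in DICTIONARY or n[::-1] in DICTIONARY:
        reasons.append("dictionary word (possibly spelled backwards)")
    m = re.fullmatch(r"([a-z]+)\d", pw.lower())          # word + one digit, e.g. dragon1
    if m and (m.group(1) in DICTIONARY or m.group(1)[::-1] in DICTIONARY):
        reasons.append("dictionary word with a single digit appended")
    if is_keyboard_path(pw):
        reasons.append("follows a keyboard path")
    if re.search(r"(.)\1\1", pw):                         # three or more of the same char
        reasons.append("repeated characters")
    if pw.lower() == pw or pw.upper() == pw:
        reasons.append("no mix of upper and lower case")
    if not re.search(r"[^A-Za-z0-9]", pw):
        reasons.append("no punctuation or special character")
    return reasons
```

In production the blocklist would be a full breached-password corpus and the dictionary a real multi-language wordlist; the check itself is unchanged.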

Written by Thomas Edgerton

Thomas Edgerton, Avatier's MVP award-winning Market Analyst and Performance Consultant in information technology, IT security, instructional technology and human factors, blogs on topics ranging from leadership to national security, innovation and deconstructing the future.