Every year, the password manager software company SplashData compiles a list of the 25 most common stolen passwords from the previous 12 months’ publicly disclosed data breaches. 2015’s results have now been published, and they demonstrate one thing: people are still no good at choosing passwords. No good at all.
Here’s the list:
Worst 25 passwords of 2015
- 123456
- password
- 12345678
- qwerty
- 12345
- 123456789
- football
- 1234
- 1234567
- baseball
- welcome
- 1234567890
- abc123
- 111111
- 1qaz2wsx
- dragon
- master
- monkey
- letmein
- login
- princess
- qwertyuiop
- solo
- passw0rd
- starwars
Weak – and reused – passwords are a common point of intrusion for cyber criminals. It’s not just these 25 that you need to worry about, either. Microsoft’s Security Intelligence Report (SIR), Volume 17 noted that “according to a 2011 study of 6 million user-generated passwords, 98.8 percent of users chose a password that was on the list of the most common 10,000 passwords and were therefore easily cracked using off-the-shelf password hash-cracking software and commodity personal computer hardware.”
So, how do you ensure your staff don’t put your organisation at risk with their poor password habits?
First, a password manager will enable you to create strong passwords for each of your online accounts, and change them with suitable regularity. Such passwords are unlikely to feature on lists of stolen passwords like the above, and are significantly less likely to be brute-forced than the likes of 123456 and password.
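A password manager helps on the user side; on the organisation side you can also refuse to accept passwords that appear on breach lists like the one above. The following added example (not code from the original article or from SplashData) implements such a deny-list check, treating trivial variants (case changes, appended digits or symbols, leet spellings such as passw0rd) as matches, and seeds it with the 25 passwords listed above; a real deployment would load a far larger list, such as the 10,000-entry list the SIR quote refers to.

```python
"""Deny-list password check: reject any candidate that matches a known-breached
password, including trivial variants attackers' wordlist rules already cover
(case changes, appended digits/symbols, common leet spellings).
WORST_2015 is the SplashData list from the article; the length threshold and
the leet table are assumptions chosen for this example."""
import re

WORST_2015 = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey", "letmein",
    "login", "princess", "qwertyuiop", "solo", "passw0rd", "starwars",
]

# Leet-speak substitutions to undo before lookup (example table, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(candidate: str) -> set:
    """Return every form of `candidate` that should be looked up in the deny list."""
    base = candidate.lower()
    forms = {base}
    # Strip appended digits/symbols: "football2015!" -> "football".
    # (Skip the result when nothing is left, e.g. for "123456".)
    stripped = re.sub(r"[\d\W_]+$", "", base)
    if stripped:
        forms.add(stripped)
    # Undo leet spellings on each form: "p@ssw0rd" -> "password".
    forms.update(f.translate(LEET) for f in list(forms))
    return forms


def check_password(candidate: str, denylist=WORST_2015, min_length: int = 12) -> list:
    """Return the reasons a candidate is rejected; an empty list means acceptable."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    deny = {p.lower() for p in denylist}
    if normalise(candidate) & deny:
        reasons.append("matches a known-breached password or trivial variant")
    return reasons


if __name__ == "__main__":
    for pw in ["123456", "Passw0rd2015!", "correct horse battery staple"]:
        print(pw, "->", check_password(pw) or "ok")
```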
A strong password is all well and good, but, no matter how strong it is, a password is a single authentication factor. If it becomes widely known, it offers no barrier to access. This is why you need to combine passwords with other authentication factors such as a one-time password or secret question. (Think of your bank card and PIN combination as an example: you need both factors to access your account at an ATM.)