2017 Worst Passwords Include Repeat Offenders Like 123456
Despite repeated warnings from IT security professionals, many people are still using insecure and easily guessed passwords such as "123456" and "password," according to the seventh annual Worst Passwords report from the identity protection company SplashData.
The Los Gatos, Calif.-based company compiles its annual list from the millions of passwords revealed by security breaches and leaks over the course of the year. In addition to repeat offenders such as "123456" and "password," which have appeared at the top of SplashData's list for the past four years, new leading contenders for worst password in 2017 include "starwars" in 16th place.
Online breaches and hacks this year have threatened the usernames and passwords of billions of people. For example, a single file discovered recently on the dark web contained a database of 1.4 billion user credentials stored in cleartext, with the passwords neither hashed nor encrypted.
'Hackers Know Your Tricks'
By using common passwords, online users are increasing their risks of losing valuable data to hackers, according to SplashData CEO Morgan Slain. Even variations that add extra numbers or replace the letter "o" with the numeral "0" are easy to guess, leaving people who use them vulnerable.
"Hackers know your tricks, and merely tweaking an easily guessable password does not make it secure," Slain said in a statement. "Our hope is that our Worst Passwords of the Year list will cause people to take steps to protect themselves online."
After the returning top two worst passwords, other leading entries on this year's list include "12345678," "qwerty," "12345," "123456789," "letmein," "1234567," "football," and "iloveyou." In addition to "starwars," other new entries for 2017 include "whatever," "trustno1," and "qazwsx." That last password, formed by running down the two leftmost columns of letter keys on a standard QWERTY keyboard, demonstrates "the importance of avoiding simple patterns," SplashData said.
Use Password Managers, 2FA
A recent study by Microsoft partner EPCGroup found that men tend to use "password" more often than women, and women tend to choose longer passwords that can include the names of their significant others. Other insecure password practices identified in that study included the use of the names of sports teams, the use of personal information, such as pet names, writing down and storing password lists near computers or on cellphones, and sharing passwords with others.
In addition to choosing strong, hard-to-guess passwords, many security experts recommend that people use a password manager and two-factor authentication to keep their credentials secure.
"One alternative to creating and remembering strong, lengthy and complex passwords for every important site you deal with is to outsource this headache to a password manager," security writer Brian Krebs noted on his blog this week. "If the online account in question allows 2-factor authentication (2FA), be sure to take advantage of that."
Krebs added, "Two-factor authentication makes it much harder for password thieves (or their customers) to hack into your account just by stealing or buying your password: If you have 2FA enabled, they also would need to hack that second factor (usually your mobile device) before being able to access your account."
Earlier this year, the U.S. National Institute of Standards and Technology updated its digital identity guidelines (Special Publication 800-63B) with new advice for passwords, aimed at the services that verify them as much as at the people who choose them. The guidelines recommend allowing password managers (for example, by letting users paste into password fields), putting less reliance on artificially complex passwords, screening newly chosen passwords against lists of commonly used or compromised values, and not forcing users to change passwords on a schedule, only when there is evidence the old credentials have been compromised.
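The following is an added example, written for this page rather than taken from SplashData, Krebs, or NIST, of the kind of screening check the NIST guidance describes. It rejects a candidate password that appears on a common-password blocklist, and, to address the "tweaks" Slain warns about above, also rejects a candidate that collapses to a blocklisted word once appended digits or punctuation are stripped and common digit-for-letter swaps ("0" for "o", "@" for "a") are undone. The blocklist here is constructed from the entries named in the article; a real verifier would load a far larger list, and the substitution table and the 8-character minimum are assumptions chosen for illustration (the minimum matches NIST's floor for user-chosen secrets).

```python
"""Screen a candidate password against a common-password blocklist, including
the cosmetic variations of blocklisted words that cracking tools try first."""

import re

# Constructed sample blocklist: only the entries the article names. A real
# verifier would load a much larger list (for example a breach corpus) from disk.
WORST_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou", "starwars", "whatever",
    "trustno1", "qazwsx",
}

MIN_LENGTH = 8  # assumed minimum; matches the NIST SP 800-63B floor

# Assumed digit/symbol-for-letter swaps; cracking wordlist rules undo all of these.
_LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(candidate: str) -> str:
    """Reduce a candidate to the base word a cracking rule would recover from it.

    Lowercase, drop digits/punctuation tacked onto the end, then undo the
    substitutions: "P@ssw0rd2017!" -> "password".
    """
    base = candidate.lower()
    # Strip the trailing tweak before translating, so "trustno1" keeps its
    # base "trustno" rather than becoming "trustnoi".
    base = re.sub(r"[\d\W_]+$", "", base)
    return base.translate(_LEET)


# Normalized form -> original blocklist entry, so a rejection can name the match.
# Pure-digit entries normalize to "" and are skipped; the exact check still catches them.
_NORMALIZED = {}
for _entry in sorted(WORST_PASSWORDS):
    _key = normalize(_entry)
    if _key:
        _NORMALIZED[_key] = _entry


def check_password(candidate: str):
    """Return None if the candidate is acceptable, otherwise a short rejection reason."""
    if candidate.lower() in WORST_PASSWORDS:
        return "on the common-password blocklist"
    if len(candidate) < MIN_LENGTH:
        return f"too short (minimum {MIN_LENGTH} characters)"
    base = normalize(candidate)
    if base in _NORMALIZED:
        return f"trivial variation of blocklisted password '{_NORMALIZED[base]}'"
    return None


if __name__ == "__main__":
    # Constructed candidates: the article's examples plus a few tweaks of them.
    for pw in ["123456", "P@ssw0rd", "starwars2017", "TrustNo1!", "l3tm31n!!",
               "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

Note what this check does and does not catch: it catches the tweaks the article describes (appended digits, swapped characters, changed case) because it compares on the normalized form, but it does not detect keyboard walks in general, only the ones on the list, and a blocklist this small is far from what a production verifier needs. The point is the structure: screen against known-bad values after undoing the transformations attackers already automate, rather than relying on composition rules that only encourage those transformations.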