When you think about the amount of personal data that we have on computers, or in our email accounts, it’s surprising how many people continue to choose incredibly bad passwords to protect themselves. SplashData, a company based in California, has been collecting the worst passwords since 2011, and publishing an annual list of the top 25. The latest edition for 2014 was released earlier this month. Although it contains some new additions, the list shows that the worst two passwords in 2013 remained in use in 2014. The study was based on 3.3 million passwords that were leaked online last year.
The fact that so many passwords are made public every year shows how important it is to take your online security seriously. Most of the leaked information is provided by hackers who have managed to gain access to various websites or to the accounts of individuals. They rely on a considerable number of people selecting easy-to-guess passwords, either because they relate to the person’s name or date of birth, or a popular sport, film or activity.
Many options exist for people trying to improve the protection of their data, including encryption technology and password management systems. SplashData is itself a password management company, suggesting that it has more than just an observer’s interest in bringing out its annual list of shockingly bad passwords. However, the study does show that the 25 worst passwords to use have seen their popularity drop to 2.2 percent of the overall total. Below you’ll find 14 of the easiest passwords to guess. Statistics suggest that 1 in 50 of us use a password found among the top 20 worst, so there’s a good chance that after reading this, some of you will need to change it quick!
One thing to avoid when selecting your password is cultural references that are widely known, as in the case of this example. Trustno1 was used by special agent Mulder in the X Files, making it a prime candidate to be found out. If this isn’t problem enough, efforts to hack into your account will often be carried out by machines with dictionaries, which can test the full range of words they have stored. This means that thousands of possible options can be tried out in a matter of seconds. Now they’ve even caught up with attempts to substitute numbers for letters, so guessing something like no1 is possible.
This is one battle the Superhero can’t win, apparently. He comes in at 24th on the list, although fans will be relieved to know that Batman offers a little more security than Superman does, who was ranked 21st. The most serious problem with these choices is that they are so widely known. A similar problem exists with brand names and popular products. When a large number of passwords appeared online, following a hack in late 2010, Nintendo was (shockingly, or not) also among the most popular.
Common names are a no go. Michael came in at number 20 on SplashData’s list, and there were other frequently used first names in the top 50. It doesn’t get any better if you add your date of birth on the end either, as shown by the presence of the years 1989, 1990, 1991 and 1992 in the top 100. Other common names in the top 50 included Thomas, Jennifer, Hunter and Jordan. As well as being the names most frequently used, a key drawback with using your own name is that so much information is freely available online nowadays that it would be relatively easy for a hacker to do some research and find out your password.
That’s another mistake: don’t use something with an obvious link to logging in or gaining…access. It just gives hackers trying to get at your personal info an unfair advantage if they can use the log-in screen to help them out. Another example of this is the use of “admin.” Surprisingly, this incredibly weak choice for a password didn’t make it on to the top 25 this time around, but in 2013, it was ranked the 12th weakest of the year. As well as being a word with an obvious association to logging in, it’s also much too short for a secure option. To avoid this, more websites now insist that a password is longer than a minimum number of characters.
Number patterns are bad, and this isn’t even complicated enough to be a pattern. So avoid choosing this as your next email log-in. Other dangerous choices that make use of number or letter patterns included 69696 and abc123. Combining letters and numbers is generally a good thing when it comes to building a strong password, but certainly not like this. Not only does it rhyme, but there’s also the Jackson 5 reference. For both 2013 and 2014, abc123 comfortably made the top 20 worst password list. Choosing a more complex combination of letters and numbers will strengthen the password considerably, particularly if it avoids an obvious sequence.
Proving that new attempts by websites to compel users to create longer passwords won’t necessarily resolve the problem, this is the entry at number 6 for the year 2014. Various strings of numbers made it into the top 25 list, among them 1234567 and 12345. A closely related mistake when choosing a password is to use strings of letters based on where they are located on the keyboard, such as with qwerty or azerty. Azerty was maybe seen as a step up in security from qwerty, which continues to make the top five worst passwords. But azerty is nearly as bad, coming in at 24th on the list in 2013.
At least if you shout this in real life the person on the other side of the door can probably figure out who you are from your voice. But computers don’t have that luxury. Moreover, like access and admin, it has the disadvantage of being far too obviously linked with the log-in process. This isn’t the only common phrase that’s best to avoid. Another bad choice to make is iloveyou. It’s best to leave this phrase for a time and place when it is appropriate, and that’s not on your computer’s start-up screen. In its 2013 list, SplashData put this everyday expression at number 9.
If you live in the US, it means NFL and in the UK, it means soccer. Either way, it’s a popular sport and probably one of the first guesses someone will make if they want to get into your account. SplashData had it at number 10 on the list. And if you’re a fan of other popular sports, things don’t look much better. Baseball was also in the top 10, while soccer, hockey and golf all came in the top 100. Other hobbies don’t fare much better. Mustang, the famous car model, made it to the top 20, probably because it is frequently used in connection with online car clubs and by people with an obvious interest in the vehicle.
4) Microsoft, Hotmail, Google
In its 2013 release, SplashData pointed out the large number of people using the name of the application or website they are accessing as their password. As well as being an extremely obvious option for hackers to guess, there’s a good chance that they’ll be able to figure out your password for every site you use, if this is a pattern that is being followed consistently when choosing a password. Particularly bad examples of this were revealed by hacks on Adobe in 2013. Some of the leaked passwords published online were adobe123 and even photoshop.
Online experts appear baffled by this one but for some reason, it always shows up in the lists of passwords to avoid. It has been among the 20 most commonly used passwords over the past two years, so there’s a good chance it will be on any hacker’s list of options to try out. Other words that may not appear obvious at first glance also come in high on the list of passwords to avoid, like shadow. Maybe it’s because it gives people the idea of creeping around unseen, or perhaps it just doesn’t appear to be a very common word. Turns out that in terms of passwords, both of these ideas are misleading. For those who thought about taking the opposite route and going with sunshine, things aren’t much better: it came in 20th place.
Believe it or not, there are still some people who go with this option to secure their emails. It reached number 2 on the SplashData list for 2014. Up until 2013, it had also been the most common choice on the internet, at least since 2011, when the list was first published. Popular variations on this included adding a 1 to the end, or using numbers in place of some of the letters, as in pa55word. Some even use their date of birth in conjunction with password, again a bad idea given that this information is probably sitting on the front page of your Facebook profile for all to see.
The research deemed this to be the simplest code to crack in 2014. As explained earlier, using numbers or characters found next to each other is a bad idea if you’re trying to stay safe. However, there are still a lot of people who don’t seem to realize that. Almost every time large quantities of passwords are stolen and published online, 123456 comes out on top as the most used password among the sample. By drawing the attention of internet users to this dangerous tendency, SplashData is hoping that its annual lists will help bring a turn away from weak passwords, to a more security-conscious approach.
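The habits described in this list can be screened for when a password is chosen. The following is an added example, not SplashData's code or method, and it goes beyond any single entry by checking listed words, number-for-letter swaps, trailing digits or years, keyboard and number sequences, and the site's own name. The function names, the minimum length of 8 and the short word list (taken from the passwords named above) are assumptions.

```python
import re

# Words this article names as leaked favourites. Assumption: a real
# deployment would load a much larger breached-password list instead.
COMMON = {"trustno1", "batman", "superman", "nintendo", "michael", "thomas",
          "jennifer", "hunter", "jordan", "access", "admin", "iloveyou",
          "football", "baseball", "soccer", "hockey", "golf", "mustang",
          "shadow", "sunshine", "password", "photoshop"}
# Number-for-letter swaps that guessing dictionaries already account for.
LEET = str.maketrans("01345$@7", "oleassat")
# Keyboard rows (QWERTY and AZERTY) plus digit and alphabet sequences.
RUNS = ("qwertyuiop", "azertyuiop", "asdfghjkl", "zxcvbnm",
        "01234567890", "abcdefghijklmnopqrstuvwxyz")


def _is_run(chunk):
    """True if chunk (3+ chars) is a forward or reverse slice of a run."""
    return len(chunk) >= 3 and any(chunk in r or chunk in r[::-1] for r in RUNS)


def weaknesses(password, site_name="", min_length=8):
    """Return reasons to reject a candidate password (empty list = none found)."""
    pw = password.lower()
    reasons = []
    if len(pw) < min_length:
        reasons.append("too short")
    # Drop a trailing number (an added 1, 123 or birth year), then undo swaps.
    stem = re.sub(r"\d+$", "", pw)
    if {pw, stem, pw.translate(LEET), stem.translate(LEET)} & COMMON:
        reasons.append("common word")
    if site_name and site_name.lower() in pw:
        reasons.append("contains site name")
    # abc123, 1234567, qwerty: every letter/digit chunk is a sequence.
    chunks = re.findall(r"[a-z]+|\d+", pw)
    if chunks and all(_is_run(c) for c in chunks):
        reasons.append("keyboard or sequence pattern")
    if len(set(pw)) <= 2:
        reasons.append("repeated characters")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, taken from the passwords the article lists.
    for candidate in ("123456", "pa55word", "michael1990", "azerty", "69696"):
        print(candidate, weaknesses(candidate))
```

An empty result only means none of these particular habits was detected; it is not a measure of strength.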