Every year, Keeper Security, a company that makes password management software, publishes a blog post ranking the year’s worst passwords by popularity. Its sources include public data breaches from the past year, newly generated password lists, the various hashes associated with them, and occasionally the odd hardware breach that reveals how the random salt is generated. They recently published 2016’s list and, boy, people never seem to learn.
2016 was a hectic year when it came to enormous hacks. Yahoo revealed that it had been breached twice in the last three years. Crypto-ransomware like Locky and Surprise used mailing lists available online through publicly searchable hacks to target people en masse. The Democratic National Committee had about 20,000 of its emails leaked to Wikileaks thanks to weak password controls. Equation Group, an NSA-linked hacker group, was itself hacked by others looking to sell its secret tools online to the highest bidder. Many of these events could have been prevented, but a combination of lax security and arrogance meant that they were bound to happen at some point.
What some people don’t realise, however, is that each new breach gives attackers new information about how passwords are generated and stored, along with new insight into how people make up their own passwords. You could have used “correcthorsebatterystaple” as your password for Yahoo and a bunch of other accounts for years, and if you didn’t know that your account details had been leaked and sold on, you might have suffered serious loss when your other accounts were taken over. Choosing strong passwords is a choice you make, whether by thinking them up yourself or by using a password manager, and it protects your online identity if one of your accounts is ever breached (and one will be, I guarantee you).
Keeper Security’s top 25 list of bad and unsurprisingly popular passwords hasn’t changed much in the last few years, but a few new entries are quite interesting:
While “123456” spends another year as the most used bad password in the world, “google” and “qwertyuiop” are no longer in the top ten, possibly because fewer people are using them for their accounts. Rather amusingly, “123456” and passwords like it still feature because people use them to get around minimum character requirements, and somehow the systems designed to prevent the use of such obviously weak passwords aren’t flagging them correctly.
Some new additions to the list also highlight a change in the direction of account hacks that people need to take note of. “1q2w3e4r” and “1q2w3e4r5t” are keyboard patterns that people now use frequently, and their inclusion on the list suggests that dictionary and brute-force attacks will now incorporate keyboard patterns in order to guess passwords more quickly. If you use one, as I’ve done before, change it to something else. Adding punctuation to such a password might extend the time it takes to crack, but only briefly.
Keeper also notes that “18atcskd2w” and “3rjs1la7qe” are examples of passwords generated and used by bots when setting up fake accounts. Bots use bad passwords too, it seems.
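The sign-up check that the last few paragraphs say is failing, written out as an added example (this is not code from the original post or from Keeper Security): it rejects the quoted list entries, anything made of one or two repeated characters, and keyboard walks such as “1q2w3e4r” whether or not punctuation has been tacked on. The denylist is only the seven entries quoted above, the 8-character minimum is an assumed policy value, and the keyboard layout is a left-aligned US QWERTY approximation.

```python
"""Added example (not from the original post or from Keeper Security):
a server-side password screen of the kind the post says is failing to
flag entries like "123456" and "1q2w3e4r". It assumes an account
sign-up path where the candidate password is available for this one
check, and an assumed policy minimum of 8 characters."""
from typing import List

# The 2016 entries quoted in the post serve as a tiny denylist.
# A real deployment would load a large breach-derived list instead.
DENYLIST = {
    "123456", "google", "qwertyuiop",
    "1q2w3e4r", "1q2w3e4r5t",
    "18atcskd2w", "3rjs1la7qe",
}

# Digit row plus the three letter rows of a US QWERTY keyboard. Rows are
# left-aligned (no stagger), which is enough to catch the common walks.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS)
           for c, ch in enumerate(row)}

MIN_LENGTH = 8       # assumed policy value
MAX_WALK = 4         # longest keyboard walk we tolerate


def normalise(password: str) -> str:
    """Lower-case and drop non-alphanumerics, so "1q2w3e4r!" is judged on
    the core that a pattern-aware cracking rule would already cover."""
    return "".join(ch for ch in password.lower() if ch.isalnum())


def longest_keyboard_walk(core: str) -> int:
    """Longest run of consecutive characters that are physically adjacent
    keys (horizontally, vertically or diagonally), e.g. 8 for 1q2w3e4r."""
    best = run = 1 if core else 0
    for a, b in zip(core, core[1:]):
        pa, pb = KEY_POS.get(a), KEY_POS.get(b)
        adjacent = (pa is not None and pb is not None and pa != pb
                    and abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1)
        run = run + 1 if adjacent else 1
        best = max(best, run)
    return best


def check_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    core = normalise(password)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in DENYLIST or core in DENYLIST:
        problems.append("appears on the common-password denylist")
    walk = longest_keyboard_walk(core)
    if walk > MAX_WALK:
        problems.append(f"contains a keyboard walk of {walk} keys")
    if len(core) >= 4 and len(set(core)) <= 2:
        problems.append("made of one or two repeated characters")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "1q2w3e4r5t6y", "18atcskd2w",
                      "correcthorsebatterystaple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

Note what the pattern checks do and do not buy you: “1q2w3e4r5t6y” is long enough and not on the list, yet it is still rejected as a 12-key walk, while a bot-style string such as “18atcskd2w” is only caught because it is on the denylist. With a seven-entry list, “password” sails through, which is why a real deployment loads a large breach-derived list rather than a handful of headline entries.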
If you’re unsure where to go from here, start by using a password manager that generates strong passwords for you and syncs them across multiple devices. LastPass, Keeper, Dashlane, and RoboForm are all multi-platform password managers with free and paid versions worth looking at. For more security, with or without a password manager, you should also enable two-factor authentication on all your online accounts. TwoFactorAuth, an online database of companies whose online services support it, is a good place to check, and Sony recently set up a rather robust 2FA system that everyone who plays online should use.
If you just want to change all the passwords you have now before looking into more advanced solutions, use this website to generate some random passwords that will be easy to remember. Make 2017 the year you stop using bad passwords!
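For anyone who would rather generate the replacements locally than through a website, here is an added example (not from the original post, and not the generator the post links to) that draws both a word-based passphrase and a random character string from the operating system’s cryptographic random source, and works out how many bits of entropy each gives. The sixteen-word list is a constructed stand-in; a real passphrase generator uses a list of several thousand words.

```python
"""Added example, not from the original post: generating passwords with the
OS cryptographic random source and comparing the entropy of a word-based
passphrase with that of a random character string. The word list is a
constructed stand-in; a real generator uses several thousand words."""
import math
import secrets
import string
from typing import List

# Constructed sample list (16 words -> log2(16) = 4 bits per word).
WORDS = ["correct", "horse", "battery", "staple", "orbit", "velvet",
         "cactus", "lantern", "pebble", "window", "tundra", "marble",
         "falcon", "copper", "meadow", "silver"]

# 52 letters + 10 digits + 32 punctuation marks = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_passphrase(n_words: int, words: List[str] = WORDS,
                      sep: str = "-") -> str:
    """Pick words uniformly with secrets.choice; random.choice is seeded
    from a guessable state and is not suitable for passwords."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_password(length: int, alphabet: str = ALPHABET) -> str:
    """Uniformly random characters from the given alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices: int, symbols: int) -> float:
    """Entropy of `choices` independent picks from `symbols` equally
    likely options: choices * log2(symbols)."""
    return choices * math.log2(symbols)


def stronger_option(n_words: int, wordlist_size: int,
                    length: int, alphabet_size: int = len(ALPHABET)) -> str:
    """Say whether an n-word passphrase or a length-character random
    password carries more entropy."""
    phrase = entropy_bits(n_words, wordlist_size)
    chars = entropy_bits(length, alphabet_size)
    return "passphrase" if phrase >= chars else "password"


if __name__ == "__main__":
    print(random_passphrase(5), f"({entropy_bits(5, len(WORDS)):.1f} bits)")
    print(random_password(12), f"({entropy_bits(12, len(ALPHABET)):.1f} bits)")
    # Against a 7776-word list (the usual diceware size), five words beat an
    # 8-character random password; four words fall just short.
    print("5 words vs 8 chars:", stronger_option(5, 7776, 8))
    print("4 words vs 8 chars:", stronger_option(4, 7776, 8))
```

The entropy figures are what make a memorable passphrase defensible: five words from a 7776-word list give roughly 64.6 bits, more than an 8-character string from a 94-symbol alphabet (about 52.4 bits), whereas four words come in at about 51.7 bits and lose by a hair. The strength comes entirely from the random pick, so the words must come from `secrets`, not from whatever phrase first springs to mind.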