Think your email password is so clever no one could possibly guess it? Think again. SplashData has released its annual list of the ‘worst passwords’.
For the first time since the list launched, ‘password’ has been knocked off the top spot, replaced this year by ‘123456’ as the most common password.
Some less predictable passwords to make the list of the 25 worst passwords include ‘letmein’, ‘trustno1’ and ‘monkey’.
The ranking was compiled from data on millions of stolen passwords, including those exposed in Adobe’s well-publicised security breach.
SplashData chief executive Morgan Slain said in a blog post that people continue to put themselves at risk by using weak, easily guessed passwords.
“Seeing passwords like ‘adobe123’ and ‘photoshop’ on this list offers a good reminder not to base your password on the name of the website or application you are accessing,” Slain says.
“Another interesting aspect of this year’s list is that more short numerical passwords showed up even though websites are starting to enforce stronger password policies. For example, new to this year’s list are simple and easily guessable passwords like ‘1234’ at #16, ‘12345’ at #20, and ‘000000’ at #25.”
Other common passwords included ‘qwerty’, ‘111111’ and ‘Iloveyou’, all placing in the top 10.
Fronde chief technology officer James Valentine told SmartCompany that secure passwords are more important than ever, although they’re only a minor defence against hackers.
“There is a whole lot of computer science literature which describes the characteristics of an effective password, but generally the longer the password the more secure it is,” he says.
“This is because of the number of combinations required to hack it. The length is primary, and second to that is the number of different types of characters.”
SplashData recommends using passwords of eight characters or more with mixed types of characters, but it says not to make it so difficult you don’t remember it.
“One way to create more secure passwords that are easy to recall is to use passphrases — short words with spaces or other characters separating them,” it says.
“It’s best to use random words rather than common phrases. For example, ‘cakes years birthday’ or ‘smiles_light_skip?’”
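As an added example, not from the article, SplashData or Fronde, the following Python script puts numbers on the two points above: Valentine’s claim that length matters more than character variety (the “number of combinations” is length × log2 of the character pool), and SplashData’s advice to reject site-derived and known-weak passwords in favour of random-word passphrases. The weak-password set is constructed from the entries the article quotes, the word list is a hypothetical ten-word stand-in for a real list of thousands, and the 50-bit threshold and 7776-word list size (the Diceware list size) are assumptions for illustration.

```python
import math
import secrets

# Constructed sample drawn from the entries the article quotes from the
# SplashData list, lower-cased for comparison. A production checker would
# load a much larger breach-derived list.
KNOWN_WEAK = {
    "123456", "password", "letmein", "trustno1", "monkey", "qwerty",
    "111111", "iloveyou", "adobe123", "photoshop", "1234", "12345", "000000",
}

# Hypothetical tiny word list for the passphrase generator; a real one
# has thousands of entries (the Diceware list, for example, has 7776).
WORDS = ["cakes", "years", "birthday", "smiles", "light", "skip",
         "river", "pencil", "orbit", "velvet"]


def charset_size(pw: str) -> int:
    """Size of the pool a guesser must cover, from the character classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33          # printable ASCII punctuation plus space
    return size


def entropy_bits(pw: str) -> float:
    """Upper bound on guessing entropy: length * log2(pool size).

    This is the 'number of combinations' Valentine refers to. It is only a
    bound: a dictionary word or a leaked password is guessed far sooner,
    which is why check_password also consults KNOWN_WEAK.
    """
    pool = charset_size(pw)
    return len(pw) * math.log2(pool) if pool else 0.0


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of uniformly random words: words * log2(list size)."""
    return word_count * math.log2(wordlist_size)


def check_password(pw: str, site_name: str = "",
                   min_length: int = 8, min_bits: float = 50.0):
    """Return (ok, reasons), rejecting known-weak, site-derived, short or
    low-entropy passwords. min_length follows SplashData's eight-character
    advice; min_bits is an assumed threshold for this example."""
    reasons = []
    low = pw.lower()
    if low in KNOWN_WEAK:
        reasons.append("known-weak")
    if site_name and site_name.lower() in low:
        reasons.append("contains-site-name")
    if len(pw) < min_length:
        reasons.append("too-short")
    if entropy_bits(pw) < min_bits:
        reasons.append("low-entropy")
    return (not reasons, reasons)


def generate_passphrase(word_count: int = 4, sep: str = " ",
                        wordlist=WORDS) -> str:
    """Random-word passphrase drawn with the CSPRNG, per SplashData's advice."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    # Eight characters of four classes lose to twelve lowercase letters:
    # length is primary, character variety secondary.
    for pw in ["123456", "P@ssw0rd", "cakesyearsbi", "smiles_light_skip?"]:
        print(f"{pw!r:22} {entropy_bits(pw):6.1f} bits  {check_password(pw)}")
    print("4 words from a 7776-word list:",
          round(passphrase_bits(4, 7776), 1), "bits")
    print("generated:", generate_passphrase())
```

Running it shows ‘P@ssw0rd’ scoring about 52.6 bits against about 56.4 bits for twelve plain lowercase letters, and ‘adobe123’ failing both the known-weak and site-name checks when the site is ‘adobe’, which is exactly the pattern Slain warns about.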
Valentine says everyone has had the experience of signing up to a website and being forced to create a challenging password.
“Some conditions are sensible, but others are just arbitrary and frustrating. If you force people to create a password they can’t remember you’ll make them create a bad password,” he says.
“The real solution is people should stop creating passwords themselves. There are password generation tools available and then the passwords are stored in a secure vault and you don’t have to think of a new password for each site.”
Valentine says one of the worst things to do is reuse passwords on a variety of sites.
“Reusing passwords across multiple websites means if a security breach occurs then the attackers can login to the person’s email and social media accounts too,” he says.
“It comes down to what each website supports, but one good thing some websites do is let people login with their Facebook or Gmail identity. Others also have a two-factor identification process. One thing consumers can do is to use a new browser like Google Chrome and make sure they’re careful when using a public computer.”