Internet users continue to put their security at risk by using generic passwords such as “123456” and “password”, despite widespread advice to create more unique and secure codes.
Both “123456” and “password” have held the top two spots on SplashData’s annual list of leaked passwords since the first list in 2011, and data released by SplashData yesterday shows 2015 was no different.
The top 10 passwords on the 2015 list are dominated by numerical passwords, with football, baseball and ‘qwerty’ also among the least secure passwords being used online.
However, it seems the latest Star Wars movie may also have been front of mind when internet users were creating passwords in 2015, with ‘starwars’ coming in at number 25 on the list.
Other additions to the 2015 list that did not appear on the same list in 2014 include “princess”, “solo”, “login” and “welcome”.
The list is compiled from more than 2 million passwords that were leaked online during 2015, with the majority of passwords evaluated coming from users in North America and Western Europe.
Michael McKinnon, security awareness director at AVG, told SmartCompany this morning that creating and re-using generic passwords is part of “human nature”.
“Passwords are annoying,” he says.
“We have so many things to log into these days and it is very hard to keep track of all our passwords.”
Faced with increasing numbers of online retailers and service providers requiring users to create accounts, McKinnon says it is not surprising that people have a “natural tendency” to fall back on generic passwords, especially if they are pressed for time.
However, McKinnon says lists such as those produced by SplashData show that even variations on generic passwords that substitute letters for numbers or add capital letters to the start of words are still not safe.
“Those techniques just aren’t secure and we need to get out of the habit of doing that,” he says.
Business owners putting their security at risk
McKinnon says the risk of using generic or well-known passwords for business owners is two-fold.
“The risk for any business owner is your staff may be creating passwords like these and that potentially exposes the company’s accounts and services to attacks,” he says.
“They should make sure their own passwords are safe and secure but also get the message out to staff members.”
McKinnon says it is relatively easy to create secure passwords by using at least 12 characters, a combination of upper and lower case characters, and a mix of numbers and symbols. He also recommends considering using multiple words or a phrase in a password.
But the other important piece of the puzzle is to not re-use the same password across multiple accounts, even if it is a strong password.
“The trick here as well is as we get better at creating more complex passwords, they become harder to remember and we tend to be tempted to re-use them across multiple systems,” he says.
“That is the biggest weakness we face.”
“A long and secure password is a must but it should also be reasonably unique for every account.”
The 25 passwords most likely to be hacked in 2015, according to SplashData, are:
Rank | Password | Change in rank from 2014
1 | 123456 | Unchanged
2 | password | Unchanged
3 | 12345678 | Up 1
4 | qwerty | Up 1
5 | 12345 | Down 2
6 | 123456789 | Unchanged
7 | football | Up 3
8 | 1234 | Down 1
9 | 1234567 | Up 2
10 | baseball | Down 2
11 | welcome | New
12 | 1234567890 | New
13 | abc123 | Up 1
14 | 111111 | Up 1
15 | 1qaz2wsx | New
16 | dragon | Down 7
17 | master | Up 2
18 | monkey | Down 6
19 | letmein | Down 6
20 | login | New
21 | princess | New
22 | qwertyuiop | New
23 | solo | New
24 | Passw0rd | New
25 | starwars | New
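
For business owners who want to enforce McKinnon's advice at sign-up, the following is an added example (not part of the original article or anything SplashData publishes) of a password screen that rejects variants of the 25 listed passwords and applies the 12-character, mixed-character guidance. The function names, the substitution map and the set of stripped trailing characters are assumptions made for illustration.

```python
# The 25 passwords from SplashData's 2015 list, as printed in the article.
COMMON = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey",
    "letmein", "login", "princess", "qwertyuiop", "solo", "Passw0rd",
    "starwars",
}

MIN_LENGTH = 12  # McKinnon's suggested minimum

# Assumed map that undoes common number/symbol-for-letter swaps.
LEET = str.maketrans("013457@$!", "oleastasi")
# Assumed set of characters people append to "strengthen" a weak word.
TRAILING = "0123456789!@#$%^&*?."

# Listed passwords in lowercase, with and without substitutions undone.
BLOCKED = {p.lower() for p in COMMON} | {p.lower().translate(LEET) for p in COMMON}


def variants(pw):
    """Forms of pw with capitals, appended digits and swaps removed."""
    low = pw.lower()
    forms = {low, low.translate(LEET)}
    stripped = low.rstrip(TRAILING)
    if stripped:  # all-digit passwords strip to nothing; skip that form
        forms |= {stripped, stripped.translate(LEET)}
    return forms


def check_password(pw):
    """Return a list of problems; an empty list means pw passes."""
    problems = []
    if variants(pw) & BLOCKED:
        problems.append("variant of a listed common password")
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    has_all = (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
               and any(c.isdigit() for c in pw)
               and any(not c.isalnum() for c in pw))
    if not has_all:
        problems.append("missing upper case, lower case, number or symbol")
    return problems


if __name__ == "__main__":
    for candidate in ("Passw0rd!2015", "St4rw4rs", "correct-Horse-battery-9"):
        print(candidate, check_password(candidate))
```

“Passw0rd!2015” meets the length and character-mix rules yet is still rejected, which is the point McKinnon makes about substitutions and capital letters.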