'Worst passwords of 2014' reveals that people simply don't care about security

Shawn Knight


Exactly one year ago today, SplashData revealed its third annual list of the top 25 worst passwords found on the Internet. Unsurprisingly, things really didn’t change all that much in 2014 as people continue to use weak passwords despite the consequences.

SplashData compiled its list from more than 3.3 million passwords leaked during the year, most of which belonged to people in North America and Western Europe. As we’ve seen in past years’ lists, simple numerical passwords remain common: nine of the top 25 passwords on the list are made up of numbers only.

Perhaps worst of all, however, is the fact that the top two spots remain unchanged from last year. Either way, here’s the complete list of the top 25 worst passwords for 2014.

1. 123456 (Unchanged from 2013)
2. password (Unchanged)
3. 12345 (Up 17)
4. 12345678 (Down 1)
5. qwerty (Down 1)
6. 1234567890 (Unchanged)
7. 1234 (Up 9)
8. baseball (New)
9. dragon (New)
10. football (New)
11. 1234567 (Down 4)
12. monkey (Up 5)
13. letmein (Up 1)
14. abc123 (Down 9)
15. 111111 (Down 8)
16. mustang (New)
17. access (New)
18. shadow (Unchanged)
19. master (New)
20. michael (New)
21. superman (New)
22. 696969 (New)
23. 123123 (Down 12)
24. batman (New)

Although the advice will likely fall on deaf ears, SplashData offers three simple tips to help protect users online.

For starters, it’s best to use passwords of eight characters or more with mixed types of characters. SplashData also urges users to avoid using the same username/password combination on multiple websites, and, last but not least, recommends a password manager such as 1Password or LastPass.
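A small policy check that encodes the first two tips (length and mixed character types) together with the article's own top-25 list as a denylist. This is an added example, not SplashData's or TechSpot's code; the thresholds (eight characters, at least two character classes) are assumptions taken from the advice above.

```python
import re

# Top 25 worst passwords of 2014 as listed in the article (the page shows 24 entries).
SPLASHDATA_2014 = [
    "123456", "password", "12345", "12345678", "qwerty", "1234567890", "1234",
    "baseball", "dragon", "football", "1234567", "monkey", "letmein", "abc123",
    "111111", "mustang", "access", "shadow", "master", "michael", "superman",
    "696969", "123123", "batman",
]
DENYLIST = set(SPLASHDATA_2014)

# Character classes used for the "mixed types of characters" tip.
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(pw: str, min_len: int = 8, min_classes: int = 2) -> list:
    """Return the list of policy violations; an empty list means the password passes.

    Checks, in order: membership in the leaked top-25 list (case-insensitive, so
    "Password" does not slip through), minimum length, and how many character
    classes the password draws from. Nothing here can detect reuse across sites,
    which is the third tip and needs a password manager rather than a validator.
    """
    problems = []
    if pw.lower() in DENYLIST:
        problems.append("on the 2014 worst-passwords list")
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum(1 for rx in CLASSES.values() if rx.search(pw))
    if classes < min_classes:
        problems.append(f"uses only {classes} character class(es); need {min_classes}")
    return problems
```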


 
It is certainly true that too many people consider good security practice a terrible inconvenience. Password managers are a great tool to make password security convenient. If people continue to use easily compromised "passwords," perhaps financial institutions should require smartcards or fingerprint readers. Craig Herberg
 
I think the best way forward is for web designers and their clients to start insisting on every password using numbers, letters (both upper and lower case) and symbols. The end-user will generally go for the easiest route possible so weak passwords will continue to be chosen. Hell, the fact that some account systems don't even allow the user to use symbols is terrible.
 
This is, and probably always will be, my go-to for people talking about passwords and the need for letter substitutions. They're wrong and need to be told they are wrong.

http://xkcd.com/936/

You need words, but then you make them into a sentence, long enough that no one could guess it, and only use the first letter or couple of letters, the first and last, or whatnot. You could also make a small 5 by 5 grid with randomized letters and use a mental algorithm in order to get a password out of that, randomized enough to avoid brute force. Or, who knows, you could do tons of crazy stuff only you can remember or know how to decipher but no one else could, even if they have the grid of characters.
 
I would like to thank all the hackers who went through every weak website (like Sony's :p) and took all their unencrypted information like these here passwords. Or maybe these websites' admin passwords were just as weak.
Gives me a few suggestions of ones I can use next though.
 
This is, and probably always will be, my go-to for people talking about passwords and the need for letter substitutions. They're wrong and need to be told they are wrong.

http://xkcd.com/936/

No, they're not wrong. That strip is right with the maths it uses but that doesn't negate the fact that letter substitution and the use of symbols and numbers increases password security because it does.

Let's take that example in the strip, 'correct horse battery staple', and run a strength test (http://rumkin.com/tools/password/passchk.php):
correct horse battery staple
Length: 28
Strength: Strong - This password is typically good enough to safely guard sensitive information like financial records.
Entropy: 104.2 bits
Charset Size: 27 characters

Now let's do some letter substitution and use a symbol instead of a space:
C00r3ct#H0rs3#B4tt3ry#St4pl3
Length: 28
Strength: Very Strong - More often than not, this level of security is overkill.
Entropy: 136.9 bits
Charset Size: 72 characters

Notice the Entropy and Charset Size that the hacker is up against?
Now let's increase the Charset Size a little bit by adding a pipe to the beginning and end:
|C00r3ct#H0rs3#B4tt3ry#St4pl3|
Length: 30
Strength: Very Strong - More often than not, this level of security is overkill.
Entropy: 154.5 bits
Charset Size: 92 characters

And let's add an accent too:
|C00r3ct#H0rs3#B4tt3ry#St4plé|
Length: 30
Strength: Very Strong - More often than not, this level of security is overkill.
Entropy: 188.9 bits
Charset Size: 252 characters

Letter substitution and symbol use is better than using just letters and spaces. End of. Longer passwords will always be better but the previous rule still holds true.
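The two sides of this argument are using different attacker models, and that is worth making explicit. The added example below (not code from the post or from rumkin.com; the pool sizes per character class are assumptions) computes the charset-size estimate the strength checker above is based on, which assumes an attacker who tries every string over the alphabet, next to the estimate from the xkcd strip, which assumes an attacker who knows the password is dictionary words with a handful of predictable substitutions. The numbers differ by more than a factor of three for the same password, so a meter's "Very Strong" only holds against the attacker it models.

```python
import math
import string

# Pool sizes per character class (assumption): four ASCII classes plus one
# bucket for any non-ASCII character such as the accented "é" used above.
POOLS = [
    (lambda c: c in string.ascii_lowercase, 26),
    (lambda c: c in string.ascii_uppercase, 26),
    (lambda c: c in string.digits, 10),
    (lambda c: c in string.punctuation or c == " ", 33),
    (lambda c: ord(c) > 127, 128),
]


def charset_size(pw: str) -> int:
    """Alphabet a brute-force attacker must cover: every class that appears
    in the password contributes its whole pool, as charset-based meters do."""
    return sum(size for member, size in POOLS if any(member(c) for c in pw))


def brute_force_bits(pw: str) -> float:
    """log2(N^L): entropy against an attacker who treats the password as
    L independent draws from an alphabet of size N."""
    return len(pw) * math.log2(charset_size(pw))


def passphrase_bits(n_words: int, dict_size: int = 2048, n_substitutions: int = 0) -> float:
    """Entropy against an attacker who knows the construction: each word is one
    draw from a dictionary (xkcd 936 assumes about 2^11 common words) and each
    leet substitution is a known rule the attacker only has to toggle, so it
    is worth about one bit rather than a whole new character class."""
    return n_words * math.log2(dict_size) + n_substitutions


def compare(pw: str, n_words: int, n_substitutions: int) -> dict:
    """Both estimates for one password, rounded to a tenth of a bit."""
    return {
        "charset": charset_size(pw),
        "brute_force_bits": round(brute_force_bits(pw), 1),
        "passphrase_bits": round(passphrase_bits(n_words, n_substitutions=n_substitutions), 1),
    }
```

For the leet version above (nine single-letter substitutions), `compare("C00r3ct#H0rs3#B4tt3ry#St4pl3", 4, 9)` reports about 184 bits under the charset model but only 53 under the dictionary-plus-rules model.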
 
The thing is the dumbest idea ever heard. The best phrase meaning passphrase. Just because you use uppercase letters and lowercase letters, it does not make you any more secure than somebody who uses a passphrase, let's say like "Just left over pizza": easy to remember, hard to guess. I would hate to be the admin; they would be changing and resetting passwords on almost a daily basis because people forget them, it's too complex to remember.
 
If all used passwords can be counted, then what's the point in having security? Using security means they don't know which passwords people use.

If asked I will likely tell them I use "123456", just to keep from telling them which one I really do use. This research is BS, or we really don't have security no matter how strong our password is.
 
Everyone's missing the point. The problem these days is account overload. I have 77 different accounts (e-mail, social media, shopping, SSIDs etc.). I actually do use a different password for every account. Although I have a system in place for doing that and actually remembering what the damn passwords are, most people don't. So what do they do? They either start using the same password for everything, or they use passwords that are so stupid simple they won't forget them. I have to "have an account" with every single online vendor I make purchases from, with every online service I use. It's ridiculous - 77 frikken accounts. We need to get rid of passwords altogether and come up with something different, like fingerprints.
 
If all used passwords can be counted, then what's the point in having security? Using security means they don't know which passwords people use.

If asked I will likely tell them I use "123456", just to keep from telling them which one I really do use. This research is BS, or we really don't have security no matter how strong our password is.

This research comes from hacked sites that get their passwords published, it's not like they go on the street and ask "hey good sir, could you please tell me the passwords you use on a daily basis?"............
 
This research comes from hacked sites that get their passwords published
OK - Let's ask @Julio Franco: if TechSpot got hacked, how many of our passwords would be revealed? I'm betting the number will be 0, because the passwords are not stored in plain text. And if the top ten are from old accounts, there is no wonder they are staying in the top ten. Wouldn't surprise me, because apparently the hacked sites are old and outdated, with insecure password listings in plain text.
 
I'm no expert but my understanding is that our backend stores passwords hashed and salted. At the very least, no plain text here :cool:
 