Reaffirming a smaller study released earlier this year, SplashData has published a list of this year's 25 worst passwords. We've seen countless security breaches this year and in many of those cases, the hackers released the stolen data online. SplashData has used that information to compile its list. Although some of the swiped passwords were shamelessly stored in plaintext, most were encrypted. In other words, for the following passwords to even make it on the top 25 list, they must have been cracked. That just further illustrates how worthless they are:
|1. password||6. monkey||11. baseball||16. ashley||21. 654321|
|2. 123456||7. 1234567||12. 111111||17. bailey||22. superman|
|3. 12345678||8. letmein||13. iloveyou||18. passw0rd||23. qazwsx|
|4. qwerty||9. trustno1||14. master||19. shadow||24. michael|
|5. abc123||10. dragon||15. sunshine||20. 123123||25. football|
Naturally, if you're using any of those passwords, you should change them immediately. SplashData offers other tips on securing your Web accounts. For starters, you'll want to use passwords of at least eight characters or more with mixed alphanumerics. Without the help of a service such as LastPass or RoboForm it can be difficult to remember long, randomly generated strings of text. SplashData suggests using memorable short words separated by spaces or other characters such as "eat cake at 8!" or "car_park_city?". Programs such as KeePass can safely store your passwords locally.
"Hackers can easily break into many accounts just by repeatedly trying common passwords. Even though people are encouraged to select secure, strong passwords, many people continue to choose weak, easy-to-guess ones, placing themselves at risk from fraud and identity theft," said SplashData CEO Morgan Slain. "What you don't want is a password that is easily guessable. If you have a password that is short or common or a word in the dictionary, it's like leaving your door open for identity thieves." With attackers on the prowl this holiday season, it's a great time to secure your accounts.
In a completely anecdotal side note, I feel compelled to mention that it seems some people are lured into a false sense of invincibility online. Perhaps it's because of the Web's relative anonymity, their general misunderstanding of the technology, or both. Many of the same individuals would cling to symbols of real world security -- be that an easily bypassed $10 door lock or forfeiting civil liberties to travel. Point being: it's odd that many people don't take advantage of free and easy security measures online, but they'll go to great lengths for lackluster security measures in the real world.