“123456” and “password” once again took first and second place among the “worst passwords of 2015,” highlighting the ongoing security problem of using simple credentials to log in to online accounts, according to SplashData.
Every year the password management firm trawls the web for plain text password dumps, and publishes its findings to illustrate the importance of creating strong credentials.
In 2015 it found over two million such passwords – mostly coming from hacks, breaches or leaks and linked to users in North America and Western Europe. Around 3% were represented in the Top 25.
Aside from the top two, which remained unchanged from last year, SplashData reported “12345678” in third place and “qwerty” in fourth, with “12345” rounding out the top five.
The top 25 ‘worst’ passwords list also contained easy-to-guess words such as the names of popular sports (football, baseball), and even some new Star Wars-related credentials (solo, princess, starwars).
SplashData’s advice is to use passwords or passphrases of 12 characters or more with a mix of characters, and to avoid reusing them on different sites. A password manager is recommended to simplify the process and create random, strong credentials.
AlienVault security advocate, Javvad Malik, claimed poor password management can undermine all the good security work done by a website or app developer.
“The reason why these common passwords are so dangerous is that it gives an attacker an easy way to get into accounts,” he added. “It's similar to having a master key that you know will work on at least 10% of the houses on your street.”
Brian Spector, CEO of Miracl, argued that the industry “needs to get over passwords altogether.”
“They don’t scale for users, they don’t protect the service itself and they are vulnerable to a myriad of attacks,” he added.
“However, there are cryptographic security advancements available in the authentication space today, that combine multi-factor-authentication with excellent ease of use that delight customers.”