Last week, SplashData, a provider of password management technology, released its annual list of the most common passwords found among the millions made public through various breaches in the last year.
I will not, in this article, enter the debate as to whether or not it is ethical, or even legal, for commercial enterprises and other private parties to analyze data lifted from breached systems. In at least some cases, the data would seem to be stolen property; the SplashData list has already received abundant media coverage, and, at this point, my commenting on lessons learned from it no longer creates a moral quagmire.
As you can see from the list below, the most commonly used passwords within the collection of over two million are quite weak--with "123456," "password," and "12345678" leading the pack; it seems that years of attempts at educating people not to choose poor passwords have been far from successful.
Interestingly, many of the passwords on the list have also appeared on the list in prior years--"123456" and "password" led the list last year as well--meaning that people have not only been using weak passwords in general for quite some time, but that they continue to use specifically the passwords most commonly used at breached sites, and which hackers are most likely to try first when attempting to crack accounts. So much for security.
It is also worthwhile to note that some of the passwords appearing on the list for the first time (e.g., "1234567890") seem to be longer versions of exceedingly poor passwords used in the past. Such a development likely indicates that either websites are attempting to improve security by requiring longer passwords while simultaneously failing to address far more serious password shortcomings, or that people have come to the erroneous conclusion that lengthening passwords automatically improves their security.
The fact that passwords like "solo" and "star wars" are now on the list is not surprising, and not indicative of strong security--hackers have known for a long time to try permutations of trending entertainment and sports themes when attempting to crack passwords.
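The two preceding points (lengthened versions of weak passwords, and trivially disguised entertainment themes) translate directly into a registration-time check. The following is an added example, not SplashData's code or anything from the article: the blocklist is constructed from the passwords the article quotes, the minimum length of 12 is an assumed policy value, and the check deliberately tests the blocklist and pattern rules before the length rule so that a merely stretched-out weak password still fails.

```python
import re
import string

# Constructed blocklist: the passwords quoted in the article (a real deployment
# would load a full breached-password corpus here).
BLOCKLIST = {"123456", "password", "12345678", "1234567890", "solo", "star wars"}
SEQUENCES = (string.digits, string.ascii_lowercase, "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12  # assumed policy value

def normalize(pw):
    """Lower-case, drop whitespace, undo the two commonest symbol substitutions."""
    return re.sub(r"\s+", "", pw.lower()).translate(str.maketrans("@$", "as"))

NORMALIZED_BLOCKLIST = {normalize(p) for p in BLOCKLIST}

def is_sequence(pw):
    """True when pw is a run, forward or backward, of digits, letters or a keyboard row."""
    if len(pw) < 4:
        return False
    return any(pw in seq * 2 or pw in seq[::-1] * 2 for seq in SEQUENCES)

def is_repetition(pw):
    """True when pw is one short unit repeated: "aaaaaa", "abcabcabc"."""
    return len(pw) >= 4 and (pw + pw).find(pw, 1) < len(pw)

def check_password(pw):
    """Return (accepted, reason). The length rule comes last on purpose:
    a password that is only a stretched-out weak one must still fail."""
    norm = normalize(pw)
    core = norm.strip(string.digits + string.punctuation)  # "Password123!" -> "password"
    if norm in NORMALIZED_BLOCKLIST or core in NORMALIZED_BLOCKLIST:
        return False, "is on the breached-password list"
    if is_sequence(norm):
        return False, "is a counting or keyboard sequence"
    if is_repetition(norm):
        return False, "is a repeated pattern"
    if len(pw) < MIN_LENGTH:
        return False, "is shorter than %d characters" % MIN_LENGTH
    return True, "ok"

if __name__ == "__main__":
    for candidate in ("123456", "1234567890", "Password123!", "St@r Wars", "correct horse battery staple"):
        ok, why = check_password(candidate)
        print("%-30r %s" % (candidate, "accepted" if ok else "rejected: " + why))
```

Note that a policy consisting only of the length rule would accept "1234567890", which is exactly the failure the article describes.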
Why do people use such poor passwords? Typically the answer that is given is that it is simply too difficult to remember many strong passwords.
But that need not be the case. There are definitely ways to create strong passwords that you can easily remember.
So, check out SplashData's list, and if you're using any of these codes on any site of importance, beware: These will likely be among the first passwords that any hacker trying to breach your account will try. It is probably also ideal not to use any of them even on an unimportant site; use something else that is easy to remember in order to reduce the likelihood of your having to deal with creating new accounts due to a breach.