Millions of Net surfers use obvious passwords to log on to websites, but their numbers appear to be declining.
SplashData on Tuesday published its annual list of the top 25 most common — thus worst — passwords leaked online. In the top spot was “123456,” followed by “password” and “12345.”
Both “123456” and “password” claimed the top spots in 2013, too, but “12345” was in the No. 17 spot last year.
In addition to consecutive numbers, lazy password creators used obvious letter combinations. “Qwerty” was No. 5 on the list. Superheroes also ranked — “superman” placed 21st and “batman,” 24th. Sports were popular too — “baseball” was listed at No. 8 and football at No.10.
“Sports teams, sports names, people’s names, pets’ names — those are always popular passwords, which is why they should be avoided,” SplashData CEO Morgan Slain told the E-Commerce Times.
Silver Lining
While the security community may be disheartened by the SplashData findings, there may be a silver lining.
“The bad news from my research is that this year’s most commonly used passwords are pretty consistent with prior years,” said security expert Mark Burnett, who collaborated on the list.
“The good news is that it appears that more people are moving away from using these passwords,” he observed.
“In 2014, the top 25 passwords represented about 2.2 percent of passwords exposed,” Burnett noted. “While still frightening, that’s the lowest percentage of people using the most common passwords I have seen in recent studies.”
In the past three years, the top 25 common passwords have been around 4 percent of the exposed passwords gathered by SplashData, CEO Slain said, but on other lists compiled by researchers, the common passwords have reached as high as 25 percent of the passwords studied.
SplashData compiled its top 25 worst list from some 3.3 million passwords posted to the Internet by website hackers. That may influence the strength of the passwords in the sample.
“These sites probably don’t have the best policies for forcing people to choose secure passwords,” Slain explained. “That’s why you end up with passwords like ‘12345,’ which most secure sites would not allow.”
Convenience Trumps Security
In addition, there’s no way to determine from the passwords gathered by SplashData how many times a popular password like “123456” was used as a throwaway password — a password used to access a website that a user intends to visit infrequently and won’t be giving any sensitive information.
“A lot of people use throwaway passwords, but where that becomes an issue is when people use those same passwords for their more sensitive logins,” Rob Dinuzzo, a marketing manager at Siber Systems, told the E-Commerce Times.
Why do so many people use and reuse simple passwords online despite warnings not to do so?
“Many times it’s for convenience,” said Becky Frost, senior manager for consumer education at ProtectMyID.
“People will forego security for convenience,” she told the E-Commerce Times.
On the other hand, if fewer websites demanded passwords, it could make it more convenient to create and remember passwords for websites that really needed them. That’s unlikely to happen, however.
“You see more and more websites do it, because they’re trying to gather information about their users so they can sell that information to advertisers,” Abine CEO Rob Shavell told the E-Commerce Times.
“Even though from a user’s view there’s no need for a website to require a username and password, the website needs it because it’s trying to make more money from the attention the user gives the website,” he explained.
Passwords as Cockroaches
Lists like the one compiled by SplashData would be unnecessary if the need for passwords were to disappear — something that’s been predicted for years.
“In the long run, you will find new technologies replacing the password, including biometric identification, but that process is going to take longer than people assume it will,” SplashData’s Slain said. “The password is so ubiquitous now it’s going to take time to replace it with new technology.”
Others find the password’s position in security more permanent.
“I think passwords are here to stay. All the futuristic technologies have big problems associated with them,” said Abine’s Shavell.
“The best solution to the problem is already here — not in the future. It’s called a ‘password manager,'” he maintained.
“Passwords, like cockroaches, will likely always be with us,” Open Identity Exchange Chairman Don Thibeau told the E-Commerce Times — “ugly, useless and undermining our privacy and security.”
>> "Passwords, like cockroaches, will likely always be with us," Open Identity Exchange Chairman Don Thibeau told the E-Commerce Times — "ugly, useless and undermining our privacy and security."
This guy not so bright. Passwords are not ugly. You want to talk about "the future" like biometrics? That’s the dumbest possible road to go down. If somebody gets your password, you can change it. If somebody gets your fingerprint, you can’t change that…
Let us remember that Apple’s TouchID was circumvented on the FIRST day of the iPhone 5S release. In the words of the whitehat group that first bypassed TouchID, "We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token."