When it comes to password hygiene, many of us are still ignoring the basics.
Password management specialist SplashData has released its eighth ‘Worst Passwords of the Year’ list: a roundup of the most commonly used and easily guessable passwords. The list is based on an evaluation of more than 5 million passwords leaked on the internet (passwords relating to hacks of adult sites are not included!).
It’s estimated that 10 percent of internet users are guilty of using at least one of the top 25 most popular passwords. 3 percent of people use the very worst password: ‘123456’.
Extremely lazy numerical and keyboard patterns feature heavily in the list (e.g. ‘qwerty’ and ‘abc123’). Obvious phrases are popular too; prominent examples of this include ‘password’ and ‘iloveyou’.
Celebrity names have always been a popular go-to source of passwords for many hapless users. Combine this with a little bit of social profiling and you’ve got a problem (tip: LionelMessi10 is never a good choice, doubly so if your Facebook page is full of Barca-related posts). Along these lines, the US President will doubtless be flattered by this year’s most noteworthy new entry on the list: it seems that ‘donald’ is currently the 23rd most popular password.
The top 25 worst passwords
Here’s the 2018 list (with changes from the previous year’s list)...
1. 123456 (Unchanged)
2. password (Unchanged)
3. 123456789 (Up 3)
4. 12345678 (Down 1)
5. 12345 (Unchanged)
6. 111111 (New)
7. 1234567 (Up 1)
8. sunshine (New)
9. qwerty (Down 5)
10. iloveyou (Unchanged)
11. princess (New)
12. admin (Down 1)
13. welcome (Down 1)
14. 666666 (New)
15. abc123 (Unchanged)
16. football (Down 7)
17. 123123 (Unchanged)
18. monkey (Down 5)
19. 654321 (New)
20. !@#$%^&* (New)
21. charlie (New)
22. aa123456 (New)
23. donald (New)
24. password1 (New)
25. qwert123 (New)
How a bad password leaves you exposed
The whole point of a password is to put in place a barrier between a hacker and the network, system, device, program or account you want to protect. So the more obvious the password, the weaker that barrier. Here’s a closer look at how you’re exposed…
Beware brute force attacks...
When it comes to system infiltration, you are not simply dealing with an intruder manually trying out different password combinations. You are far more likely to encounter a brute force attack, in which the attacker uses a cracking tool to work through combinations of usernames and passwords until a working one is found.
There are several common flavours of brute force attack (all of which are made a lot easier where the type of password listed above is used!):
- Dictionary attack. The hacker works through a long list of possible passwords and tries them all. You can filter this quite substantially by making certain assumptions about the type of user you are targeting.
- Credential recycling. The attacker gets hold of intel on passwords and usernames from other breaches and uses this data as a basis for a fresh attack of their own. It can often yield results because so many of us are guilty of recycling login details for multiple accounts.
- Reverse brute force attack. Let’s say that the hacker wants to infiltrate a big company. Of all the users on the network, they take a bet that at least a few of the network users will be dumb or lazy enough to have the likes of ‘123456’ as their password. Drawing from information from the likes of LinkedIn, they attempt to match possible usernames to this popular password.
Time for a password hygiene check?
Obviously, you would never use a ‘qwerty’ type password – and neither would you forget to swap out the factory default logins on your devices and peripherals. But one of the biggest challenges of working in cybersecurity involves policing the behaviour of other users. Ensuring good password hygiene is a big part of this.
Here are some tips for getting it right…
Have a clear policy in place
Typically, this might include the following:
Length and characters. We recommend passphrases of 12 mixed-type characters. (It takes less than a second to crack ‘123456’; in theory, it takes years to cold crack a 12-character mixed phrase.) An example of a very strong passphrase is "You miss 100% of the shots you don’t take." With a Massive Cracking Array (assuming one hundred trillion guesses per second) it would take 3.73 hundred billion trillion trillion trillion trillion centuries to crack.
Uniqueness. Where users duplicate identical passwords for multiple tools, a single hack could provide a way into multiple systems. Insist on a different password for each log-in.
Safe password management. Leave it to non-technical users to set their own passwords, and there’s always ‘that guy’ who will lapse into using the type of guessable patterns that dominate the SplashData list. With a password manager tool, you can generate secure random passphrases – and organise & store them securely at admin level.
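The policy points above can be enforced mechanically at the moment a user chooses a password. The following is an added example (not from the original post), in Python, that checks a candidate against the 2018 SplashData top-25 list quoted earlier, the 12-character mixed-type rule, and the keyboard and digit runs that dominate the list; the thresholds and the keyboard-row table are my assumptions.

```python
import re

# The 2018 SplashData top-25 list quoted above, used as a deny-list (compared case-insensitively).
WORST_25 = {
    "123456", "password", "123456789", "12345678", "12345", "111111",
    "1234567", "sunshine", "qwerty", "iloveyou", "princess", "admin",
    "welcome", "666666", "abc123", "football", "123123", "monkey",
    "654321", "!@#$%^&*", "charlie", "aa123456", "donald", "password1",
    "qwert123",
}

# Keyboard rows and digit sequences people lean on (assumed table; extend for other layouts).
KEYBOARD_RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789", "1234567890"]

def keyboard_pattern(pw: str, run_len: int = 4) -> bool:
    """True if pw contains run_len or more consecutive keys from a row or digit sequence, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_RUNS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run_len + 1):
                if seq[i:i + run_len] in low:
                    return True
    return False

def char_classes(pw: str) -> int:
    """Count how many of lower, upper, digit and symbol classes appear in pw."""
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))

def check_password(pw: str, min_len: int = 12, min_classes: int = 3) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if pw.lower() in WORST_25:
        problems.append("on the SplashData worst-25 list")
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if char_classes(pw) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    if keyboard_pattern(pw):
        problems.append("contains a keyboard or digit run")
    if len(pw) >= 4 and len(set(pw.lower())) <= 2:  # e.g. 111111, 666666
        problems.append("at most two distinct characters")
    return problems
```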
Recommended password managers include:
- LastPass - Most functionality with browser integration but highest attack surface.
- KeePass, KeePassX, KeePassXC - Moderate functionality and moderate attack surface. (What's the difference between KeePass, KeePassX and KeePassXC?)
- Master Password App - Least functionality and lowest attack surface.
Fit-for-purpose authentication: time to look beyond the password...
Let’s say one of your network users is tricked into disclosing a password via a phishing attempt; your assets are exposed no matter how ‘strong’ the password happens to be. Alternatively, let’s say you are hit by a brute force attack; if the password is poorly hashed, sooner or later it is going to be cracked…
You cannot rely solely on passwords to keep your assets safe.
For one thing, you should be looking at the type of security information and event management (SIEM) tools that can alert you to the fact that someone somewhere may be attempting to pick your locks - i.e. successful and failed logins from unfamiliar endpoints.
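Both the brute force flavours described earlier and the SIEM alerting suggested here come down to patterns in authentication logs. This added example (not from the original post) runs a small detector over a constructed log sample in an assumed one-line-per-attempt format: it flags many failures against one account from one source (classic brute force), one source failing against many accounts (the reverse brute force described above), and a successful login from an endpoint that user has not been seen on before; the thresholds and the per-user endpoint baseline are assumptions.

```python
import re
from collections import defaultdict

# Constructed auth log (assumed format "<ts> <failed|success> login for <user> from <ip>");
# the addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
2018-12-14T09:00:01Z failed login for alice from 203.0.113.9
2018-12-14T09:00:02Z failed login for bob from 203.0.113.9
2018-12-14T09:00:03Z failed login for carol from 203.0.113.9
2018-12-14T09:00:04Z failed login for dave from 203.0.113.9
2018-12-14T09:00:05Z failed login for erin from 203.0.113.9
2018-12-14T09:01:00Z failed login for admin from 198.51.100.7
2018-12-14T09:01:01Z failed login for admin from 198.51.100.7
2018-12-14T09:01:02Z failed login for admin from 198.51.100.7
2018-12-14T09:01:03Z failed login for admin from 198.51.100.7
2018-12-14T09:01:04Z failed login for admin from 198.51.100.7
2018-12-14T09:01:05Z failed login for admin from 198.51.100.7
2018-12-14T09:01:06Z success login for admin from 198.51.100.7
2018-12-14T09:02:00Z success login for alice from 192.0.2.10
"""
LINE = re.compile(r"^(\S+) (failed|success) login for (\S+) from (\S+)$")
# Addresses each user has logged in from before (assumed to come from an earlier baseline).
KNOWN_ENDPOINTS = {"alice": {"192.0.2.10"}, "admin": {"192.0.2.20"}}

def analyse(log: str, fail_threshold: int = 5, spray_users: int = 5) -> dict:
    """Return alerts for brute force, reverse brute force (spray) and successes from unfamiliar endpoints."""
    fails_by_user_ip = defaultdict(int)   # (user, ip) -> failed attempts
    users_by_ip = defaultdict(set)        # ip -> distinct users it failed against
    alerts = {"brute_force": [], "spray": [], "unfamiliar_success": []}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _, result, user, ip = m.groups()
        if result == "failed":
            fails_by_user_ip[(user, ip)] += 1
            users_by_ip[ip].add(user)
        elif ip not in KNOWN_ENDPOINTS.get(user, set()):
            alerts["unfamiliar_success"].append((user, ip))
    # Many failures on one account from one source: a classic brute force attempt.
    for (user, ip), n in fails_by_user_ip.items():
        if n >= fail_threshold:
            alerts["brute_force"].append((user, ip, n))
    # One source trying a few guesses against many accounts: the reverse brute force pattern.
    for ip, users in users_by_ip.items():
        if len(users) >= spray_users:
            alerts["spray"].append((ip, len(users)))
    return alerts
```

In the sample, the success for admin from 198.51.100.7 right after six failures is the line a SIEM rule should escalate first: a brute force that appears to have worked, from an endpoint that account has never used.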
Where appropriate, you should also be looking at fitting a double lock on the systems under your watch. We’re talking here about two-factor authentication (2FA): incorporating a second step in the login process, such as a soft token using the Time-based One-time Password (TOTP) algorithm as offered by Google Authenticator, a hardware token, a biometric check or even SQRL.
Want to find out more about how to get authentication right? Here’s your next step...
The Complete Cyber Security Course (See Volume 2 on authentication)
Hi Nathan
Thank you for your interesting and important information. In terms of password managers, what are your thoughts on 1Password? I first came across this from reading Troy Hunt late last year as a result of first learning about “Have I Been Pwned?” and it’s the first one I’ve ever experienced. Am wondering how it stacks up.
cheers
Donna
1Password is fine, I just prefer LastPass.
What about the Mac OS/safari password manager?
The other options are better in my opinion. LastPass has much more functionality. I also recommend Firefox as a browser if you care about privacy and security.
Would you recommend Opera as well?
As a browser!? No. Firefox with add-ons like uBlock Origin.
Hi Nathan, what are your thoughts on the Brave browser? I have been using it for a few weeks now and it seems quite good so far.
I like the idea of it. But it’s still new. I’d like to see more eyes on it. In the past, we have had “secure” browsers with security holes. I like Firefox with extensions like uBlock Origin.
But since 1Password isn’t open source isn’t that a concern? I thought you mentioned that in your video course as a reason not to use certain apps.
I prefer open source myself yes. Sometimes you don’t have a choice. I like LastPass.
Very good. I actually saw an advertisement on telly from some VPN company trying to reach the non-tech masses; it’s funny, they are showing how easy it is to create a login and their password example is john123.
lol
I was surprised to see my password on the list :(
I seem to recall reading somewhere that even password managers could be hacked? Any thoughts on this?
There is no such thing as 100% security. Yes, it’s possible to “hack” password managers, especially if they are browser extensions. But it’s not simple. Using keyloggers to capture the master password is viable. But using password managers is less risky than using poor passwords over many sites.
People-encrypted passwords made simple. This is a one-page training session that has helped hundreds of users.
Remembering passwords is complex, but it doesn’t have to be.
Example website and password:
amazon.com – login llopez@miletechnologies.com – password I like to use mydoggie
bankofamerica.com – login louislopez67 – password I like to use mydoggie
Let’s make them people encrypted.
For Amazon (login llopez@miletechnologies.com): make the password the first 3 characters of the company in uppercase. The middle of the password will be the password I like to use. The end of the password I will make up as 1234!.
When written, I write this in an Excel spreadsheet or black password book.
website | login name | password
Amazon.com | llopez@miletechnologies.com | AMAx1234!
See the little “x” in the password. That is the people part of the encryption. It is not written down anywhere. It’s in my head. The real actual password is AMAmydoggie1234!. If someone finds the Excel spreadsheet, it means nothing to the person. If this is in a black book and written as AMAx1234!, then that means nothing. The real actual password is not written in its full form anywhere. If an untrusted person should see this password, they will try to log in as llopez@miletechnologies.com with a password of AMAx1234! and it will not work.
Let’s do another one.
For Bank of America (login llopez@miletechnologies.com): make the password the first 3 characters of the company in uppercase. The middle of the password will be the password I like to use. The end of the password I will make up as 1234!.
When written, I add this to my Excel spreadsheet or black password book.
website | login name | password
Bankofamerica.com | louislopez67 | BANx1234!
See how easy that is. You don’t have to use the first three characters of the company. You could use the first character of each part of the company name like BOA for Bank Of America.
Let’s do one more to make sure you get it.
For FakeWebsite.com (login llopez@miletechnologies.com): make the password the first 3 characters of the company in uppercase. The middle of the password will be the password I DON’T CARE ABOUT. The end of the password I will make up as 1234!.
When written, I add this to my Excel spreadsheet or black password book.
website | login name | password
fakewebsite.com | llopez@miletechnologies.com | FAKy1234!
Hey. Wait a minute. What is that “y” I used instead of “x”? Well, the reason is that I use an x that means mydoggie for all of my most important financial websites and my main email account related to those financial websites. The “y” is going to be untrusted. Literally “untrusted”. So, for the actual password on untrusted websites, I substitute the letter y in place of the secret. The real password here is FAKuntrusted1234!. Again, in my spreadsheet or black password book, I put FAKy1234!.
Remember your main recovery email for all financial/bank websites is equally important as the financial site itself.
If you change your password, simply change the last 4 numbers at the end and update your Excel spreadsheet or black password book.
Sincerely,
cyanohydrax
Use a password manager!
1 ring to rule them all? Password managers and complex generated passwords create Post-its. Security is not about passwords, but about people. I strongly advise against password managers. If they get that db you are screwed. Also the cloud-based password managers are a big leap of faith imho.
You think the alternative of using weak and reused passwords is a solution!?
Use password managers people, use 2FA. Use SQRL when it’s released.
How about a super weak password like 1234 and, like what Nathan House stated, 2FA with Google Authenticator or two-factor authentication by cell phone. The two factor eliminates hacked databases. If the two factor is not an option: don’t store any password in any browser. Don’t store passwords in password managers. Don’t write down any password without a human encryption. ABCx1234! is the password you write down. ABCchicken1234! is the actual password. Remember the chicken is the “x” and that’s never written down as chicken. Confusing, I know. If your black book was physical or stored in an Excel document, ABCx1234! means nothing to anyone but you. Probably use whatever word you want instead of chicken because of this written article. – Cyanohydrax
Yes, using the same password everywhere, really, increases the risk of your account being compromised.