For the second year in a row, "123456" remained the top password among the millions of cleartext passwords exposed online thanks to data breach incidents at various providers.
While having "123456" as your password is quite bad, the other terms found on a list of Top 100 Worst Passwords of 2017 are just as distressing and regretful.
Some of these include an extensive collection of sports terms (football, baseball, soccer, hockey, Lakers, jordan23, golfer, Rangers, Yankees), car brands (Mercedes, Corvette, Ferrari, Harley), and various expressions (iloveyou, letmein, whatever, blahblah).
But, by far, the list was dominated by names, with the likes of Robert (#31), Matthew (#32), Jordan (#33), Daniel (#35), Andrew (#36), Andrea (#38), Joshua (#40), George (#48), Nicole (#53), Hunter (#54), Chelsea (#62), Phoenix (#66), Amanda (#67), Ashley (#69), Jessica (#74), Jennifer (#76), Michelle (#81), William (#86), Maggie (#92), Charlie (#95), and Martin (#96), showing up on the list.
List compiled from five million leaked credentials
The list was put together by SplashData, a company that provides various password management utilities such as TeamsID and Gpass. The company said it compiled the list by analyzing over five million user records leaked online in 2017 and that also contained password information.
"Use of any of the passwords on this list would put users at grave risk for identity theft," said a SplashData spokesperson in a press release that accompanied a two-page PDF document containing a list of the most encountered passwords.
This is because attackers use these same leaked records to build similar lists of leaked passwords, which they then assemble as "dictionaries" for carrying out account brute-force attacks.
Attackers will use the leaked terms, but they'll also create common variations on these words using simple algorithms. This means that by adding "1" or any other character combinations at the start or end of basic terms, users aren't improving the security of their password."
Advising users on best password policies is simply stepping them through a good online training session like Creating Strong Passwords, and above all, staying away from the terms below.
1 - 123456 (rank unchanged since 2016 list)
2 - password (unchanged)
3 - 12345678 (up 1)
4 - qwerty (Up 2)
5 - 12345 (Down 2)
6 - 123456789 (New)
7 - letmein (New)
8 - 1234567 (Unchanged)
9 - football (Down 4)
10 - iloveyou (New)
11 - admin (Up 4)
12 - welcome (Unchanged)
13 - monkey (New)
14 - login (Down 3)
15 - abc123 (Down 1)
16 - starwars (New)
17 - 123123 (New)
18 - dragon (Up 1)
19 - passw0rd (Down 1)
20 - master (Up 1)
21 - hello (New)
22 - freedom (New)
23 - whatever (New)
24 - qazwsx (New)
25 - trustno1 (New)
How weak are *your* user’s passwords?
Are your user’s passwords…P@ssw0rd? Bad guys are constantly coming out with new ways to hack your network while evading detection.
Employees are the weakest link in network security, using weak passwords and falling for phishing and social engineering attacks.
Verizon's recent Data Breach Report showed that 81% of hacking-related breaches used either stolen and/or weak passwords.
KnowBe4’s complimentary Weak Password Test (WPT) checks your Active Directory for several different types of weak password related threats.
WPT gives you a quick look at the effectiveness of your password policies and any fails so that you can take action. This tests against 10 types of weak password related threats for example; Weak, Duplicate, Empty, Never Expires, plus 6 more.
Here's how the Weak Password Test works:
Reports on the accounts that are affected
Tests against 10 types of weak password related threats
Does not show/report on the actual passwords of accounts
Just download the install and run it
Results in a few minutes!
This will take you 5 minutes and may give you some insights you never expected!
Requirements: Active Directory, Windows 7 or higher (32 or 64bit)
Don't like to click on redirected buttons? Cut & Paste this link in your browser:
https://www.knowbe4.com/weak-password-test
(Cross-posted with grateful acknowledgement to Bleepingcomputer)