Hey, is Your Password on the Naughty List?

Category: Privacy

Splashdata's annual list of The Worst Passwords is out, and I hope none of your passwords is on it. To make this list, security software firm SplashData examines millions of passwords that were leaked in data breaches throughout the year, ranking passwords on their frequency of occurrence and security weakness. In other words, the passwords on this list are both commonly used and easily hacked. Find out if your password is on the list, and learn how to beef up your password security...

The Most Popular (and WORST) Passwords

SplashData's list of the 100 Worst Passwords for 2019 is actually a fun read, punctuated with some humorous graphics that underscore the reason why some passwords are particularly fool-hardy. The data comes from files of leaked and stolen passwords and user IDs, so SplashData is not telling bad guys anything they don’t already know. It’s very likely that all 100 of the Worst Passwords are among the first ones tried in simple "password spraying" attacks, where a hacker throws common passwords at a target until one of them works. These are easy pickings; if you use any of these passwords, you are far more likely to get hacked.

If you don't want to scroll through the list of all 100 terrible passwords, here are the 25 most common weak passwords for each year since 2011. For the seventh year in a row, the top Worst Password is “123456” but “password” has finally fallen out of the top two, moving to fourth place. So easy to type, “qwerty” moved up to third place for the first time.

Splashdata worst passwords of 2019

These and similar passwords epitomize the first two “don’ts” of password selection: don’t use an obvious word, or a simple pattern of keystrokes. Other popular examples include names (“charlie,” “michael”) and keyboard patterns (“111111” and “1q2w3e4r”). Names of sports teams and pop culture references (“lakers,” and “starwars”) are also lame.

Even longer combinations of letters and symbols like “password1” or “qwerty123” don’t make strong passwords, although many sites will tell you they are strong. The pattern or root word is too obvious. It's also a bad idea to reuse passwords across multiple online accounts. If one is breached, all are exposed.

You might chuckle at some of these ill-considered passwords, and wonder why you should care if "stupid people" have easily hacked online accounts. Here's why:

The people who use these lame passwords are not just harmless idiots. They are serious threats to the security of the entire Internet. Any compromised, connected computer or online account can and will be used to spread spam, malware, and other mischief to thousands of others. It’s tempting to think of the idiots’ own suffering (ID theft, financial fraud, data loss, etc.) as karma. But instead, let's take pity and share some information about how to avoid those perils.

Use a Password Manager to Generate, Save and Recall Your Login Credentials

There is absolutely no excuse for weak passwords anymore. Password manager software such as Roboform, Lastpass, KeePass, and Dashlane take the work out of creating and using long, strong passwords. Most of them provide a way to sync your passwords across multiple devices. Dashlane even has a feature that will change the passwords on multiple sites with just a few keystrokes; it’s good practice to change passwords on a regular basis.

I am liking Google Chrome’s recent upgrades to its (free) built-in password manager. When registering at a new site, Chrome can suggest a long, strong password; one click, and it is applied to your new account. If the sync feature is turned on in Chrome, your passwords are saved to your Google Account. Otherwise, your passwords are only stored on Chrome on your computer. Chrome will alert you if you use a password and username combination known to be compromised in a data breach. You can learn more about Google password management here.

Roboform, Dashlane, Lastpass and Chrome can all store your passwords in the cloud, with strong encryption, to enable access to your saved credentials from any computer or mobile device. If you recoil at the thought of storing all your passwords in cloud storage, consider KeePass. Unlike purely cloud-based password managers, KeePass will store your encrypted password vault where you tell it to. That could be on a local hard drive, a USB flash drive, or even in the cloud if you need to sync across desktop and mobile. Keepass is free, but not as user friendly and full-featured as the paid options I listed above.

Every now and then, you should review your saved passwords to see if there are any online accounts you no longer use. Go to the site(s) and delete or close such inactive accounts. The fewer opportunities to hack you, the better.

How do you handle passwords? Don’t give away any family secrets, but I would like to know in general how you create and manage your passwords; feel free to share ideas in the comments below.

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 24 Jan 2020

For Fun: Buy Bob a Snickers.

Prev Article:
Geekly Update - 23 January 2020

The Top Twenty
Next Article:
Help, My Friends Think I'm a Spammer

Most recent comments on "Hey, is Your Password on the Naughty List?"

Posted by:

24 Jan 2020

I have used Lastpass for years, I also keep a list of passwords on paper so if it does go down (which it has recently) I am not out luck

Posted by:

24 Jan 2020

I use Roboform, which does the job for me.

I also have a backup list of some of my most important passwords that I have stored on my Google Drive account.

Posted by:

24 Jan 2020

Dashline: I used the Free version of Dashline for several years. Sometime last year, or possibly in 2018, it started having trouble working, and then stopped completely. No messages, no warnings. I finally Uninstalled it this week.

Chrome's Pwd Mgr: I don't know when they started this, but when it did, it stopped remembering the pwd for my main (of 2) gmail account pwds. Then it stopped remembering my main account itself. It used to prompt for login to my main account, and have both accounts available as a drop-down; now it only remembers my 2nd account and the main one isn't even listed. I think Google also broke Dashline, as these things all happened too close together to be coincidence. Chrome Pwd Mgr also would not allow me to ADD my main account back on their list of pwds. Ugh!

Posted by:

John C
24 Jan 2020

I'm leery of password vaults. There's also a risk of not being able to access the passwords at all and being locked out of sites. Last Pass recently had an outage as reported in the Register.


Posted by:

Hugh Gautier
24 Jan 2020

It's a good thing that those supposed passwords were so easy using multiple letters or numbers. Now, let's go backwards a few years thinking toward the forties and fifties.
Think of products that didn't have duplications of letters and that can be made into a password that you ought to be able to remember. If you can't then write it down, DO NOT put it on a Post-it Note on your computer, you are just advertising how dumb you are.
I use words from that period and some from the Revolutionary War, especially ships. Don't be afraid of putting numbers, Cap letters and symbols in your password.
DON'T use your favorite pet's name because it is something that you bring up all of the time as well it would be an obvious password. DON'T USE SIMPLE words.
Old movies had some good words in them, but there is a drawback to using movie words in that they are reused again and again.
Supercalifragilisticexpealleydocious while it is long, there are too many letters being duplicated. Well, you should have seen the Vets office trying to put that name on her license documentation. Even though I had the name reduced to #4 type font so that they could copy and paste onto the license. They didn't know how to do that. Now you know a little bit about how I think.

Posted by:

24 Jan 2020

Some netizens may not consider that keeping all their eggs [errrr... passwords, privacy] in one single basket is a ginormous security faux-pas. These types may also not question that fully trusting one single company, already possessing plenty of their personal meta-data (the whole shebang), with all of their passwords. This 300-pound gorilla may secure such meta-data in the most secured servers currently in existence, until it is found that their systems have been breached/hacked or otherwise $old to the highe$t bidder.
Using complex passwords is a great recommendation; short of 2FA, etc. However, complex passwords just are not conducive to teeny-weeny virtual keyboards in our portable devices.
Thus, the question becomes: How much of our private-data (and security) are we willing to relinquish for the sake of convenience? Each one of us has to personally (and honestly) answer that question, but stating the obvious “I have nothing to hide!” excuse should never be the supporting rationale.
I personally use my trusted Keepass (500 unique entries) and try my best not to be confronted by primates heavier than myself. Mathew 5.5 and FrankZappa must have had me in mind, because I am one of “the meek (who) shall inherit the earth” when all netizens have moved-on up to some cloud!

Posted by:

24 Jan 2020

I've been using Blur by Abine for years, it works across all platforms, Windows, Mac and all Apple mobile products, it syncs across those systems too. It works in any browser and you can craft unique, strong, customized passwords on any site, including those that don't allow you to - that insist on one doing it on their page, I can just open Blur, go to a spot in it that allows the creation of customized passwords of any length I choose. Then later I'll edit that with the credentials of the new site. It has yet to fail me. It's not as "popular" as the big names so is not a target. Their customer service is almost as good as Apple's which is the best on the planet. Nothing not to like.

Posted by:

Michael Hampshire
24 Jan 2020

I have used Dashlane since you suggested it a few issues ago. Love it. let it change and suggest passwords. pleasantly surprised the first time I went to a site on my phone and the strong pass auto filled in.

Posted by:

24 Jan 2020

I use the first letters of phrases, with some special characters and numbers thrown in.

LastPass is great, but remember that they can't help you if you forget the master password for LastPass. They don't know it.

Posted by:

Dave White
24 Jan 2020

You mention Splashdata at the beginning, and then never again! I have been using their password manager for years and it's excellent. I suggest you add SplashID to your list of recommendations!

Posted by:

24 Jan 2020

I have a plaintext list of prompts for over 150 passwords and a secret method of recovering a password according to its prompt. If I tell you any more than that, I'll have to kiII you. Yes, all of you.

It's getting a bit unwieldy so I'm considering using a manager. The free versions of LastPass and Dashlane are good for up to 50 passwords so I think it's going to be KeePass.

Posted by:

25 Jan 2020

Hmmm, seems to me the biggest risk is not weak passwords, it is data breaches (millions of passwords that were leaked in data breaches throughout the year). The strongest password imaginable is no match for a data breach. Two factor authentication surely helps here.

A quick question. For users of desktop machines, I wonder if a site that uses two factor authentication, but let's you skip it if you are using a known machine is a decent balance between security and convenience?

Posted by:

ED Brown
25 Jan 2020

For Password security I will often use foreign words or miss-spell some English words.

Posted by:

25 Jan 2020

I use an internet address and password log book.
It is alphabetical. And I change my passwords
periodically. They are usually with small &
capital letters, numbers and symbols and are
usually 10 to 12 long.
So far, so good...

Posted by:

25 Jan 2020

All my passwords are printed in an excel spreadsheet and also stored on a non-internet connected computer..

Posted by:

Stephe Ellis
25 Jan 2020

Glad to see, Bob, that you are, at last, giving KeePass some credit (even if you do feel obliged to add that it's "not as user friendly and full-featured as the paid options")...

It's hardly rocket-science! It's free, completely secure, allows any number of back-ups, works across platforms, isn't reliant on one site, so never 'goes down', and did I mention it's *free*?

I recommend it unreservedly to anybody. I have 57 passwords (I just counted), each one unique, long, random and complex — I couldn't remember any of them — but I have multiple secure copies and can log-in to any website with (usually) two clicks of my mouse.

Additionally, when I die, I have left instructions how to piece together my master password, from a few bits of information (old car number-plates, phone-numbers, etc.,) enabling my family, between them, to gain access to all my online accounts.

Posted by:

25 Jan 2020

I'm uncomfortable storing passwords electronically. I found a paper solution; the "Internet Password Logbook" made by Piccadilly Inc. that is sold online and in many office supply stores. It has alphabet tabs and 3 entry forms per page to list, the site name, url, username, password and a couple of lines for notes.

Also recommended is to use the "Buy Bob a Snickers" link on this page to reward him for his helpful work for us. The sugar in the candy bar will hopefully give him the energy to sort through all the info he uses to make his posts. If you really like his work, and are well-heeled, you can buy him more valuable things on up to a Tesla!

Posted by:

26 Jan 2020

I don't do mobile, so I can use long ones, like species names of animals and plants along with a number, like an old address, e.g., Myotis315lucifugus. Even better is an old name no longer used. I'll also use old locations and years, such as nev1972Rawhide.
I keep a paper copy locked nearby of the common ones, and a designated thumb drive with all of them (and a backup). When I travel, the thumb drive is always carried separately from the laptop.

Posted by:

26 Jan 2020

Here is my concern about password managers: Should the program get hacked or the main password hacked, then all my passwords become available. Am I being overly paranoid? So, instead, I store my passwords on a spreadsheet which is encrypted and stored on a flashdrive(s). As I add new sites and passwords, I can conveniently and easily alphabetize the listing for easy reference.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
Privacy Policy     RSS/XML

Article information: AskBobRankin -- Hey, is Your Password on the Naughty List? (Posted: 24 Jan 2020)
Source: https://askbobrankin.com/hey_is_your_password_on_the_naughty_list.html
Copyright © 2005 - Bob Rankin - All Rights Reserved