Is Your Password on the Naughty List?

Category: Security

It’s that time of year when we look back on our mistakes and vow not to continue making them in the new year. Using weak passwords, and using passwords incorrectly, is a perennial shortcoming that afflicts millions. Here is one software company’s list of the worst passwords seen in 2017, and my tips for improving password security…

Worst Passwords of 2017 (is yours on the list?)

The list of the worst passwords was compiled by SplashData, a producer of password management software. By “worst,” the company means the passwords most commonly found in a database of 5 million hacked accounts. Are you using any of them?

If so, attackers will break down YOUR doors first. They collect hundreds of millions of leaked passwords, trade them, analyze them, and build tools that try the most likely passwords first. Against a stolen database of password hashes that means billions of guesses per second, offline, with no lockout to worry about. Against a live login page the tool simply keeps trying; if it is locked out after X failed attempts, it comes back when the lockout period expires, or tries the same handful of common passwords against thousands of other accounts in the meantime (a trick known as password spraying). Patience and prodigious processing power win eventually.

The list below is SplashData’s top 25 worst (that is, most common among the leaked) passwords. Some losers moved up the list from 2016, others dropped down. Some appear and disappear with shifts in pop culture or sports teams’ fortunes.

Worst passwords of 2017

1 - 123456 (unchanged)
2 - password (unchanged)
3 - 12345678 (up 1)
4 - qwerty (up 2)
5 - 12345 (down 2)
6 - 123456789 (new)
7 - letmein (new)
8 - 1234567 (unchanged)
9 - football (down 4)
10 - iloveyou (new)
11 - admin (up 4)
12 - welcome (unchanged)
13 - monkey (new)
14 - login (down 3)
15 - abc123 (down 1)
16 - starwars (new)
17 - 123123 (new)
18 - dragon (up 1)
19 - passw0rd (down 1)
20 - master (up 1)
21 - hello (new)
22 - freedom (new)
23 - whatever (new)
24 - qazwsx (new)
25 - trustno1 (new)

"Hey Captain Phasma, I got your password right here!"

This is not the first appearance of “starwars” among the top 25. It appeared in the 2015 list at number 25. With the 2017 release of “Star Wars: The Last Jedi,” the password “starwars” has soared to number 16 on the list. It was inevitable, given human nature. Hackers can predict human behavior with a very high degree of accuracy.

“123456789” and shorter versions comprise 50% of the top 10 on this list. The popularity of this crude password formula implies that many online systems still do not impose any rules at all for acceptable passwords! Of course, we must keep in mind that the list comes from a database of accounts that were hacked, so the crudest passwords would naturally be the most common ones in that database.

SplashData’s top 100 bad passwords are available in PDF format. Some are vulgar. Many are common names like “Michelle,” “Jordan,” “William,” etc. Sports-themed passwords are common and easily guessed; “hockey” is no better than “football.” I wonder what happened in “1992” that makes that year number 90 on the list.

In my article, Here’s Why Your Password is Hackable, I discuss what’s wrong with most password rules set by system administrators. Basically, people satisfy the rules in predictable ways (a capital first letter, a digit or “!” tacked on the end), and cracking tools know those habits. So the rules end up shrinking the universe of passwords worth trying, making the hackers’ wicked work easier. I also mentioned “researchers at Carnegie-Mellon University:”

The CMU geeks have created a strength meter that uses a neural network to estimate, on the spot, how many guesses a hypothetical password would survive, and it even explains what’s wrong with your password creation strategy. The rules they recommend are:

• At least 12 characters per password
• Capitalized and special characters in the middle of the password, not at ends
• No names associated with pets or sports teams
• No song lyrics
• Avoid the word “love” in any language
• Avoid patterns such as “123,” including keyboard patterns (“qwertyasdfg”)
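Putting the two lists above to work: the following Python script screens a candidate password against the SplashData top 25 (including the trivially mangled forms an attacker's rule set would also try, such as “P@ssw0rd1!”) and against the CMU-style rules just listed. It is an added example written for this article, not SplashData's or CMU's code. The normalization steps (case folding, reversing leetspeak, stripping trailing digits and symbols), the keyboard-walk strings, and the short sports/pet and “love” word lists are my own assumptions and are deliberately incomplete; the song-lyrics rule is not checked at all.

```python
"""Screen a candidate password against the SplashData top-25 list and the
CMU-style rules quoted in the article.

Added example; not SplashData's or CMU's code.  The normalization, the
keyboard walks and the short word lists below are assumptions, not part of
the article.
"""
import string

# The 25 passwords from the article, in list order.
WORST_2017 = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou", "admin", "welcome",
    "monkey", "login", "abc123", "starwars", "123123", "dragon", "passw0rd",
    "master", "hello", "freedom", "whatever", "qazwsx", "trustno1",
]
WORST_SET = frozenset(WORST_2017)

# Reverse the most common leetspeak substitutions (assumed mangling rules).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Keyboard and alphabet walks, with the minimum run length that counts.
WALKS = [
    ("0123456789", 3),                 # catches "123", "789", "321"
    ("abcdefghijklmnopqrstuvwxyz", 4),
    ("qwertyuiop", 4), ("asdfghjkl", 4), ("zxcvbnm", 4),
    ("qazwsxedcrfvtgbyhnujm", 4),      # column walks such as "qazwsx"
]

# Constructed, deliberately short word lists; real deployments use far larger ones.
SPORTS_PETS = ("football", "soccer", "hockey", "baseball", "basketball",
               "yankees", "lakers", "cowboys", "fluffy", "buddy", "kitty")
LOVE_WORDS = ("love", "amour", "amor", "amore", "liebe")


def normalize(pw):
    """Base words an attacker's mangling rules would map this password back to."""
    s = pw.lower()
    stripped = s.rstrip(string.digits + string.punctuation)
    variants = {s, s.translate(LEET), stripped, stripped.translate(LEET)}
    return {v for v in variants if v}


def on_naughty_list(pw):
    """True if the password, or its un-mangled base word, is in the top 25."""
    return any(v in WORST_SET for v in normalize(pw))


def find_walk(pw):
    """Return the first keyboard or sequence run found, or None."""
    s = pw.lower()
    for walk, n in WALKS:
        for seq in (walk, walk[::-1]):          # forward and backward walks
            for i in range(len(s) - n + 1):
                if s[i:i + n] in seq:
                    return s[i:i + n]
    return None


def check_password(pw):
    """Return a list of rule violations; an empty list means every check passed.

    Not checked: song lyrics and well-known phrases.  A proverb such as
    "AStitchInTimeSaves9" passes every rule here and is still in attackers'
    phrase lists, so an empty result is not proof of strength.
    """
    problems = []
    if len(pw) < 12:
        problems.append("too_short")
    ups = [i for i, c in enumerate(pw) if c.isupper()]
    if ups and all(i == 0 for i in ups):        # capital letter only at the start
        problems.append("uppercase_only_at_start")
    symbols = [i for i, c in enumerate(pw) if not c.isalnum()]
    if symbols and all(i == len(pw) - 1 for i in symbols):   # symbol only at the end
        problems.append("symbol_only_at_end")
    if on_naughty_list(pw):
        problems.append("common_password")
    bases = normalize(pw)
    if any(w in b for b in bases for w in SPORTS_PETS):
        problems.append("sports_or_pet_name")
    if any(w in b for b in bases for w in LOVE_WORDS):
        problems.append("love_word")
    walk = find_walk(pw)
    if walk:
        problems.append("pattern:" + walk)
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Hockey!Fan2018", "qazwsx", "AStitchInTimeSaves9"):
        print(f"{candidate:22} -> {check_password(candidate) or 'no rule violations'}")
```

Note the asymmetry: a hit on any check is a good reason to reject a password, but a clean result only means the password avoids the specific habits on the CMU list. Blocklists of this kind are most useful on the server side, applied when the user picks the password, where they also catch reused breach passwords that no composition rule would flag.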

The Benjamin Franklin Method

In the past year, data breaches have exposed millions of usernames, passwords and other personal data that can be used to hack into online accounts. So now is a REALLY good time to change your passwords, and to make sure they are secure enough.
You should also be aware that using the same login and password for all your online accounts is a bad idea. If just one of them is compromised, you've handed over the keys to your kingdom: attackers take the username/password pairs from one breach and automatically try them on hundreds of other sites (a practice called credential stuffing), so a reused password falls the moment any one site leaks. Imagine the damage that someone could do if they had the login credentials for your email, your Facebook account, and your online banking. Now think how much worse it could get if they also had the keys to your online backup, where all your personal files are stashed away.

I do recommend using a password manager wherever possible. Password managers such as RoboForm, Dashlane, or LastPass can generate strong, unique passwords and keep track of them for you.

If you'd rather use your little grey cells instead of password management software, here's a tip. The best do-it-yourself password may be a sentence that is easily recalled; a favorite proverb, for instance, such as “AStitchInTimeSaves9”. One caveat: the most famous proverbs and quotations are themselves in the phrase lists that cracking tools work through, so the less quotable your sentence, the better. In an earlier article on password security, I suggested taking a sentence from an old book, such as "The Autobiography of Benjamin Franklin."

But please, don’t use “Iforgotmypassword!” Hackers are onto that one. Have you been hacked because of a weak password? What's your password strategy? Your thoughts on this topic are welcome. Post your comment or question below...


This article was posted on 26 Dec 2017


Most recent comments on "Is Your Password on the Naughty List?"

Posted by:

Bob Lane
26 Dec 2017

Happy New Year. Thanks for the useful information.

Posted by:

Hal Wrobel
26 Dec 2017

I use two password strategies:
1- An old phone number, e.g. telephone number of my uncle's shop when I was 11 years old.
2- Two related historical events and/or names (using upper and lower case), with a related number between them, e.g. Napoleon1812Waterloo.

Posted by:

26 Dec 2017

Although Mr. Rankin's subject matter was about passwords; I notice that your recommendation is "installing popular free or paid antivirus software".
I am hoping that the next installment of Mr. Rankin's great blog for Anti-Virus protection will provide a worthy mention of Windows 10's built-in "Microsoft Windows Defender Security Center", without the essential requirement to pay for and/or install additional AV protection...

Posted by:

26 Dec 2017

As part of my digital citizenship unit for 6th graders I suggest a simple sentence that uses special characters. My example (which I never actually use, of course) is "I like to skate at eight" = iLk2sk8@8.

They have fun composing theirs in this fashion.

Posted by:

26 Dec 2017

I recently installed Roboform. It works reasonably well. A couple of clicks less than my password protected Excel spreadsheet!
However, as I used it, I began to think about how it works. It is online. It is, unlike my Excel spreadsheet, out of my local control. This means it could be hackable. While I like the password generation, I could do that.
Now in two minds!

Endnote: is sharing password techniques going to make them more hackable?

Posted by:

26 Dec 2017

I took your advice to heart several weeks ago and signed up with a company that offered strong p/w 24/7. All went well until US Post Office website. No matter what p/w the onsite for hire chose it just didn't fit the criteria of USPS. After try #6 to no avail I had to give up using this service. True, hackers can make life miserable if they got some of my data but I wonder if data life isn't much less miserable getting in the USPS realm (as well as others) the first time around rather than never because of ill conceived counter cyber-nonsense.

Posted by:

26 Dec 2017

If I want a password I can remember what I do is use something like my father's phone number and hit the shift key every other time. For example dad1234567890 becomes DaD1@3$5^7*9)

Posted by:

26 Dec 2017

I've become annoyed when systems require strong passwords that don't really need them. I use strong passwords on my credit cards, bank accounts, and the like, but do you really need a strong password on your account to read the local newspaper or to log into your Pluto TV (free) account? I encountered my first such unnecessary strong password about 10 years ago on my public library card account. What were they worried about, that someone was going to break in and renew my books for me?

Posted by:

Max Corrigan
27 Dec 2017

"The list of the wost password" a slight lighthearted reminder Bob of your instructions to the right of this comments box!

Posted by:

28 Dec 2017

Again you mention RoboForm, Dashlane and LastPass, but fail to also mention KeePass (or any of its variants), which is both free and open-source. Is there a reason for this, Bob?
Given the many recommendations that it has received, from myself and others, in comments following your earlier articles about password managers, I would have thought you would include it in your list. The others may offer 'bells and whistles' that KeePass lacks, but *free* and particularly *open-source* are very good reasons in favor of its consideration.

Posted by:

J Kendzi
03 Jan 2018

I use KeePass and have for several years. Works on my Win10, Android and Linux machines. I keep my encrypted database file in Dropbox and all devices download/upload to that via HTTPS and, of course, Dropbox is encrypted also. The DB file is under my control and available at all times. Whenever I change an entry on any device, the database on Dropbox is updated and my other devices download the updated version when I open the app. Set the DB file to be available offline and even when you don't have a connection, KeePass will work. Enjoy!

Posted by:

10 Jan 2018

With all this concern about password strength, why doesn't every entity have a '3 tries and you're out' policy? Even a weak 5 character password, e.g., would be hard/impossible to crack in just 3 tries.

Copyright © 2005 - Bob Rankin - All Rights Reserved

Article information: AskBobRankin -- Is Your Password on the Naughty List? (Posted: 26 Dec 2017)