January 26, 2016 By Douglas Bonderud 3 min read

Last year, research firm Splash Data released its list of the worst passwords in 2014. All-time greats such as “123456” and “password” topped the charts, while new additions “batman” and “superman” showed just how little password hacks had impacted user preferences.

2015’s list has just been released, and guess what? The two most popular are back on top again — in fact, they remain unchanged since 2011, as reported by CSO Online.

So here’s the question: Why are users missing the message? More importantly, what’s the next step? How do companies make passwords past tense?

This Is a Joke, Right?

Nope. Consider awful password No. 6: “123456789”. Obviously a response to sites that demand more characters for greater security, this little gem is basically serving up access on a silver platter. There are also some new additions to the list: For example, “princess” sits at No. 21, “solo” at No. 23 and — wait for it — “starwars” rounds things out at No. 25.

Sure, they’re easy to remember and have fun little movie references, but these passwords aren’t really what security pros had in mind for a strong passphrase. If cybercriminals can nab login credentials in five guesses or less based on prevailing pop culture, something’s gone wrong in the password selection process.

As noted by SecurityWeek, users are trying to add some randomness and throw off attackers. Passwords like “1qaz2wsx” and “qwertyuiop” look good at first glance, but it doens’t take long to see the problem: The former is the first two columns of main keys on any standard U.S. keyboard while the latter is just the top row. SplashData put it simply: These are “simple patterns that would be easily guessable by hackers.”

Pushing Back on Password Hacks

In the last year big retailers and popular social sites have been hacked, with attackers often going after poorly hashed databases of account names and passwords. But a consistent pattern of poor password-picking means that in most cases, cybercriminals don’t need to bother — running the list of popular passwords is faster, easier and often more successful. With companies aware of this fact, sites trying to beef up security and users at risk of losing personal and financial data, why are terrible passwords still the norm rather than the exception?

Simply put: password fatigue. As noted by TechCrunch, the average user must remember more than 25 passwords to access the social media, e-commerce and company apps they use on a daily basis. Crafting a clever password for each is not only time-consuming, but invariably leads to confusion.

So when corporate IT implements a new password policy, users look for the easiest way out. Maybe it’s a string of repeating characters, a common sequence or popular phrase; whatever it takes to simplify access and effectively spite admins for making passwords even more complicated. It’s a big picture/little picture scenario: The prospect of what might happen because of password hacks isn’t enough to ease the frustration of what will happen every time users can’t remember the last password on their list.

Alternate Options

It’s not all bad news. Sure, the list of poor passwords is frightening, but it’s also a sign: Passwords are passé, and companies are now actively looking for alternatives. For example, Google is testing a service that lets users approve logins through their mobile devices and eliminates the need for passwords entirely, while companies like PayPal are backing biometric identification.

The TechCrunch piece, meanwhile, imagined a future where devices are the center of an intelligent authentication scheme: Depending on user location, access method and the type of service being requested, authentication requirements scale up or down to ensure maximum security.

Password hacks are still happening, and they’ll keep happening because users will always find ways around complex login rules to make their digital lives less complicated. 2015’s poor password list is a wake-up call: It’s time to embrace a device-driven future and make passwords past tense.

More from

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

Ransomware attack on Rhode Island health system exposes data of hundreds of thousands

3 min read - Rhode Island is grappling with the fallout of a significant ransomware attack that has compromised the personal information of hundreds of thousands of residents enrolled in the state’s health and social services programs. Officials confirmed the attack on the RIBridges system—the state’s central platform for benefits like Medicaid and SNAP—after hackers infiltrated the system on December 5, planting malicious software and threatening to release sensitive data unless a ransom is paid. Governor Dan McKee, addressing the media, called the attack…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today