January 26, 2016 By Douglas Bonderud 3 min read

Last year, research firm SplashData released its list of the worst passwords in 2014. All-time greats such as “123456” and “password” topped the charts, while new additions “batman” and “superman” showed just how little password hacks had impacted user preferences.

2015’s list has just been released, and guess what? The two most popular are back on top again — in fact, they remain unchanged since 2011, as reported by CSO Online.

So here’s the question: Why are users missing the message? More importantly, what’s the next step? How do companies make passwords past tense?

This Is a Joke, Right?

Nope. Consider awful password No. 6: “123456789”. Obviously a response to sites that demand more characters for greater security, this little gem is basically serving up access on a silver platter. There are also some new additions to the list: For example, “princess” sits at No. 21, “solo” at No. 23 and — wait for it — “starwars” rounds things out at No. 25.

Sure, they’re easy to remember and have fun little movie references, but these passwords aren’t really what security pros had in mind for a strong passphrase. If cybercriminals can nab login credentials in five guesses or less based on prevailing pop culture, something’s gone wrong in the password selection process.

As noted by SecurityWeek, users are trying to add some randomness and throw off attackers. Passwords like “1qaz2wsx” and “qwertyuiop” look good at first glance, but it doesn’t take long to see the problem: The former is the first two columns of main keys on any standard U.S. keyboard while the latter is just the top row. SplashData put it simply: These are “simple patterns that would be easily guessable by hackers.”
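The keyboard-walk problem above is something a sign-up form can screen for. The following is an added example, not code from the article or from SplashData: it rejects the popular passwords quoted on this page (a constructed stand-in for the full published list) and detects walks along rows or down columns of a U.S. QWERTY layout, so both “qwertyuiop” and “1qaz2wsx” are caught.

```python
# Added example: a defender-side password screen for the patterns the
# article describes. Two checks are made: membership in a denylist of
# popular passwords, and keyboard walks on a US QWERTY layout.

# Popular passwords quoted in the article; a real deployment would load the
# full published list (this subset is constructed for the example).
DENYLIST = {"123456", "password", "batman", "superman", "123456789",
            "princess", "solo", "starwars", "1qaz2wsx", "qwertyuiop"}

# Main key rows of a US QWERTY keyboard, top to bottom.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _column_walks():
    """Return two strings: all columns walked downward and concatenated
    ('1qaz2wsx3edc...') and the same columns walked upward ('zaq1xsw2...')."""
    cols = []
    for i in range(len(ROWS[0])):
        cols.append("".join(row[i] for row in ROWS if i < len(row)))
    down = "".join(cols)
    up = "".join(col[::-1] for col in cols)
    return [down, up]


# Every sequence we treat as "in keyboard order": rows plus column walks.
KEYBOARD_WALKS = ROWS + _column_walks()


def is_keyboard_walk(pw, min_len=4):
    """True if pw (case-insensitive) is a run of min_len or more keys taken
    in keyboard order, forwards or reversed, along a row or a column walk."""
    p = pw.lower()
    if len(p) < min_len:
        return False
    return any(p in walk or p in walk[::-1] for walk in KEYBOARD_WALKS)


def password_problems(pw):
    """Return the reasons a password would be rejected; empty means OK."""
    problems = []
    if pw.lower() in DENYLIST:
        problems.append("on the popular-password denylist")
    if is_keyboard_walk(pw):
        problems.append("keyboard walk")
    if pw.isdigit() and len(pw) < 12:
        problems.append("digits only")
    return problems
```

A policy check like this complements, rather than replaces, proper password hashing on the server side; it only stops the guessable choices before they are stored.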

Pushing Back on Password Hacks

In the last year, big retailers and popular social sites have been hacked, with attackers often going after poorly hashed databases of account names and passwords. But a consistent pattern of poor password-picking means that in most cases, cybercriminals don’t need to bother — running the list of popular passwords is faster, easier and often more successful. With companies aware of this fact, sites trying to beef up security and users at risk of losing personal and financial data, why are terrible passwords still the norm rather than the exception?

Simply put: password fatigue. As noted by TechCrunch, the average user must remember more than 25 passwords to access the social media, e-commerce and company apps they use on a daily basis. Crafting a clever password for each is not only time-consuming, but invariably leads to confusion.

So when corporate IT implements a new password policy, users look for the easiest way out. Maybe it’s a string of repeating characters, a common sequence or popular phrase; whatever it takes to simplify access and effectively spite admins for making passwords even more complicated. It’s a big picture/little picture scenario: The prospect of what might happen because of password hacks isn’t enough to ease the frustration of what will happen every time users can’t remember the last password on their list.

Alternate Options

It’s not all bad news. Sure, the list of poor passwords is frightening, but it’s also a sign: Passwords are passé, and companies are now actively looking for alternatives. For example, Google is testing a service that lets users approve logins through their mobile devices and eliminates the need for passwords entirely, while companies like PayPal are backing biometric identification.

The TechCrunch piece, meanwhile, imagined a future where devices are the center of an intelligent authentication scheme: Depending on user location, access method and the type of service being requested, authentication requirements scale up or down to ensure maximum security.

Password hacks are still happening, and they’ll keep happening because users will always find ways around complex login rules to make their digital lives less complicated. 2015’s poor password list is a wake-up call: It’s time to embrace a device-driven future and make passwords past tense.
