Last year, research firm Splash Data released its list of the worst passwords in 2014. All-time greats such as “123456” and “password” topped the charts, while new additions “batman” and “superman” showed just how little password hacks had impacted user preferences.

2015’s list has just been released, and guess what? The two most popular are back on top again — in fact, they remain unchanged since 2011, as reported by CSO Online.

So here’s the question: Why are users missing the message? More importantly, what’s the next step? How do companies make passwords past tense?

This Is a Joke, Right?

Nope. Consider awful password No. 6: “123456789”. Obviously a response to sites that demand more characters for greater security, this little gem is basically serving up access on a silver platter. There are also some new additions to the list: For example, “princess” sits at No. 21, “solo” at No. 23 and — wait for it — “starwars” rounds things out at No. 25.

Sure, they’re easy to remember and have fun little movie references, but these passwords aren’t really what security pros had in mind for a strong passphrase. If cybercriminals can nab login credentials in five guesses or fewer based on prevailing pop culture, something’s gone wrong in the password selection process.

As noted by SecurityWeek, users are trying to add some randomness and throw off attackers. Passwords like “1qaz2wsx” and “qwertyuiop” look good at first glance, but it doesn’t take long to see the problem: The former is the first two columns of main keys on any standard U.S. keyboard, while the latter is just the top row. SplashData put it simply: These are “simple patterns that would be easily guessable by hackers.”
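The keyboard-walk problem above is easy to catch at registration time. The following is an added example (not code from the article or from SplashData) of a screening check that rejects the patterns quoted on the page; it assumes a simplified unshifted U.S. layout where “1qaz” is one column, a denylist constructed from the passwords the article names, and an illustrative 12-character minimum.

```python
"""Registration-time password screening for the weak patterns the article describes."""

# Constructed denylist from the passwords quoted on the page; a real deployment
# would load a full common/breached-password list instead.
COMMON_PASSWORDS = {"123456", "password", "batman", "superman", "123456789",
                    "princess", "solo", "starwars", "1qaz2wsx", "qwertyuiop"}

# Assumption: simplified unshifted U.S. keyboard where each row starts at column 0,
# so "1qaz" and "2wsx" are vertical walks and "qwertyuiop" is a horizontal one.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS) for c, ch in enumerate(row)}

MIN_LENGTH = 12  # illustrative policy value, not a figure from the article


def _adjacent(a: str, b: str) -> bool:
    """True when keys a and b are horizontal or vertical neighbours on the layout."""
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
    return (r1 == r2 and abs(c1 - c2) == 1) or (c1 == c2 and abs(r1 - r2) == 1)


def is_keyboard_walk(pw: str, min_run: int = 4) -> bool:
    """True if pw contains min_run or more consecutive adjacent keys (row or column)."""
    p = pw.lower()
    run = 1
    for a, b in zip(p, p[1:]):
        run = run + 1 if _adjacent(a, b) else 1
        if run >= min_run:
            return True
    return False


def check_password(pw: str) -> list[str]:
    """Return the reasons a candidate password is rejected; an empty list means accepted."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on common-password denylist")
    if is_keyboard_walk(pw):
        reasons.append("keyboard walk pattern")
    if len(pw) >= 4 and len(set(pw)) <= 2:  # "aaaaaa", "ababab"
        reasons.append("repeating characters")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


if __name__ == "__main__":
    for candidate in ["1qaz2wsx", "qwertyuiop", "123456", "correcthorsebatterystaple"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

The denylist test catches the exact strings on the list; the adjacency walk catches the variants users produce by sliding along a different row or column.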

Pushing Back on Password Hacks

In the last year, big retailers and popular social sites have been hacked, with attackers often going after poorly hashed databases of account names and passwords. But a consistent pattern of poor password-picking means that in most cases, cybercriminals don’t need to bother: running the list of popular passwords is faster, easier and often more successful. With companies aware of this fact, sites trying to beef up security and users at risk of losing personal and financial data, why are terrible passwords still the norm rather than the exception?

Simply put: password fatigue. As noted by TechCrunch, the average user must remember more than 25 passwords to access the social media, e-commerce and company apps they use on a daily basis. Crafting a clever password for each is not only time-consuming, but invariably leads to confusion.

So when corporate IT implements a new password policy, users look for the easiest way out. Maybe it’s a string of repeating characters, a common sequence or popular phrase; whatever it takes to simplify access and effectively spite admins for making passwords even more complicated. It’s a big picture/little picture scenario: The prospect of what might happen because of password hacks isn’t enough to ease the frustration of what will happen every time users can’t remember the last password on their list.

Alternate Options

It’s not all bad news. Sure, the list of poor passwords is frightening, but it’s also a sign: Passwords are passé, and companies are now actively looking for alternatives. For example, Google is testing a service that lets users approve logins through their mobile devices and eliminates the need for passwords entirely, while companies like PayPal are backing biometric identification.

The TechCrunch piece, meanwhile, imagined a future where devices are the center of an intelligent authentication scheme: Depending on user location, access method and the type of service being requested, authentication requirements scale up or down to ensure maximum security.

Password hacks are still happening, and they’ll keep happening because users will always find ways around complex login rules to make their digital lives less complicated. 2015’s poor password list is a wake-up call: It’s time to embrace a device-driven future and make passwords past tense.
