Technology

The most common passwords of 2016 are exactly what you'd expect

We've all heard the warnings about passwords — use a variety of character types, make it random, use a password manager — but many of us, it seems, still aren't listening.

Every year some security firm or another releases a list of the most common passwords used online, and every year the top spot goes to some variation of '123456'. This is not surprising. By definition, a list of most common passwords will always be a list of worst passwords, regardless of how many people are using strong, complex, unique combinations.

What's interesting about the 2016 list released by Keeper — which, keep in mind, is a maker of password management software — is that it gives us a look at just how much of our information is locked behind shoddy passwords.

Of the 10 million passwords the company collected, 17 per cent of them were '123456'. That means for every six passwords collected, around one of them was this insanely easy to guess string of numbers.

All up, Keeper says the 25 passwords on its list accounted for more than half the passwords collected. Here's the full list:

1. 123456

Advertisement

2. 123456789

3. qwerty

4. 12345678

5. 111111

6. 1234567890

7. 1234567

8. password

9. 123123

10. 987654321

11. qwertyuiop

​12. mynoob

​13. 123321

14. 666666

15. 18atcskd2w

16. 7777777

17. 1q2w3e4r

18. 654321

19. 555555

20. 3rjs1la7qe

21. google

22. 1q2w3e4r5t

23. 123qwe

24. zxcvbnm

25. 1q2w3e

There are a few things we can learn from the list (apart from the fact that, if you recognised your password in there, you're bad at the internet).

It's easy to see why 'qwerty' is a poor password, but it's interesting that so many people think they have a better chance with 'zxcvbnm' or '1q2w3e4r'. It suggests that the owners of these passwords think they're defending against a human who is unlikely to try tricky combinations like that, when actually they're defending against software which will run through all these combinations and thousands more — plus the entire dictionary including words like 'google' — in a matter of seconds.

Another observation, and one that could be used to question the validity of lists like this in the future, is that the passwords at #15 and #20 appear to be random 10-character phrases that have no place on this list. Keeper's theory to explain this is that these passwords were used by bots to sign up for email accounts thousands of times over. It makes sense, especially given the importance of automated accounts for spam campaigns, but how do we know what percentage of the passwords collected overall were actually made by humans?

Despite all this, and despite the limitation that the list could only have been compiled by looking at passwords that ended up floating around the web after data breaches, the annual reminder is as important as always. If you use any of these passwords — or any other sequential phrase, word or common string of letters and numbers — for anything, stop now.

There's no way to guard totally against an account breach — and keeping your information as safe as possible will involve other measures like enabling two-factor authentication and avoiding predictable security question answers — but using a password manager or having unique, complex passwords are easy ways to avoid being compromised by common brute force attacks.

On its blog, Keeper blames websites and IT managers for letting users get away with weak passwords, and email providers for not cracking down on automated sign-ups.

0 comments