One in 500 Passwords Is '123456'

John Lister's picture

"Password" and "123456" continue to battle it out for the worst password choice according to two annual studies. While this tells us very little about why users continue to use such weak passwords, there's some mixed news elsewhere.

Several companies chase headlines each year by publishing lists of the worst passwords, meaning the ones that appear most frequently. The data source is usually a collection of stolen website login databases published online. Sometimes these are stored in plain text while sometimes cyber criminals have successfully cracked decryption.

The results are usually fairly predictable, with variants of "password" and consecutive strings of letters or numbers at the top. In the latest such lists, Nordpass has "password" as number one in the UK while Cybernews has "123456" as number one worldwide. (Source: nordpass.com)

There will also usually be some cultural or topical variations of note. Nordpass notes the names of leading soccer teams are among the most popular while Cybernews noticed "king" (likely a referenced to the new King Charles III) was common. (Source: cybernews.com)

Obvious Passwords Are Obvious

All too often people respond to such surveys by drawing the conclusion that the general public is incredibly dim-witted because easily guessable passwords are the most commonly. As always, that's backwards logic: the reason they are easily guessable is because they are most common. The most used passwords will always be "obvious" choices by definition.

What's usually not revealed is how common the most used passwords are, which would at least be a sign of how well the population as a whole is doing at using unpredictable passwords. Thankfully Cybernews has put some numbers on it, revealing that "123456" appeared 111,417 times in a total of 56 million passwords.

That means it made up around 0.2% of all password choices. It doesn't tell us too much this year, but a comparison of the relevant figures next year could show whether the drive to get people to avoid the most common passwords is working.

Short Words Too Common

As for password security overall, the evidence is conflicted. Nordpass noted its sample of leaked passwords was smaller this year, suggesting websites are doing a better job of protecting their data.

However, Cybernews pointed out that amazingly nearly one-in-six passwords in its dataset were just four characters long. That reflects badly not only on users but also on websites for allowing such short passwords.

It also found that roughly half the passwords consisted of a single word that appears in dictionaries. Those are the most vulnerable to an attack as attackers can simply use a dictionary list to try potential passwords rather than try every possible combination of characters.

What's Your Opinion?

How strong do you think your passwords are? Do these findings surprise you? Should websites be stricter about their password requirements?

Rate this article: 
Average: 4.4 (5 votes)

Comments

kevinb478's picture

I used to type in my own passwords years ago but not anymore I use a paid version software called roboform which will generate random letters upper and lower case numbers and special characters up to 512 which no website that you create an account or one that you use all the time one thing nice about this is that you only need to remember one password to login to roboform and the software saves all your passwords so you don't have to remember any of them the software is free to download and free I believe to use but the free version is limited it's nice that you don't have to remember all of them and if there's a website that you don't goto very often you can look it up in roboform

repete_14444's picture

To answer your questions, I think my passwords are very strong because I use a password manager that generates random passwords. See reviews of them here: https://www.pcmag.com/categories/password-managers

I'm not surprised by these findings and I do think websites should be stricter about password requirements. The cyber-criminals should be put out of business, although then Dennis might have less business. ;)