One in 500 Passwords Is '123456'
"Password" and "123456" continue to battle it out for the worst password choice according to two annual studies. While this tells us very little about why users continue to use such weak passwords, there's some mixed news elsewhere.
Several companies chase headlines each year by publishing lists of the worst passwords, meaning the ones that appear most frequently. The data source is usually a collection of stolen website login databases published online. Sometimes these are stored in plain text while sometimes cyber criminals have successfully cracked decryption.
The results are usually fairly predictable, with variants of "password" and consecutive strings of letters or numbers at the top. In the latest such lists, Nordpass has "password" as number one in the UK while Cybernews has "123456" as number one worldwide. (Source: nordpass.com)
There will also usually be some cultural or topical variations of note. Nordpass notes the names of leading soccer teams are among the most popular while Cybernews noticed "king" (likely a referenced to the new King Charles III) was common. (Source: cybernews.com)
Obvious Passwords Are Obvious
All too often people respond to such surveys by drawing the conclusion that the general public is incredibly dim-witted because easily guessable passwords are the most commonly. As always, that's backwards logic: the reason they are easily guessable is because they are most common. The most used passwords will always be "obvious" choices by definition.
What's usually not revealed is how common the most used passwords are, which would at least be a sign of how well the population as a whole is doing at using unpredictable passwords. Thankfully Cybernews has put some numbers on it, revealing that "123456" appeared 111,417 times in a total of 56 million passwords.
That means it made up around 0.2% of all password choices. It doesn't tell us too much this year, but a comparison of the relevant figures next year could show whether the drive to get people to avoid the most common passwords is working.
Short Words Too Common
As for password security overall, the evidence is conflicted. Nordpass noted its sample of leaked passwords was smaller this year, suggesting websites are doing a better job of protecting their data.
However, Cybernews pointed out that amazingly nearly one-in-six passwords in its dataset were just four characters long. That reflects badly not only on users but also on websites for allowing such short passwords.
It also found that roughly half the passwords consisted of a single word that appears in dictionaries. Those are the most vulnerable to an attack as attackers can simply use a dictionary list to try potential passwords rather than try every possible combination of characters.
What's Your Opinion?
How strong do you think your passwords are? Do these findings surprise you? Should websites be stricter about their password requirements?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website! If you need technical assistance , I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).
We are BBB Accredited
We are BBB accredited (A+ rating), celebrating 21 years of excellence! Click to view our rating on the BBB.
Comments
passwords
I used to type in my own passwords years ago but not anymore I use a paid version software called roboform which will generate random letters upper and lower case numbers and special characters up to 512 which no website that you create an account or one that you use all the time one thing nice about this is that you only need to remember one password to login to roboform and the software saves all your passwords so you don't have to remember any of them the software is free to download and free I believe to use but the free version is limited it's nice that you don't have to remember all of them and if there's a website that you don't goto very often you can look it up in roboform
Passwords
To answer your questions, I think my passwords are very strong because I use a password manager that generates random passwords. See reviews of them here: https://www.pcmag.com/categories/password-managers
I'm not surprised by these findings and I do think websites should be stricter about password requirements. The cyber-criminals should be put out of business, although then Dennis might have less business. ;)