Another year has gone by...but "123456" still remains the most common password employed by users to protect their web accounts. On 13 January, password manager and digital vault developer Keeper Security broke the somber news in a blog post:
"Looking at the list of 2016’s most common passwords, we couldn’t stop shaking our heads. Nearly 17 percent of users are safeguarding their accounts with '123456.' [italic emphasis in the original]"
"123456" is bad enough, but the other most common combinations aren't much better. Here's the top 25 passwords Keeper found for 2016: Keeper Security's 2016 most popular password list
- 123456
- 123456789
- qwerty
- 12345678
- 111111
- 1234567890
- 1234567
- password
- 123123
- 987654321
- qwertyuiop
- mynoob
- 123321
- 666666
- 18atcskd2w
- 7777777
- 1q2w3e4r
- 654321
- 555555
- 3rjs1la7qe
- 1q2w3e4r5t
- 123qwe
- zxcvbnm
- 1q2w3e
Keeper compiled this list by analyzing 10 million passwords that became public as a result of data breaches in 2016.
As you can see, there's tons wrong with the entries included on this list. For instance, seven of the top 15 combinations reported by Keeper are six characters or less. It would take attackers mere seconds to break any of those weak passwords. Some users tried to protect their accounts by using patterns like "123qwe" and "1q2w3e," but dictionary-based password crackers can easily sniff out variations such as those. Keeper also found “18atcskd2w” and “3rjs1la7qe” to be among the most commonly used combinations. Those passwords appear to be random, so how could they be used so frequently? Security expert Graham Cluley has one theory: bots--not humans--are creating those passwords, possibly with the intention of posting spam on forums running vulnerable software. Regular readers will recall that this isn't the first year "123456" has made headlines as a password favorite. In January 2016, SplashData revealed its list of the most commonly used passwords. "123456" achieved the top ranking for at least the second straight year in the row. Other similarly easy-to-break combinations like "password" and "12345678" followed right behind. Following SplashData's report, organizations no doubt launched public awareness campaigns in an attempt to help their users choose stronger passwords. But these efforts apparently had little effect. Keeper agrees with that assessment:
"The list of most-frequently used passwords has changed little over the past few years.. That means that user education has limits. While it’s important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves. IT administrators and website operators must do the job for them."
Sysadmins and site owners can help by creating password policies that don't allow dictionary words or predictable patterns. Those rules could also mandate users incorporate upper- and lowercase letters, symbols, and numbers into their combinations. Every user's password should be submitted to a tool that upholds and enforces those regulations. If a candidate fails to meet them, users should be forced to change it to something that's more secure.
