Another year, another list of the most popular passwords topped by the stalwarts 123456 and password. The rest of the top 10 isn't much better. But new data from password management company SplashData offers glimpses of a world in which we’re not all quite so hopeless at securing our stuff online.
First, the bad news: The most popular passwords are still mostly bad (and in fact, they're all definitionally bad simply by being so commonly used). The rest of the top ten passwords includes five more variations on counting upward from one, the alphabetical equivalent of that (qwerty), and two sports—football and baseball, which are both very popular and take fewer characters to type than basketball, because who can be bothered, really.
This motley assortment isn’t all that different from last year’s, with some exceptions. The first is that Star Wars references like solo and, well, star wars made the cut this time around, proving that there are no limits to the reach of the Disney marketing machine. Second, and more intriguingly, is that people appear to actually be trying ever so slightly harder this time around.
Consider a few of the entries that have cracked the top 25. 1234567890 lands in 12th, while 1qaz2wsx and qwertyuiop debut at 15th and 22nd, respectively. Make no mistake, these are still bad passwords. Adding a few more characters onto a dumb pattern doesn’t make the pattern any less dumb.
“We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns, they will put you in just as much risk of having your identity stolen by hackers,” says SplashData CEO Morgan Slain. That people are even making that effort, though, could show that they at least are starting to understand that passwords actually matter.
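The point made above, that tacking more characters onto a keyboard walk does not make it stronger, can be shown with a small check. The following Python is an added example, not code from the article or from SplashData: it measures how much of a password is covered by QWERTY rows, the 1qaz2wsx column walk, or the digit row (typed in either direction) and flags anything that is mostly pattern, whatever its length. The common-password set is the subset of entries the article names, the 15-character floor is the one Burnett gives, and the 75% coverage threshold is an assumption of this example.

```python
from typing import List

# Subset of the SplashData entries named in the article (constructed list).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "football", "baseball",
    "solo", "starwars", "1234567890", "1qaz2wsx", "qwertyuiop",
}

# Physical rows of a US QWERTY keyboard; the digit row covers "123456"-style counting.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

MIN_LENGTH = 15          # length floor Burnett gives in the article
PATTERN_THRESHOLD = 0.75  # assumption: flag when >= 75% of the password is pattern


def _column_walk() -> str:
    """Build "1qaz2wsx3edc..." by reading the rows column by column."""
    cols = []
    for i in range(len(KEYBOARD_ROWS[0])):
        cols.append("".join(row[i] for row in KEYBOARD_ROWS if i < len(row)))
    return "".join(cols)


# Every walk we recognise, plus each one reversed so "0987654321" also counts.
WALKS = KEYBOARD_ROWS + [_column_walk()]
WALKS += [w[::-1] for w in WALKS]


def pattern_coverage(pw: str, min_run: int = 3) -> float:
    """Fraction of the password covered by keyboard walks of at least min_run keys.

    Greedy scan: at each position take the longest walk that starts there;
    if none of at least min_run keys starts there, move on one character.
    """
    s = pw.lower()
    n = len(s)
    covered = 0
    i = 0
    while i < n:
        best = 0
        for j in range(i + min_run, n + 1):
            # If s[i:j] is not inside any walk, no longer s[i:j'] can be either.
            if any(s[i:j] in w for w in WALKS):
                best = j - i
            else:
                break
        if best:
            covered += best
            i += best
        else:
            i += 1
    return covered / n if n else 0.0


def weakness_reasons(pw: str) -> List[str]:
    """Return the reasons a password is weak; an empty list means none were found."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")
    if pattern_coverage(pw) >= PATTERN_THRESHOLD:
        reasons.append("mostly a keyboard or counting pattern")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


if __name__ == "__main__":
    # Constructed samples: two entries from the article, one padded walk, one passphrase.
    for candidate in ["1qaz2wsx", "qwertyuiop", "qwertyuiopasdfgh", "correct horse battery staple"]:
        print(f"{candidate!r}: {weakness_reasons(candidate) or 'no weakness detected'}")
```

The interesting case is `qwertyuiopasdfgh`: at 16 characters it clears the length floor, yet it is still nothing but two row walks joined together, so the coverage check flags it. A real policy would pair this with a much larger breached-password list; the pattern check only catches the structure the article describes.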
A better indication that password management has improved can be seen in the number of new entrants to the field. “I have been studying passwords for years, and even if you go back to some of the earliest lists from the ’80s, you see very little change in the most common passwords,” says Mark Burnett, security researcher and author of Perfect Passwords. Burnett notes that nine of the top 25 most common passwords on this year’s list are new for 2016. That’s a lot of turnover, likely because there are fewer people resorting to the same password clichés.
“Although 123456 and password will always be at the top, the percentage of people actually using those passwords is getting smaller and smaller,” says Burnett. “As passwords get stronger, it may only take ten people out of a million using the same password ... to push it to the top ten.”
If you did happen to see one of your passwords (please tell us you use more than one), it doesn’t take much to make amends. Going longer is the right instinct, Burnett says, but it’s not enough. In fact, better to outsource your passwords altogether.
“We are at the point where no password under 15 characters is safe,” says Burnett, “and that means that remembering all of our passwords is no longer possible—we need password management software more than ever.” Even if you have a particularly good memory, you should never repeat the same password across different sites and services, meaning your memory alone likely isn’t up to the task of keeping track of your various skeleton keys. That’s where two-factor authentication can also help—at least, where you can find it.
So yes, we’re still a nation of password Philistines, and the worst of us remain as bad as ever. What’s important, though, is that we’re improving. As long as the same turns out to be true for the companies that maintain databases stuffed with our log-in information, we might make it through 2016 in one piece.