PCLinuxOS Magazine

If Your Password Is On This List, CHANGE IT NOW!

by Paul Arnote (parnote)

Some portions of this article are from the SplashData press release.

SplashData has released its annual list of the most common passwords found in the year's leaked password dumps. Being common is exactly what makes them the worst passwords to use: they are the first guesses any attacker tries, so they leave your accounts and personal data open to being taken over with almost no effort.

Once again, "123456" and "password" top the list of the worst passwords. They have maintained that ranking since SplashData started releasing their worst passwords list in 2011.

SplashData compiled the report from more than 2,000,000 (yes, two million) passwords that leaked during the year. This is the fifth annual list, and it is striking how many people still put their data at risk with weak, easily guessed passwords.

Here is the 2015 Worst Passwords List Top 25:

Rank  Password     Change from 2014
   1  123456       Unchanged
   2  password     Unchanged
   3  12345678     Up 1
   4  qwerty       Up 1
   5  12345        Down 2
   6  123456789    Unchanged
   7  football     Up 3
   8  1234         Down 1
   9  1234567      Up 2
  10  baseball     Down 2
  11  welcome      New
  12  1234567890   New
  13  abc123       Up 1
  14  111111       Up 1
  15  1qaz2wsx     New
  16  dragon       Down 7
  17  master       Up 2
  18  monkey       Down 6
  19  letmein      Down 6
  20  login        New
  21  princess     New
  22  qwertyuiop   New
  23  solo         New
  24  passw0rd     New
  25  starwars     New

Three of this year's newcomers are keyboard patterns: "1234567890" (the number row), "1qaz2wsx" (the first two columns of keys, read top to bottom), and "qwertyuiop" (the top row of letters). They look random, but each is a simple walk across the keyboard, the kind of pattern every cracking wordlist already includes, so they are guessed almost as quickly as "123456" itself.

As in past years' lists, simple numerical passwords remain common, with six of the top 10 passwords on the 2015 list comprised of numbers only.

Sports remain a popular password theme. While baseball may be America's pastime, "football" has overtaken it as a popular password. Both appear in the Top 10 of SplashData's list, with "football" climbing three spots to number seven and "baseball" dropping two spots to number 10.

When it comes to movies and pop culture, The Force may be able to protect the Jedi, but it won't secure users who choose popular Star Wars terms such as "starwars," "solo," and "princess" as their passwords. All three terms are new entries on this year's list.

Other passwords appearing on the 2015 list that did not appear on the 2014 list include "welcome", "login" and "passw0rd."

SplashData, provider of password management applications including SplashID for consumers and TeamsID for businesses (but not for Linux), releases its annual list in an effort to encourage the adoption of stronger passwords to improve Internet security. According to SplashData, the passwords evaluated for the 2015 list were mostly held by users in North America and Western Europe. The "Worst Passwords List" shows that many people continue to put themselves at risk for hacking and identity theft by using weak, easily guessable passwords.

"We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers," said Morgan Slain, CEO of SplashData. "As we see on the list, using common sports and pop culture terms is also a bad idea. We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites."

PCLinuxOS users can use KeePassX as a capable password manager. It is available in the PCLinuxOS repository, and can be installed on your computer via Synaptic.

We have covered password security before in the pages of The PCLinuxOS Magazine. If you want to review our previous articles, here is a list for your convenience.

April 2007: What's In A Password?
September 2009: Secure Passwords With openssl
March 2010: Secure Passwords Made Easy
September 2013: Password Security Revisited
November 2013: KeePassX: Not In The Cloud

To summarize best password practices, do the following:

  1. Don't use the same username and password on more than one website. When one site is breached, the leaked pair is tried against every other site.

  2. Make your passwords 12 characters or more. Every added character multiplies the number of guesses a cracker has to make, so length protects you more than cleverness does.

  3. Avoid personally identifiable information, such as birthdays, anniversaries, telephone numbers, and the names of your spouse, partner, children and other family members.

  4. Avoid popular hobbies, sports, sports teams, movie characters and stars, and anything else drawn from pop culture.

  5. Use a mix of letters, numbers and punctuation marks, and vary the case of the letters. An "A" and an "a" are different characters on the vast majority of systems.
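To make the checklist concrete, here is an added example (it is not from the original article or from SplashData) that tests a candidate password against the 2015 Top 25 above and against rules 2 and 5. It goes a little beyond the list: it undoes common digit-for-letter substitutions so "passw0rd" is caught as "password", and it detects any row or column walk on a US keyboard, of which "qwertyuiop" and "1qaz2wsx" are two instances. The substitution map and the minimum length of 12 are assumptions for the example.

```python
import re
import string

# The SplashData 2015 Top 25, exactly as printed in the table above.
WORST_2015 = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey",
    "letmein", "login", "princess", "qwertyuiop", "solo", "passw0rd",
    "starwars",
]

# US keyboard rows, so that walks along a row ("qwertyuiop") or down the
# columns ("1qaz2wsx") are caught generically rather than one by one.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Digit/symbol-for-letter substitutions, so "passw0rd" is treated as "password".
# Assumption: this small map is enough for illustration; real cracking rule
# sets are far larger.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # rule 2 above


def normalise(pw):
    """Lower-case and undo common substitutions before comparing to the list."""
    return pw.lower().translate(LEET)


def keyboard_walks(min_len=4):
    """Every run of at least min_len adjacent keys along a row or down the columns."""
    walks = set()
    # Column walks read left to right: "1qaz", "2wsx", "3edc", ...
    columns = "".join("".join(row[i] for row in KEYBOARD_ROWS if i < len(row))
                      for i in range(len(KEYBOARD_ROWS[0])))
    for line in KEYBOARD_ROWS + [columns]:
        for i in range(len(line)):
            for j in range(i + min_len, len(line) + 1):
                walks.add(line[i:j])
    return walks


WALKS = keyboard_walks()


def has_sequential_run(s, n=4):
    """True if n consecutive characters step by exactly +1 or -1 ("abcd", "4321")."""
    for i in range(len(s) - n + 1):
        steps = {ord(s[k + 1]) - ord(s[k]) for k in range(i, i + n - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw):
    """Return the list of problems found; an empty list means every check passed."""
    problems = []
    low = pw.lower()
    norm = normalise(pw)
    normalised_list = [normalise(w) for w in WORST_2015]

    if norm in normalised_list:
        problems.append("appears on the 2015 worst-passwords list")
    elif any(len(w) >= 5 and w in norm for w in normalised_list):
        problems.append("contains a worst-list entry")
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if any(walk in low for walk in WALKS):
        problems.append("contains a keyboard pattern (row or column walk)")
    if re.search(r"(.)\1{3,}", pw) or has_sequential_run(low):
        problems.append("contains a repeated or sequential run")
    return problems


if __name__ == "__main__":
    for candidate in ["passw0rd", "Qwertyuiop2015!", "iHearTd3BBi3y!MaiL"]:
        print(candidate, "->", check_password(candidate) or ["ok"])
```

Note that "Qwertyuiop2015!" satisfies the length and character-class rules and still fails, which is exactly the point Morgan Slain makes below about longer passwords built on simple patterns.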

Some people "seed" their passwords with a common "root" and add something specific to each site. Seeding every password with a phrase such as iHearTd3BBi3, your password for Yahoo! Mail might become iHearTd3BBi3y!MaiL, or perhaps 16;iHearTd3BBi3yM. This is better than using one password everywhere, but understand its limits: the scheme protects you only as long as the methodology stays secret, and you are not the only one who can give it away. If one site leaks your password in plaintext, or its hash is cracked, the attacker sees the root and the rule in one glance, and if two variants leak, the shared root falls out of a simple comparison. Never tell ANYONE how you construct your passwords, and treat the scheme as a stopgap until a password manager generates an unrelated random password for every site.
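As an added example (not from the original article), the following shows why the root-plus-suffix scheme is fragile: given the two example passwords above, a longest-common-substring comparison recovers the shared root (together with the "y" both variants happen to share) without anyone being told the methodology. The second function shows the alternative, a random per-site password drawn from Python's secrets module with every character class present; the default length of 16 is an assumption for the example.

```python
import secrets
import string


def shared_root(a, b):
    """Longest common substring of two strings.

    This is how an attacker holding two of a user's passwords from two
    different breaches recovers the reused 'root' (and with it the
    construction rule) without ever being told the methodology.
    """
    best = ""
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                # length of the common suffix ending at a[i-1] and b[j-1]
                cur[j] = prev[j - 1] + 1
                if cur[j] > len(best):
                    best = a[i - cur[j]:i]
        prev = cur
    return best


CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def has_all_classes(pw):
    """True if pw contains at least one character from every class (rule 5)."""
    return all(any(c in cls for c in pw) for cls in CHARACTER_CLASSES)


def generate_password(length=16):
    """A password from the OS CSPRNG (the secrets module) that contains at
    least one character from every class, which is what a password manager's
    generator produces and what rules 2 and 5 above ask for."""
    if length < len(CHARACTER_CLASSES):
        raise ValueError("length must allow one character from every class")
    alphabet = "".join(CHARACTER_CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps every character uniformly random while
        # guaranteeing the class mix.
        if has_all_classes(pw):
            return pw


if __name__ == "__main__":
    # The two example passwords from the paragraph above.
    yahoo, other = "iHearTd3BBi3y!MaiL", "16;iHearTd3BBi3yM"
    print("recovered root:", shared_root(yahoo, other))
    p1, p2 = generate_password(), generate_password()
    print("generated:", p1, p2, "shared:", repr(shared_root(p1, p2)))
```

Two generated passwords share at most a character or two by coincidence, so a leak of one tells the attacker nothing about the other; that property, not the secrecy of a construction rule, is what KeePassX gives you.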

You owe it to yourself -- and to the security of your data and personal information -- to protect that which is dear and vital to you, which is YOU!
