
Wombat Security is a leader in security awareness and training. Our blog covers the latest cyber security news, insights, and best practices. We arm infosec professionals with the knowledge and tools they need to improve end-user behaviors and reduce organizational risk.

Worst Passwords of 2016: Same Story, Different Year

Posted by Gretel Egan on Mar 8, 2017 9:05:25 AM

Topics: Cyber Threats, Passwords, Risk Management, In the News, All Posts

Outside of locks and keys (which become more antiquated by the minute), perhaps the most basic of all security safeguards is a password. Unfortunately, it seems that “basic” is as far as many people are going in constructing the passwords that are in place to keep very private — and very valuable — data safe.

We reviewed SplashData’s 2015 edition of its “Worst Passwords List” last year…and it seems not much has changed with its 2016 tallies.

‘123456’ and ‘password’ Top the List for the Sixth Year in a Row

Once again, end users have proven that passwords are low on their list of priorities, with “123456” and “password” sitting atop the ranks of the most commonly used passwords — as they have since SplashData first published the list in 2011.

While the 2015 list compiled data from 2 million passwords that were leaked during that year, the 2016 edition was built from a decidedly larger data sample. SplashData based its most recent rankings on more than 5 million passwords posted or advertised for sale on the internet (mainly from North American and Western European users).

Though there were a fair number of newcomers to the ranks (sports terms mainly vacated the list, for example), complexity is once again a missing link. Here’s a look at the top 25 of 2016 (and how they match up to the 2015 list):

Rank  Password     Change from 2015
1     123456       Unchanged
2     password     Unchanged
3     12345        Up 2
4     12345678     Down 1
5     football     Up 2
6     qwerty       Down 2
7     1234567890   Up 5
8     1234567      Up 1
9     princess     Up 12
10    1234         Down 2
11    login        Up 9
12    welcome      Down 1
13    solo         Up 10
14    abc123       Down 1
15    admin        New
16    121212       New
17    flower       New
18    passw0rd     Up 6
19    dragon       Down 3
20    sunshine     New
21    master       Down 4
22    hottie       New
23    loveme       New
24    zaq1zaq1     New
25    password1    New

With three simple variations of the word “password,” basic number combinations, and many dictionary words in the top 25, it’s not terribly surprising that people (including high-ranking officials) keep finding themselves the victims of unauthorized account access. According to SplashData, more than 10% of people use at least one of the top 25 passwords, and nearly 4% use 123456 as their password.

Oh, and should you be taking comfort in the new entrant, “zaq1zaq1”…well, don’t. Z, A, Q, and 1 are simply the keys in the leftmost column on a standard keyboard. So while this might seem like a unique combination on the surface, it’s a common enough pattern to be used by multiple users.
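One way to turn these observations into a check at password-creation time, as an added example that is not code from this post or from SplashData: it rejects anything on the top-25 list above and also flags the two patterns the list illustrates, repeated blocks like “121212” and “zaq1zaq1”, and walks across neighbouring keys such as “qwerty” or the z-a-q-1 column (the US QWERTY rows and the thresholds are this example’s own assumptions).

```python
# Added example, not code from the post or from SplashData. Rejects the
# 2016 top-25 list quoted above and flags repeated blocks ("121212",
# "zaq1zaq1") and walks over adjacent keys on an assumed US QWERTY layout.
WORST_25_2016 = {
    "123456", "password", "12345", "12345678", "football", "qwerty",
    "1234567890", "1234567", "princess", "1234", "login", "welcome",
    "solo", "abc123", "admin", "121212", "flower", "passw0rd", "dragon",
    "sunshine", "master", "hottie", "loveme", "zaq1zaq1", "password1",
}
# Four rows of a US QWERTY keyboard (assumed layout); index i of each row is
# roughly one physical column, so "1", "q", "a", "z" all sit at column 0.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS)
           for c, ch in enumerate(row)}

def keys_adjacent(a: str, b: str) -> bool:
    """True when a and b are distinct neighbouring keys (diagonals count)."""
    pa, pb = KEY_POS.get(a), KEY_POS.get(b)
    if pa is None or pb is None or pa == pb:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1

def longest_keyboard_walk(pw: str) -> int:
    """Length of the longest substring whose every step is to an adjacent key."""
    best = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if keys_adjacent(prev, cur) else 1
        best = max(best, run)
    return best

def is_repeated_block(pw: str) -> bool:
    """True when pw is one short block repeated, e.g. "zaq1" * 2 or "12" * 3."""
    n = len(pw)
    return any(n % k == 0 and pw == pw[:k] * (n // k)
               for k in range(1, n // 2 + 1))

def password_issues(pw: str) -> list:
    """Reasons to reject a candidate password; an empty list means it passed."""
    low = pw.lower()
    issues = []
    if low in WORST_25_2016:
        issues.append("on 2016 worst-passwords list")
    if is_repeated_block(low):
        issues.append("repeated block")
    if longest_keyboard_walk(low) >= 4:  # assumed threshold: 4 adjacent keys
        issues.append("keyboard walk")
    return issues
```

Note that “zaq1zaq1” trips all three checks, which is exactly why the post says not to take comfort in it.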

Three Keys to Fixing the Problem

Organizations need to stop assuming that end users understand the issues surrounding weak passwords and credential reuse. Here are a few tips for improving password security within your organization:

Raise Awareness

Though you may frequently read up on cybersecurity news and events, it’s unlikely your end users do the same. It’s important to communicate about password security issues on a regular basis. Make your employees aware that compromised passwords are being sold online to the highest bidders. Explain the potential ripple effects of password reuse. And let them know that hackers have access to software that can break number-only combinations and dictionary-word passcodes in relatively short order.

Also be mindful of your tone; making employees feel like naughty children will only compound your problem. After all, the average end user likely ranks passwords somewhere on the scale between nuisance and necessary evil. People aren’t using — and reusing — simple passwords to make your life more difficult. They are doing it to make their own lives easier.


Provide Education

It’s important to recognize that awareness and training are two separate things; just because you tell your users there is a problem doesn’t mean they will understand how to fix it.

To change behaviors, you need to teach your users how to create passwords that are both effective and memorable. In our Password Security interactive training module, we walk users through methods for building better passwords and allow them to practice creating their own. This type of hands-on learning gets them thinking about why certain techniques are better than others and how they can apply personal elements to password creation without being predictable.  

Think Beyond the Password

Security safeguards like two-factor authentication (2FA) and password managers are becoming more commonplace in business and personal settings. And while end users might be resistant to implementing these new methods, awareness and education can help them see that a little extra effort is worth the added security.

As with other security awareness and training activities, it’s to your benefit to be thoughtful about the way you introduce these safeguards to users. Explain the why and the how, using language that non-technical audiences can understand. If possible, provide reference tools that walk users through the steps they need to take to add 2FA or implement a password manager. (These references are helpful for infosec teams as well, as they can be used during initial rollouts and again in the future with new hires or following a mobile device or PC upgrade.)

It’s also to your benefit to think beyond the confines of your organization and provide advice end users can apply in their home lives. Make some suggestions about places they should add 2FA on personal accounts, and offer advice about password managers that have been well-reviewed, are easy to use, and the types of devices they can be used on (iOS vs. Android vs. desktop, for example).

Overall, the more comfortable your users become — and the more empowered they feel to make good decisions — the more secure their personal and corporate data and systems will become.
