Tue | Feb 12, 2019 | 9:10 AM PST

Although bad passwords are a gateway to account compromise, users continue to opt for easy-to-remember options rather than creating strong, unique credentials. SplashData’s annual “Worst Passwords List” illustrates the long-standing nature of the problem; though there were some newcomers to 2018’s top 25 rankings, “123456” and “password” continue their undisputed reign (as they have for eight consecutive years).

But the issue goes deeper than these two offenders, as can be seen in the following chart, which presents the top 25 worst passwords from the past four rankings. The 2018 passwords in bold have been in the top 25 at least twice since 2015 (though most of these are third- or even fourth-time offenders). One trend to note for this year is the resurgence in popularity of some passwords (such as “111111” and “sunshine”) that haven't been among the top ranks since 2015 or 2016.

| Rank | 2018 | 2017 | 2016 | 2015 |
|---|---|---|---|---|
| 1 | **123456** | 123456 | 123456 | 123456 |
| 2 | **password** | password | password | password |
| 3 | **123456789** | 12345678 | 12345 | 12345678 |
| 4 | **12345678** | qwerty | 12345678 | qwerty |
| 5 | **12345** | 12345 | football | 12345 |
| 6 | **111111** | 123456789 | qwerty | 123456789 |
| 7 | **1234567** | letmein | 1234567890 | football |
| 8 | **sunshine** | 1234567 | 1234567 | 1234 |
| 9 | **qwerty** | football | princess | 1234567 |
| 10 | **iloveyou** | iloveyou | 1234 | baseball |
| 11 | **princess** | admin | login | welcome |
| 12 | **admin** | welcome | welcome | 1234567890 |
| 13 | **welcome** | monkey | solo | abc123 |
| 14 | 666666 (new) | login | abc123 | 111111 |
| 15 | **abc123** | abc123 | admin | 1qaz2wsx |
| 16 | **football** | starwars | 121212 | dragon |
| 17 | **123123** | 123123 | flower | master |
| 18 | **monkey** | dragon | passw0rd | monkey |
| 19 | 654321 (new) | passw0rd | dragon | letmein |
| 20 | !@#$%^&* (new) | master | sunshine | login |
| 21 | charlie (new) | hello | master | princess |
| 22 | aa123456 (new) | freedom | hottie | qwertyuiop |
| 23 | donald (new) | whatever | loveme | solo |
| 24 | **password1** | qazwsx | zaq1zaq1 | passw0rd |
| 25 | qwerty123 (new) | trustno1 | password1 | starwars |

SplashData analyzed more than five million leaked passwords for this year’s list, noting that most were from users in North America and Western Europe. (They also noted that exposed passwords from hacks of adult websites were not included in the analysis.) Like last year, 18 of this year’s top 25 are repeat offenders, and the variety seen in the new entrants shows users' misguided attempts to add complexity. For example, the seemingly complicated "!@#$%^&*" is simply the “Shift” symbols over numbers 1 through 8 on a standard keyboard.
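As an added example (not from the article, SplashData, or any product the article mentions), here is a small Python screening routine that applies the lessons of this list on the defender's side, at the point where a password is set: it compares the candidate against a blocklist built from the 2018 column above after undoing the trailing-digit and character-substitution tricks, flags runs of repeated characters, and flags keyboard walks such as the shifted 1-through-8 row. The blocklist contents, the key sequences, the substitution table, and the function names are my own constructed assumptions; a real deployment would load a far larger breached-password corpus rather than 25 entries.

```python
import re

# Constructed blocklist: the 25 entries of the 2018 ranking quoted in the
# article. A production deployment would load a much larger list
# (e.g. a breached-password corpus) from disk instead.
WORST_2018 = {
    "123456", "password", "123456789", "12345678", "12345", "111111",
    "1234567", "sunshine", "qwerty", "iloveyou", "princess", "admin",
    "welcome", "666666", "abc123", "football", "123123", "monkey",
    "654321", "!@#$%^&*", "charlie", "aa123456", "donald", "password1",
    "qwerty123",
}

# Assumed US-layout key sequences. The second row is the "Shift" symbols
# the article mentions; the short columns catch walks such as 1qaz2wsx
# and zaq1zaq1 from the 2015 and 2016 rankings.
KEY_SEQUENCES = [
    "1234567890", "!@#$%^&*()", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm",
]

# Common character substitutions users rely on to "add complexity".
LEET = str.maketrans("0134$@!", "oieasai")


def candidates(pw):
    """Forms of pw that should all be compared against the blocklist."""
    low = pw.lower()
    stripped = re.sub(r"\d+$", "", low)      # drop a trailing "1", "2019", ...
    return {low, stripped, low.translate(LEET), stripped.translate(LEET)}


def has_key_walk(pw, min_run=4):
    """True if pw contains min_run adjacent keys along a row or column,
    in either direction."""
    low = pw.lower()
    for seq in KEY_SEQUENCES:
        for direction in (seq, seq[::-1]):
            for i in range(len(direction) - min_run + 1):
                if direction[i:i + min_run] in low:
                    return True
    return False


def weak_password_reason(pw, blocklist=WORST_2018, min_length=8):
    """Return a short reason why pw is weak, or None if it passes these screens.
    Blocklist membership is checked first so that a blocklisted value is
    reported as such even when it would also match a later rule."""
    if any(c in blocklist for c in candidates(pw)):
        return "on blocklist"
    if re.search(r"(.)\1{3,}", pw.lower()):
        return "repeated character"
    if has_key_walk(pw):
        return "keyboard pattern"
    if len(pw) < min_length:
        return "too short"
    return None


if __name__ == "__main__":
    # Constructed sample inputs, including substitution and suffix variants.
    for sample in ["123456", "P@ssw0rd1", "!@#$%^&*", "1qaz2wsx",
                   "Sunshine2019", "Tr0ub4dor&3"]:
        print(f"{sample!r:16} -> {weak_password_reason(sample)}")
```

The normalization step is what makes the blocklist useful in practice: "P@ssw0rd1" and "Sunshine2019" never appear on the list verbatim, yet both collapse to entries that do. Screening at password-set time in this way complements, rather than replaces, the awareness training the article goes on to recommend.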

In speaking about the list, Morgan Slain, SplashData CEO, cautioned, “Hackers have great success using celebrity names, terms from pop culture and sports, and simple keyboard patterns to break into accounts online because they know so many people are using those easy-to-remember combinations.” In fact, it’s estimated that 10% of people have used at least one of this year’s 25 worst passwords, and that nearly 3% have used “123456.”

How can you help break the bad password cycle?

As you consider your comfort level with 10% of your employees using one (or more) of these passwords to safeguard their accounts, you should also consider what you’re doing to help move the dial on password hygiene. Instead of chalking these behaviors up to laziness, think instead about how daunting a task it is to create, remember, and manage a stable of complex passwords—a stable that only continues to change and expand—while also being told that you can’t reuse passwords or write anything down.

End users will always be the key to proper application of password best practices, and security awareness training remains the best avenue for influencing behaviors and reducing risk. Here are some proactive ways to break the cycle:

  • Explain the importance of good password hygiene to employees in terms they will understand, using examples that will resonate. Don’t assume users know that compromised credentials are for sale on the black market; tell them that (and use examples). And illustrate the dangers of reusing the same password across multiple logins, particularly those that provide access to sensitive information or financial accounts.
  • Provide interactive training about the techniques employees can use to create and remember more complex password constructions. The best options are those that encourage users to practice techniques and avoid pieces of personal data (like birthdays) that are regularly available on social media.  
  • Offer guidance and recommendations about extra tools that can help them protect their data and yours. Explain how multi-factor authentication works, where they can employ it, and why it’s worth the extra few seconds to use it. And offer your recommendations about password management tools; your expertise and knowledge are valued by many in your organization (though you may not realize it).
  • Don’t underestimate your employees’ desire to learn about these best practices. Not everyone will be receptive, but many will be—and they’ll be happy to share the information with family and friends. When users truly understand why you ask them to create strong passwords (and regularly change them), they will be less inclined to regard these actions as nuisance activities.
Looking for more information and advice about addressing end-user risk? Register for the 2019 State of the Phish Report SecureWorld web conference on January 30th.