February 15, 2015
Worst Passwords of 2014 Revealed: SplashData
"123456" is the worst password imaginable but, amazingly it's still the most popular choice.
For all the high-tech security threats lurking in the shadows, weak passwords are the easiest to fix, yet apparently the most ignored. It's simple to come up with complicated yet easy-to-remember passwords, it's just that some people still aren't prepared to make the effort – putting themselves and their friends at peril.
Every year web security specialist SplashData trawls through several million leaked passwords in search of our favourites. The results are in for 2014 and, once again, the world's most common password is the ridiculously simple "123456". It's topped the list two years running, after knocking off the equally ludicrous "password", which took honours in 2012.
Reading down the list, it's clear that some people don't put much thought into their passwords. Favourites include "qwerty", "iloveyou" and the cunning "letmein". If people are told that "123456" is too short a password, they simply tag "78" on to the end.
These passwords might be easy to remember, but they're the passwords hackers will test first when trying to breaking into your online accounts. They're the equivalent of leaving your house key under the door mat and hoping that burglars will never think to look there.
If these sound like your passwords, it's time to do something about it. Don't beat yourself up about it too much though, as there's a long and glorious history of using foolish passwords to protect precious things. For years during the Cold War, the secret eight-digit passcode to unlock US nuclear missiles was a string of eight zeros – with high-ranking generals deciding to put convenience before security.
If your passwords are no better, you're sitting on a security time bomb, warns Andrew Clouston, founder of Australian personal profile manager app MOGOplus.
"If you're not using unique, strong passwords for each website you log into, you're just asking to be defrauded," Clouston says. "Strong passwords are at least 12 characters in length and contain a mix of letters, numbers and symbols, preferably in both upper and lower case. Don't ever use your name, date of birth, home address or any of those things that are easily attributable to you personally."
The humble password's days are numbered, Clouston says, looking at new technology on display at January's Consumer Electronics Show. Security innovations include the Fujitsu PulseWallet, which identifies the unique pattern of veins on your hand; and Bionym's Nymi wristband, which uses your heartbeat as a password.
An industry working group called the FIDO Alliance (Fast IDentity Online) is also working to develop new standards for authentication that do not rely on traditional passwords. Google, PayPal, Microsoft and MasterCard are among the industry heavyweights striving to combat the security fatigue that drives some people to choose foolish passwords.
In the short-term, password managers such as Australia's MOGOplus aim to make it easier for people to use better passwords than "123456". The MOGOplus app can generate strong passwords for you and store them in an encrypted digital vault to use on your smartphone or tablet. The app logs into your accounts for you, so you only need to remember one master password.
Of course you still need a strong master password to keep your secrets safe. The best passwords are easy for you to remember but difficult for a person to guess or a computer to crack by brute force.
One trick for creating a unique and complicated password is to base it on a phrase or lyric rather than a single word. For example, you might start with the first line of Waltzing Matilda and take the first letter from each word. Throw in some capitalisation, symbols and numbers and you've got yourself a strong password like "OaJs+CbAb+1788" – which looks like gibberish to anyone else but is easy to remember if you sing along under your breath.
Chances are you need more than one strong password in your life, but it's a mistake to reuse them in case one is discovered. To make it easy to remember, you might find your second super password Under the Shade of A coolibah Tree.
With a little thought, it's not hard to dream up a list of super strong passwords that are as easy to remember as "123456" but not ridiculously easy for everyone else to guess.
SplashData's 'Worst Passwords of 2014'
This article was featured on Stuff NZ on February 5 2015 and was written by Adam Turner.