Every December, a list of terrible passwords is published by SplashData, and this year the list of the worst passwords of 2017 contains the same horrors as years gone by. Passwords that not only would take a hacker next to no time to guess, but in many cases, could be cracked at the first attempt.
The list of the worst passwords of 2017 is compiled from databases of leaked and stolen passwords that have been published online throughout 2017. This year, SplashData compiled its list from more than 5 million leaked passwords.
The minimum password length on many websites has now been increased to eight characters; however, it is still possible to use passwords of six characters in many places. This year, the worst password is six characters long and is the extremely unimaginative: 123456. A password so easy to guess, it is barely worth setting a password at all.
In second place is an eight-character password, which is similarly not worth using at all: password. In third place is 12345678. Those three passwords retained the same positions as last year.
Each year, the same passwords appear on the list, with slight fluctuations in their positions in the list. However, there are some new entries this year. The rebooting of the Star Wars saga has spurred many people to choose Star Wars related passwords, with starwars featuring in 16th position on the list.
An interesting entry makes it into 25th place – trustno1. Good advice, but even with the addition of a number, it is still a poor password choice. At first glance, number 24 in the list appears to be reasonable, but qazwsx is the first six characters on the left-hand side of the keyboard.
Using the passwords letmein, passw0rd, admin, master, and whatever, are all equally bad. All of those words make the top 25 in the list of the worst passwords of 2017.
Top 25 Worst Passwords of 2017
- 123456
- password
- 12345678
- qwerty
- 12345
- 123456789
- letmein
- 1234567
- football
- iloveyou
- admin
- welcome
- monkey
- login
- abc123
- starwars
- 123123
- dragon
- passw0rd
- master
- hello
- whatever
- qazwsx
- trustno1
The list of the worst passwords of 2017 reveals many people are extremely unimaginative when choosing a password to secure their email, social media, and online accounts.
SplashData estimates 3% of people have used the worst password on the list, while 10% have used one of the first 25 passwords to “secure” at least one online account.
Most people know that strings of consecutive numbers are bad, as is any variation of the word password, but changing to a dictionary word or a pop culture reference is just as bad, as Morgan Slain, CEO of SplashData, Inc., explained, “Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words.”
That means using football (or any other sport) or starwars will not prevent a hacker from gaining access to an account for very long.
What Makes a Bad Password?
Brute force attacks, those where repeated attempts are made to guess passwords, does not involve a hacker sitting at a computer typing bad passwords until the correct one is guessed. Those attacks are performed by bots, and it doesn’t take long for a bot to guess a poor password.
Without rate limiting – setting a maximum number of failed attempts before access is temporarily blocked – to slow down the process, the bots can cycle through the list of the worst passwords of 2017 quickly, followed by those used in other years and other dictionary words.
Hackers also know the tricks that people use to keep passwords easy to remember, while meeting the strong password requirements set by IT departments, such as adding an explanation mark to the end of an easy to remember word or replacing certain letters with their numerical equivalent: An A with a 4, or an O with a zero for instance.
What Makes a Good Password?
A good password should contain upper and lowercase letters, numbers, and special characters, and should preferably be a random string of 10 or more characters. That of course makes passwords very difficult to remember. Writing the password down so you don’t forget it is also a very bad idea, as is reusing passwords on multiple sites and recycling old passwords.
In 2017, NIST revised its advice on choosing passwords as its research showed that forcing people to choose upper and lower-case passwords and special characters did not always ensure people chose strong passwords. Instead, they get around the technology by simply changing the first letter to a capital letter and adding a special character and number to the end, for instance.
Instead, NIST recommended using a passphrase rather than a password. A phrase that only you would know.
A list of four or five unrelated words would work well. Dogforkliftmonkeyhousecar would be a strong password phrase to use (other than the fact it has now been published online). It would be difficult to crack but easy to remember with a mnemonic.
To keep your accounts secure, make sure you choose strong and complex passwords, ideally long passwords of at least 15 characters. However, remembering the 20 or so unique passwords you are likely to need will still be hard.
The solution is to use a password manager, and to secure that account with a strong hard to guess password. Then only one complex password must be remembered.