A recent study of commonly used passwords by Dashlane/Virginia Tech has revealed some of the worst passwords of 2018.

For the study, Virginia Tech researchers provided Dashlane with an anonymized copy of 61.5 million passwords. The password list was created from 107 individual lists of passwords available on forums and in data archives, many of which have come from past data breaches.

The analysis of the list revealed many common themes. These include the names of favorite sports teams: In the UK, common password choices were liverpool, chelsea and arsenal – the leading soccer teams in the premier league.

Popular brand names were also chosen, such as cocacola, snickers, mercedes, skittles, mustang, and playboy. MySpace and LinkedIn were also common choices, alarmingly, to secure accounts on those sites.

Bands and movie references were often used, with Spiderman, superman, starwars, and pokemon all common choices as were expressions of frustration – a**hole, bull****, and f***you were often chosen.

The Dashlane report shows that despite warnings about the risk of using easy-to-remember passwords, end users are still choosing weak passwords. One particularly worrying trend is the use of seemingly secure passwords, which are anything but secure.

1q2w3e4r5t6y and 1qaz2wsx3edc may appear to be relatively secure passwords; however, how they are created makes them easy to guess. They are certainly better than “password” or letmein” but not by much.

The passwords are created by a process that Dashlane calls password walking – the use of letters, numbers, and symbols next to each other on a keyboard. Simpler variations on this theme are qwerty and asdfghjk. To get around password rules, the same technique is used with the incorporation of capital letters and symbols.

The study shows that even though many companies require end users to set strong passwords, employees ignore password advice or choose passwords that pass security checks but are really not that secure.

What Makes a Good Password?

A good password will not be in the dictionary, will not use sequential numbers or be created by walking fingers along a keyboard. Brand names and locations should also be avoided. Passwords should be a minimum of 8 characters and should be unique – never used before by the user, and never reused on a different platform.

Passwords should include at least one capital letter, lowercase letter, symbol and number. If all lowercase letters are used, each letter in the password could be one of 26 letters. Add in capitals and the possible options double to 52. There are 10 digits, increasing the options to 62, and let’s say 32 special characters, bringing the total up to 94 options. With so many options and possible combinations, randomly generated passwords are particularly difficult to guess. However, randomly generated passwords are also particularly difficult to remember.

Recently, that problem has been recognized by the National Institute of Standards and Technology (NIST), which has revised its advice on passwords (See special publication 800-63B).

While the use of random strings of characters and symbols makes passwords particularly difficult to guess and more resilient to hackers’ brute force password guessing tactics, end users have trouble remembering their passwords and that leads to particularly risky behaviors such as writing the password down or storing it in a browser.

NIST now suggests the use of longer passphrases rather than passwords – Iboughtacarwithmyfirstpaypacket or ifihadahorseIwouldcallitDave– for example. Passphrases are more user-friendly and easier to remember, but are still secure – provided a sufficient number of characters are used. If passphrases are encouraged rather than difficult to remember passwords, end users will be less likely to set passwords that meet strong password guidelines but are not particularly secure – LetMeIn! for example.

The minimum number of characters can be set by each organization, but rather than restricting the characters at 16, companies should consider expanding this to at least 64. They should also accept all printable ASCII characters, including spaces, and UNICODE characters.

Since some end users will attempt to set weak passwords, it is important to incorporate controls that prevent commonly used passwords from being chosen. Each password choice should be checked against a blacklist before it can be set.