Most Common Passwords Used in 2016

Password manager and security vault company Keeper Security recently looked into 2016’s most commonly used passwords, and their research shows a shocking trend in using weak passwords across various websites. Because weak passwords can lead to the very data breaches they are meant to help prevent, it’s important to read this article about their research, originally featured in Security Week, and share it with your staff.

Last year’s mega-breaches once again brought to the spotlight the long-lasting issue of weak passwords, but users remained deaf to the security community’s cry for better password hygiene. By the end of the year, “123456” remained the most used password, as 17% of all users out there have been “safeguarding” their accounts with it.

A series of massive data breaches made public last year demonstrated how important it is to use strong, complex passwords. These hacks included Dropbox (68 million accounts impacted), LinkedIn (167 million), Myspace (360 million), Tumblr (65 million), Last.fm (43 million), and VK (170 million) in early summer, followed by Yahoo! (500 million) in September (the company revealing in December that one billion accounts were impacted in another incident).

If 2016 taught us anything, it’s that the recipe for disastrous account security consists of a weak password and the reuse of the password on multiple services. Attacks on Carbonite, GitHub, Netflix, Facebook, GoToMyPC, Reddit, TeamViewer, and Twitter have already proven that cybercriminals are aware of this practice and are quick to exploit it.

Companies such as Amazon and Microsoft were quick to react to the disturbing news, the former by prompting password resets for users whose accounts were compromised in other hacks and the latter by banning commonly used passwords from its services. Users are still at risk, as most services fail to take a stance and instead continue to allow users to poorly secure their accounts with weak, easily guessable passwords.

According to Keeper Security, the ten most used passwords in 2016 were:
  1. 123456
  2. 123456789
  3. qwerty
  4. 12345678
  5. 111111
  6. 1234567890
  7. 1234567
  8. Password
  9. 123123
  10. 987654321
Keeper Security’s report, which was compiled after the analysis of 10 million passwords, also reveals that the top 25 most popular passwords are used to secure over 50% of accounts. Some of these passwords are popular because they are used to secure accounts created by bots, but all of them can be cracked within seconds with the use of dictionary-based cracking tools.

Some users, the report reveals, attempt to secure their accounts by employing what they believe would be unpredictable patterns, such as “1q2w3e4r” and “123qwe,” but the widespread use of these passwords makes them easily predictable as well. What users should do to ensure increased account security is to employ complex passwords and a password manager, so they can have a different password for each of their accounts.
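As an added illustration (not part of the Security Week article or Keeper Security’s report) of the “ban commonly used passwords” approach attributed to Microsoft above and of catching predictable keyboard patterns such as “1q2w3e4r” and “123qwe”, the following Python check rejects the ten passwords listed, single repeated characters, and keyboard walks. The 12-character minimum and the 0.7 adjacency threshold are assumed policy values, and the QWERTY layout model is a simplification.

```python
"""Policy check for the weak-password families described above: the most-used
list, single repeated characters, and keyboard walks such as "1q2w3e4r"."""

# Top ten from Keeper Security's 2016 list, as quoted in the article.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "12345678", "111111",
    "1234567890", "1234567", "password", "123123", "987654321",
}
MIN_LENGTH = 12  # assumed policy value, not from the article

# US QWERTY rows, top to bottom. Each lower row is shifted half a key to the
# right, so key j of row r+1 sits between keys j and j+1 of row r.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _adjacent_pairs():
    """Set of (a, b) for physically neighbouring keys, in both orders."""
    pairs = set()
    for r, row in enumerate(KEYBOARD_ROWS):
        for i, key in enumerate(row):
            if i + 1 < len(row):                 # neighbour in the same row
                pairs.add((key, row[i + 1]))
            if r + 1 < len(KEYBOARD_ROWS):       # the two keys below
                below = KEYBOARD_ROWS[r + 1]
                for j in (i - 1, i):
                    if 0 <= j < len(below):
                        pairs.add((key, below[j]))
    return pairs | {(b, a) for a, b in pairs}


ADJACENT = _adjacent_pairs()


def keyboard_walk_ratio(pw):
    """Fraction of consecutive character pairs that are neighbouring keys."""
    s = pw.lower()
    if len(s) < 2:
        return 0.0
    hits = sum((a, b) in ADJACENT for a, b in zip(s, s[1:]))
    return hits / (len(s) - 1)


def check_password(pw):
    """Return the list of policy violations; an empty list means accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if len(set(pw)) == 1:
        reasons.append("single repeated character")
    elif keyboard_walk_ratio(pw) >= 0.7:   # assumed threshold
        reasons.append("keyboard walk or digit run")
    return reasons
```

Both “1q2w3e4r” (every pair adjacent) and “123qwe” (four of five pairs adjacent) are caught by the walk test even though neither is on the top-ten list, while a long passphrase scores well below the threshold.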

“I can tell you for a fact that without a password manager nearly everyone I know reuses passwords. Otherwise, you have dozens if not hundreds of passwords you need to try and remember. Obviously, that won’t work,” notes Rafal Los, Managing Director, Solutions R&D, within the Office of the CISO for Optiv.

He also points out that service providers shouldn’t focus on policies that force users to use complex passwords and maybe reset them often, but rather on building good authentication hygiene to drive healthy behaviors in users.

“So, the problem to solve: rather than trying to figure out how complex you can make password requirements before your users revolt is how to maintain good authentication hygiene while driving healthy behaviors from your users. We’re going to be living with passwords for a very, very long time whether you want to admit it or not. Let’s address the root cause of the problems we’re seeing,” Los says.

Take note: If you’re a DOLLARS ON THE NET Account Administrator, we recommend double-checking the Security Settings requirements you’ve configured for your staff to ensure you require strong passwords. We’ve provided options to match and exceed the requirements set by the PCI DSS as well as to require multifactor authentication (MFA). We recommend that you enforce MFA for all administrator-level users.

For more information, review the Account Administrator Guide in DOLLARS ON THE NET Help.