Every year, the fine gents at SplashData both entertain and horrify us with a list of the 100 worst passwords out there, hoping to kick our collective bad habits. Despite increased awareness of the need for password hygiene, people still use the same weak login credentials. This year is no different, as the report reveals.
Weak passwords are an important attack vector for techniques such as brute-force attacks, in which an attacker systematically tries many candidate passwords or passphrases in the hope of eventually hitting the right one. In effect, the attacker checks every possible combination until a match is found.
Needless to say, brute-force attacks work best on weak passwords, such as “password” or “123456.” And, according to SplashData, these two continue to top the worst-passwords list in 2018 – for the fifth year in a row. The next five on the list are simply numerical strings, which you can probably guess.
Even U.S. President Donald Trump made the list:
“While terrible passwords such as ‘123456’ and ‘password’ continue in the #1 and #2 spots, respectively, President Trump debuted on this year’s list with ‘donald’ showing up as the 23rd most frequently used password.”
“Sorry, Mr. President, but this is not fake news – using your name or any common name as a password is a dangerous decision,” said Morgan Slain, CEO of SplashData. “Hackers have great success using celebrity names, terms from pop culture and sports, and simple keyboard patterns to break into accounts online because they know so many people are using those easy-to-remember combinations.”
The research suggests around 10% of people have used at least one of the 25 worst passwords on this year’s list, and nearly 3% have used the worst password, 123456.
As a rule of thumb, never use a weak password, and certainly never reuse the same weak password across different services. A strong password should be at least eight characters long and contain upper- and lowercase letters, numbers, and special characters (*, #, %, etc.). Users should also enable two-factor authentication (2FA) on every service that offers it.
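As an added illustration of the rules in the paragraph above, combined with the kind of list the article describes (example code written for this page, not SplashData's or the article's own), the checker below rejects a password that appears on a small constructed denylist, is a purely numeric string, or is a simple keyboard-row pattern, and then applies the length and character-class rule. The denylist contains only the three entries the article names plus two constructed placeholders.

```python
import re
from typing import List

# Constructed denylist: "123456", "password" and "donald" are the three entries
# the article names; "qwerty" and "111111" are placeholders standing in for the
# rest of the published list.
WORST_PASSWORDS = {"123456", "password", "donald", "qwerty", "111111"}

# Keyboard rows used to detect the "simple keyboard patterns" the article mentions.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def is_keyboard_pattern(pw: str, min_run: int = 4) -> bool:
    """True if pw is a straight run along one keyboard row, forwards or backwards."""
    s = pw.lower()
    if len(s) < min_run:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def check_password(pw: str) -> List[str]:
    """Return every reason pw fails the article's rules; an empty list means it passes."""
    problems = []
    if pw.lower() in WORST_PASSWORDS:
        problems.append("on the worst-passwords list")
    if pw.isdigit():
        problems.append("numeric string only")
    if is_keyboard_pattern(pw):
        problems.append("simple keyboard pattern")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    # The article's character-class rule: upper, lower, digit and special.
    required = {
        "lowercase": r"[a-z]",
        "uppercase": r"[A-Z]",
        "digit": r"\d",
        "special": r"[^A-Za-z0-9]",
    }
    for name, pattern in required.items():
        if not re.search(pattern, pw):
            problems.append(f"missing {name} character")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "donald", "Password1", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "OK")
```

In a real deployment the denylist would be the full published list or a larger breached-password corpus rather than these few entries, and the check would run server-side at account creation and password change.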