These Were the Most Common Passwords Used in 2016

Although weak and commonly used passwords have long been one of the most used avenues to compromise accounts, they remain at the top of the most popular passwords charts, a recent Keeper Security report reveals.

Last year’s mega-breaches once again brought to the spotlight the long-lasting issue of weak passwords, but users remained deaf to the security community’s cry for better password hygiene. By the end of the year, “123456” remained the most used password, as 17% of all users out there have been “safeguarding” their accounts with it.

A series of massive data breaches made public last year demonstrated how important the use of strong, complex passwords is. These hacks included Dropbox (68 million accounts impacted), LinkedIn (167 million), Myspace (360 million), Tumblr (65 million), Last.fm (43 million), and VK (170 million) in early summer, followed by Yahoo! (500 million) in September (the company revealed in December that one billion accounts were impacted in another incident).

If 2016 taught us anything, it is that the recipe for disastrous account security consists of a weak password and the reuse of this password on multiple services. Attacks on Carbonite, GitHub, Netflix, Facebook, GoToMyPC, Reddit, TeamViewer and Twitter have already proven that cybercriminals are aware of this practice and are quick to exploit it.

While companies such as Amazon and Microsoft were quick to react to the disturbing news, the former by prompting password resets for users whose accounts were compromised in other hacks and the latter by banning commonly used passwords from its services, users are still at risk, as most services fail to take a stance and continue to allow users to secure their accounts with weak, easily guessable passwords.

According to Keeper Security, the ten most used passwords in 2016 were:

1. 123456

2. 123456789

3. qwerty

4. 12345678

5. 111111

6. 1234567890

7. 1234567

8. password

9. 123123

10. 987654321

Keeper Security’s report (PDF), which was compiled after the analysis of 10 million passwords, also reveals that the top 25 most popular passwords are used to secure over 50% of accounts. Some of these passwords are popular because they are used to secure accounts created by bots, but all of them can be cracked within seconds with the use of dictionary-based cracking tools.

Some users, the report reveals, attempt to secure their accounts by employing what they believe would be unpredictable patterns, such as “1q2w3e4r” and “123qwe,” but the widespread use of these passwords makes them easily predictable as well. What users should do to ensure increased account security is to employ complex passwords and a password manager, so they can have a different password for each of their accounts.
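The server-side screening this implies (banning commonly used passwords and catching keyboard patterns of the kind the report quotes) can be sketched as below. This is an added example, not code from Keeper Security, Microsoft or SecurityWeek; the function names, the US QWERTY row table and the pattern rules are assumptions made for illustration.

```python
import unicodedata

# The ten passwords listed in the article plus the two patterns it quotes.
DENYLIST = {
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "1234567", "password", "123123", "987654321", "1q2w3e4r", "123qwe",
}
# Assumption: US QWERTY rows; other keyboard layouts need their own rows.
ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def on_row(s):
    """True if s runs left-to-right or right-to-left along one keyboard row."""
    return any(s in row or s[::-1] in row for row in ROWS)


def all_row_runs(s, min_len=3):
    """True if s splits entirely into keyboard-row runs of at least min_len keys."""
    i = 0
    while i < len(s):
        j = i + 1
        while j < len(s) and on_row(s[i:j + 1]):
            j += 1
        if j - i < min_len:
            return False
        i = j
    return bool(s)


def reject_reason(password):
    """Return why the password is refused, or None if it passes these checks."""
    # Normalisation is for comparison only; the stored credential is untouched.
    p = unicodedata.normalize("NFKC", password).strip().lower()
    if not p:
        return "empty"
    if p in DENYLIST:
        return "denylisted"
    if p in (p + p)[1:-1]:              # a shorter chunk repeated: 121212
        return "repeated chunk"
    if all_row_runs(p):                 # 7654321, qweasd
        return "keyboard run"
    if len(p) >= 6 and all_row_runs(p[::2]) and all_row_runs(p[1::2]):
        return "interleaved keyboard run"   # 2w3e4r5t
    return None
```

A production deny-list would be far larger than these twelve entries; the structural checks exist to catch close variants that no list enumerates.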

“I can tell you for a fact that without a password manager nearly everyone I know re-uses passwords. Otherwise you have dozens if not hundreds of passwords you need to try and remember. Obviously that won’t work,” Rafal Los, Managing Director, Solutions R&D within the Office of the CISO for Optiv, notes in a SecurityWeek column.

He also points out that service providers shouldn’t focus on policies that force users to use complex passwords and maybe reset them often, but rather on building good authentication hygiene to drive healthy behaviors in users.

“So, the problem to solve: rather than trying to figure out how complex you can make password requirements before your users revolt is how to maintain good authentication hygiene while driving healthy behaviors from your users. We’re going to be living with passwords for a very, very long time whether you want to admit it or not. Let’s address the root cause of the problems we’re seeing and start being seen as leaders,” Los says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
