Words of Wisdom: The Worst Passwords of 2014

Password safety

American author Clifford Stoll has argued that the best quote to use when teaching others the importance of proper password safety is:

“Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.”

This quote is perhaps the best way to teach your children proper password procedures, along with sharing with them the list of the Internet's most common passwords. Between the Sony leaks, the J.P. Morgan Chase cyberattack last June, the Dairy Queen International attack last October, and the Snapsave attack last year, in which photos of 200,000 users were compromised, it seems that now, more than ever, is the right time to deploy top-shelf Identity Management.

On January 20, 2015, SplashData announced its annual list of the 25 most common passwords found on the Internet. SplashData took a look at the 3.3 million passwords that were leaked last year, cataloguing the most commonly compromised and least secure passwords.

Most of the passwords on SplashData’s list come from North American and Western European users. Predictably, “123456” and “password” both topped the list this year. To my surprise, phrases like “monkey,” “dragon,” and “letmein” also placed in the top 25. The main problem with these passwords is that hackers have programmes that can try these common passwords against many accounts in seconds, and to be successful they only need one hit.

To reduce the chances of your account being compromised, read SplashData’s full list below. If your password is on it, you should probably consider changing it.

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty
  6. 1234567890
  7. 1234
  8. baseball
  9. dragon
  10. football
  11. 1234567
  12. monkey
  13. letmein
  14. abc123
  15. 111111
  16. mustang
  17. access
  18. shadow
  19. master
  20. michael
  21. superman
  22. 696969
  23. 123123
  24. batman
  25. trustno1

Before we discuss what makes a good password, one good tip to start with is to require that your users create different usernames and passwords for each individual account, both personal and professional. That way, if their gmail.com account is hacked, their online bank and other websites are not put at greater risk by the email breach, and neither are your company’s servers and databases.

So if these are not passwords to emulate, what should the policies of your organization’s Identity Management platform look like? For starters, prohibit the use of short phrases; instead, require passwords that are eight characters or longer. The use of different types of characters, such as letters, numbers and symbols, is also highly recommended.

With regard to policy, make sure that your policy requires users to change their passwords on a regular basis. I recommend anywhere between 30 and 180 days; for reference, Microsoft’s Windows Server defaults to a password reset for users every 42 days.

Also, it’s crucial to make sure that your identity management solution offers native password history, so that your users can’t reuse old passwords.
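The policy points above (block the SplashData top 25, require eight characters or more and mixed character types, keep a salted password history, and rotate on the 42-day default) combined into one checker, as an added example that is not Hypersocket's or the post's own code. The five-entry history depth and the "at least two character classes" reading of the mixed-character rule are assumptions.

```python
import hashlib
import hmac
import os
from datetime import date
# SplashData's 2014 top-25 list, exactly as quoted in the post.
WORST_2014 = {
    "123456", "password", "12345", "12345678", "qwerty", "1234567890",
    "1234", "baseball", "dragon", "football", "1234567", "monkey",
    "letmein", "abc123", "111111", "mustang", "access", "shadow", "master",
    "michael", "superman", "696969", "123123", "batman", "trustno1",
}

MIN_LENGTH = 8       # the post's "eight characters or longer"
MAX_AGE_DAYS = 42    # the Windows Server default cited in the post
HISTORY_DEPTH = 5    # assumed value; the post only asks for "native password history"

def _digest(password: str, salt: bytes) -> bytes:
    # Store history as salted PBKDF2 digests so old passwords are not kept in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def check_policy(candidate: str, history: list) -> list:
    """Return the policy violations for a proposed password (empty list = accepted).
    `history` is a list of (salt, digest) pairs for the user's previous passwords."""
    problems = []
    if candidate.lower() in WORST_2014:
        problems.append("on SplashData 2014 worst-passwords list")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Assumed interpretation of "different types of characters": at least two classes.
    classes = (any(c.isalpha() for c in candidate),
               any(c.isdigit() for c in candidate),
               any(not c.isalnum() for c in candidate))
    if sum(classes) < 2:
        problems.append("needs at least two of letters, digits, symbols")
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append("reused from password history")
            break
    return problems

def remember(password: str, history: list) -> list:
    """Append the accepted password's salted digest to the history."""
    salt = os.urandom(16)
    return history + [(salt, _digest(password, salt))]

def needs_rotation(last_changed_iso: str, today_iso: str) -> bool:
    """Flag accounts whose password is older than MAX_AGE_DAYS (ISO dates)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > MAX_AGE_DAYS
```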

This Blog was brought to you by Hypersocket Software and its CEO, Lee David Painter. With over 20 years of industry experience as a pioneer in IT Security, Lee developed the world’s first OpenSource browser-based SSL VPN (SSL-Explorer). Today, Lee runs Hypersocket Software, a leader in Password Self-Service solutions.