The Worst Passwords of 2016

Print Email

Ever since the dawn of the personal computer age, users have had to create, remember and type in a password to do at least something with the machine in front of them. Because most of us already have plenty of other things to think about and remember, those passwords were often almost ludicrously simple, like “password” or “1234” or … you get the idea.

Some 30 years later, a lot of us do the same thing, even though we should know better by now. More than 37 million records were exposed in data breaches last year in the United States. That number represents records stolen from the business and government sector, and by an estimate from security application provider SplashData, includes more than 5 million individual password records.

There were plenty of examples of poor password choice to pick from last year, but the break-in at the Democratic National Committee was probably the poster child. An easily breakable password used by Hillary Clinton’s campaign manager John Podesta led to a hacking attack against the group’s systems that resulted in the loss of thousands of passwords and hundreds of thousands of emails.

The loss of billions of online credentials (usernames and passwords) in 2016 has led to an increase in a hacking attack known as credential stuffing, where credentials stolen from one website are gathered into a massive file that then enters the credentials one at a time into a different website’s login screen. Hackers’ success rates are barely 2%, but it doesn’t have to be very high — from a million stolen credentials, 20,000 accounts could be compromised.

What to do? Last October we looked at how to guard against identity theft. Near the top of the list is a recommendation to create strong passwords. Similarly, if you purchase a new device that is network connectable (the so-called Internet of Things), it is critical to change the default password that comes pre-installed.

And if you want those passwords to be hard for thieves to figure out, don’t use one of these, the 10 worst passwords of 2016:

  1. 123456
  2. password
  3. 123435
  4. 12345678
  5. football
  6. qwerty
  7. 1234567890
  8. 1234567
  9. princess
  10. 1234

Security website Darkreading has more details and an additional 15 passwords you should avoid.