Splashdata has again released its annual list of the most popular and therefore worst passwords found in over two million leaked passwords during 2015. If your password is on the list, then Splashdata said you are continuing to put yourself “at risk for hacking and identity theft by using weak, easily guessable passwords.”
To make it easier to see the same mistakes and the same crappy passwords topping the list year after year, every list of weak and worst passwords released by Splashdata is collected below.
Worst passwords of the last five years
Try a password manager for pity's sake
If your password is listed, then wake up. Try a password manager, or use a passphrase and add in two-factor authentication. For example, there’s LastPass, but you could still fall for a “pixel-perfect” LostPass phishing scheme, as pointed out by security researcher Sean Cassidy during a ShmooCon talk; Cassidy said LostPass can even get around two-factor authentication, so an attacker could tap into the “LastPass API to remotely download and decrypt all passwords, credit cards, and secure notes.”
Besides LastPass, other popular password managers include KeePass, Dashlane, 1Password, RoboForm, Sticky Password, LogMeOnce, Password Boss, Password Genie, Password Safe, Zoho Vault and many, many more with both free and premium versions. None are perfect solutions, but each is better than using the same sucky passwords that make the list of worst and weakest passwords year after year. But sometimes your new and hopefully stronger password may be rejected as it falls foul of a site’s password policy.
When you go to create a new password and a character is blocked, Troy Hunt, Microsoft MVP for developer security and the creator of Have I been pwned, said to those sites, “I’m going to assume one thing: your input sanitization and your query parameterization sucks. You’ve screwed it up to the point that you simply can’t trust the app not to be SQL injected if you don’t disallow those characters.” After pointing to an example of a site that allows only numbers and letters, he added, “I’m going to assume that you’re not hashing the password and are instead storing it in plain text. What other reasonable assumption is there – the web app clearly hasn’t left it in a stable state before sending it to the database!”
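Hunt's point is that a site which hashes passwords and parameterizes its queries has no reason to block any character. The following is an added example illustrating that, not code from the article or from any site it mentions; the table and column names are invented for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Added example: password handling that never needs to restrict what the user types.
# The password is hashed with a per-user salt (PBKDF2-HMAC-SHA256 from the standard
# library), so the database only ever stores fixed-alphabet hex, and every query is
# parameterized, so quotes and semicolons in the input are data, not SQL.
ITERATIONS = 200_000  # work factor; raise it in production as hardware gets faster


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt_hex, hash_hex). Any Unicode string is accepted as a password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex(), digest.hex()


def create_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt_hex, hash_hex = hash_password(password)
    # Placeholders (?) keep user input out of the SQL text entirely.
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt_hex, hash_hex),
    )


def verify_user(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    _, candidate = hash_password(password, bytes.fromhex(row[0]))
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(candidate, row[1])


def demo() -> bool:
    """Store a password full of 'dangerous' characters and check it round-trips."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT, pw_hash TEXT)")
    awkward = "O'Brien; DROP TABLE users;-- \"quotes\" <b> 🔐"  # constructed sample input
    create_user(conn, "alice", awkward)
    # The table still exists with exactly one row: the injection-looking text was just data.
    count = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return count == 1 and verify_user(conn, "alice", awkward) and not verify_user(conn, "alice", "123456")
```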
Have I been pwned?
It's not like the pathetic passwords compiled by Splashdata would provide any challenge to a hacker, and certainly not to rainbow tables. Password reuse is another horrible habit people can't seem to beat. If you reuse the same password and a site is hacked, and your email address and password are dumped, would you even know to go change those passwords? It's my opinion that everyone should sign up on Have I been pwned so they are notified if their email address shows up in a data dump somewhere. It might even be the first notification you receive of a data breach.
When a data breach is not widely reported, cyber thugs can make more money off the data. Hunt won’t cough up bitcoins for that data, even though he has been approached by creeps attempting to monetize hacked data, but it helps data breach victims when he adds information to Have I been pwned.
Regarding the database dump of about six million entries from Nexus Mods, which was reported in December, yesterday Hunt loaded “almost 6M records and HIBP sent out 8,603 emails to individual subscribers, 559 emails to domain subscribers and a massive 124,325 notifications to subscribers using the callback implementation. The value of this breach is now not what it once was and the victims have a greater awareness of their exposure. The only ones who genuinely lose out when I load a breach like this is those who are illegally selling it in an attempt to further disadvantage the victims.”
Google’s Project Abacus wants to kill passwords, use all your biometric identifiers
Last year at the Google I/O conference, the company announced a new plan to kill off the password with its new Project Abacus. At the time, former DARPA director Regina Dugan said Abacus “may prove to be ten-fold more secure than just a fingerprint sensor.” Instead of using a password or 2FA, it would use multi-factor authentication. Ars Technica explained, “Abacus calculates a continuous ‘trust score’ using tons of signals, your location, facial recognition, speech input, how you type, motion created by how you walk, and nearby Bluetooth devices.”
Kaspersky blogged that the most amazing news about Abacus is “that this technology doesn’t require any specific hardware. Everything project Abacus needs to operate already exists in every modern smartphone. It’s just about adding the software. On the other side, this approach requires the gathering of a lot of information about user behavior, which is quite uncomfortable, taking into account how much of our data Google already has.”
If you are sick and your voice no longer has the same speech input, or if you hurt your hand or a finger and the way you type changes, or if you sprain your ankle or have an injury to your foot or leg and it changes your gait, then what? Would you be locked out?
Abacus is far from the only biometric authentication system meant to kill off the password; every year at CES there are a plethora of security tech products to scan fingerprints, palm prints and irises, utilize facial recognition, eye tracking, voice recognition and even monitor behavior. By utilizing a device you already have – your smartphone – Abacus might really have a shot at killing the password.
Engadget called Abacus “creepy” and I agree as it requires “constant, invasive surveillance and access to some pretty intimate records.” While it certainly would do away with the pathetic passwords people can’t seem to get away from year after year, it’s unclear if people would actually be cool with Google hoovering up all their biometric data.