By Daniel J. Solove
The SplashData annual list of the 25 most widely used bad passwords was recently posted for passwords used in 2015. The list is compiled each year by examining passwords leaked during that year. Here is the list of passwords for 2015, and below it, I have some thoughts and reactions to the list.
So what can we learn from all this?
1. Some people really lack much imagination. For passwords, people often draw from life experiences, loved ones, and hobbies and interests. If the only thing some people can think of for their password is “password,” then they not only need to get some better security wisdom, but they also need to get a better life!
2. Some people have at least learned the lesson that a longer password is better. The most widely used password was 123456. It could have been worse. Password #5 is 12345. To the folks who used 1234 (Password #8), shame on you! Some folks can count higher. Password #9 goes to 7 digits: 1234567. Password #12 has 10 digits: 1234567890 — it seems some people at least were listening to the advice that passwords should be long. But where are the people with 11-digit passwords? Aren’t there people out there who think that the best password goes to 11?
3. There are definitely some sports fans here as well as some folks into fantasy. Maybe I’m stereotyping, but this list seems to skew male.
4. With the new Star Wars movie, a new entry to the list was starwars. Sadly, the Force wasn’t with these people, and the use of this password correlates quite well to susceptibility to the Jedi mind trick.
5. Several passwords involved login/access words — login, password, passw0rd, welcome, letmein. Sadly, the password notbythehaironmychinnychinchin didn’t make the list.
6. Other passwords show keyboard proximity — qwerty, qwertyuiop, and all the numeric passwords. 1qaz2wsx seems like a clever password, but it’s just the cluster of keys on the left side of the keyboard.
7. It is easy to mock these passwords. But it is hard for people to remember many long and complex passwords, especially if people are forced to change their passwords routinely. People have too many online accounts these days to be able to remember all passwords. We demand the impossible of people with passwords, and then we blame them when they fail. Last year, I wrote about this problem in a blog post and at Wired.
8. All of the password advice put together takes the impossible and multiplies it by the impossible. People are told to choose long and complex passwords, use special characters, include upper and lower case letters, and have numerals, as well as to use different passwords for each account, to not write them down, and to change them frequently. Can anyone possibly do this for hundreds of different accounts? It is doable for one account, such as one’s work account, but not possible for all accounts.
9. Probably everyone has a bad password or two. Or three. Even the experts! Not me, of course . . . Definitely not me . . .
10. Despite all the technology, much data security boils down to people. Force them to select good passwords, and people will write them on sticky notes on their desks. Or get people to do everything right, and then a phisher comes along and tricks them into giving up their passwords. So much of data security is just getting people to behave. But we can and should make things easier by improving the authentication process and not demanding that people do the impossible.
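The three pattern classes that items 5 and 6 above pull out of the list (counting runs, keyboard walks, and login/access words) are exactly what a password-policy checker can reject before a weak choice ever reaches a login form. The following is an added example, not code from the post or from SplashData; it assumes a US QWERTY layout and treats a keyboard walk as any string that splits into runs of three or more keys along one row or column, in either direction.

```python
from functools import lru_cache

# Assumed US QWERTY layout: rows left-to-right, columns top-to-bottom.
QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
QWERTY_COLUMNS = ("1qaz", "2wsx", "3edc", "4rfv", "5tgb",
                  "6yhn", "7ujm", "8ik", "9ol", "0p")
# Login/access words from the list; passw0rd is caught by undoing leet substitutions.
LOGIN_WORDS = {"login", "password", "welcome", "letmein"}
LEET = str.maketrans("0134@$", "oieaas")


def is_digit_run(pw: str) -> bool:
    """'1234', '1234567890', '654321': every step is +1 or -1 modulo 10."""
    if len(pw) < 3 or not pw.isdigit():
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {9}


def is_keyboard_walk(pw: str) -> bool:
    """'qwerty', 'qwertyuiop', '1qaz2wsx', 'zaq12wsx': the password splits into
    runs (each >= 3 keys) that lie along a single row or column, forwards or backwards."""
    lines = QWERTY_ROWS + QWERTY_COLUMNS
    lines = lines + tuple(line[::-1] for line in lines)

    @lru_cache(maxsize=None)
    def splits(rest: str) -> bool:
        if not rest:
            return True
        for cut in range(len(rest), 2, -1):  # try the longest run first
            head = rest[:cut]
            if any(head in line for line in lines) and splits(rest[cut:]):
                return True
        return False

    return len(pw) >= 3 and splits(pw.lower())


def classify(pw: str):
    """Return the weak-pattern class a candidate password falls into, or None."""
    if is_digit_run(pw):
        return "digit run"
    if is_keyboard_walk(pw):
        return "keyboard walk"
    if pw.lower().translate(LEET) in LOGIN_WORDS:
        return "login word"
    return None


if __name__ == "__main__":
    for candidate in ("123456", "1qaz2wsx", "passw0rd", "starwars"):
        print(candidate, "->", classify(candidate))
```

A list such as SplashData's covers only the exact strings that leaked; the pattern checks catch the neighbours of those strings (a walk that starts one key over, a counting run one digit longer) that a plain blocklist misses.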
I find at least some of the password advice to be counterproductive. People shouldn’t be forced to constantly change their passwords; they should write them down — just keep them in a secure place and not in their wallets or on their desks. And the advice about using a different password for each account is not feasible — having hundreds of different passwords is impossible to remember. Passwords shouldn’t be reused for work accounts and really important accounts, but not reusing a password for all accounts is impractical.
So what, exactly, can we learn from bad passwords? Bad passwords are a symptom of a much larger problem — but at least a symptom that will give us a laugh.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.