The 25 most common stolen passwords of 2015

Every year, the password manager software company SplashData compiles a list of the 25 most common stolen passwords from the previous 12 months’ publicly disclosed data breaches. 2015’s results have now been published, and they demonstrate one thing: people are still no good at choosing passwords. No good at all.

Here’s the list:

Worst 25 passwords of 2015

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball
  11. welcome
  12. 1234567890
  13. abc123
  14. 111111
  15. 1qaz2wsx
  16. dragon
  17. master
  18. monkey
  19. letmein
  20. login
  21. princess
  22. qwertyuiop
  23. solo
  24. passw0rd
  25. starwars

Weak – and reused – passwords are a common point of intrusion for cyber criminals: a password exposed in one breach is simply tried against every other service the victim uses. It’s not just these 25 that you need to worry about, either. Microsoft’s Security Intelligence Report (SIR), Volume 17 noted that “according to a 2011 study of 6 million user-generated passwords, 98.8 percent of users chose a password that was on the list of the most common 10,000 passwords and were therefore easily cracked using off-the-shelf password hash-cracking software and commodity personal computer hardware.”

So, how do you ensure your staff don’t put your organisation at risk with their poor password habits?

First, a password manager will generate a long, random and unique password for each of your online accounts, remember them for you, and make it painless to rotate any that a breach exposes. Such passwords are not going to feature on lists of stolen passwords like the one above, and unlike 123456 or password they cannot be recovered by running a hash dump against a wordlist.
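The two points above, the SIR’s observation that common passwords fall to a wordlist in seconds and the advice to generate random ones instead, can be shown in a few lines. The following is an added example written for this article, not code from SplashData or Microsoft. It uses the 25 passwords listed above as a toy denylist (a real deployment would load a far larger corpus), runs a dictionary attack over a constructed dump of unsalted SHA-1 hashes, and checks candidate passwords against the denylist after undoing the usual case, leet-speak and trailing-digit disguises.

```python
from __future__ import annotations

import hashlib
import secrets
import string

# The 25 passwords from the list above, reused here as a tiny denylist.
# A real deployment would use a much larger corpus (the 10,000-entry list
# the Microsoft SIR cites, or a breach-derived list) instead of these 25.
WORST_25 = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey", "letmein",
    "login", "princess", "qwertyuiop", "solo", "passw0rd", "starwars",
]
DENYLIST = set(WORST_25)

# Common leet-speak substitutions, so "P@ssw0rd" is recognised as "password".
LEET = str.maketrans("@$0134", "asolea")


def variants(pw: str) -> set[str]:
    """Forms of pw a denylist check should compare: case-folded, leet-reversed,
    and with leading/trailing digits or punctuation stripped ("password1!")."""
    base = pw.lower()
    stripped = base.strip(string.digits + string.punctuation)
    return {base, base.translate(LEET), stripped, stripped.translate(LEET)}


def is_common(pw: str) -> bool:
    return any(v in DENYLIST for v in variants(pw))


def check_password(pw: str, min_len: int = 12) -> list[str]:
    """Return the policy failures for a candidate password (empty list = accept)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_common(pw):
        problems.append("matches a common/stolen password")
    return problems


def generate_password(length: int = 20) -> str:
    """What a password manager does for you: a random password from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def crack_unsalted(hashes: dict[str, str], wordlist, algo: str = "sha1") -> dict[str, str]:
    """Dictionary attack on unsalted hashes: hash each candidate once and look
    every account up in the resulting table. Without a salt, one pass over the
    wordlist recovers every user who chose any of those passwords."""
    table = {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


# Constructed sample dump (not a real breach): four users, unsalted SHA-1.
SAMPLE_DUMP = {
    "alice": hashlib.sha1(b"123456").hexdigest(),
    "bob": hashlib.sha1(b"letmein").hexdigest(),
    "carol": hashlib.sha1(b"starwars").hexdigest(),
    "dave": hashlib.sha1(b"v7#Qp2!kLm9@Rz4$Wx").hexdigest(),  # not in the wordlist
}

if __name__ == "__main__":
    print("cracked:", crack_unsalted(SAMPLE_DUMP, WORST_25))
    for candidate in ["P@ssw0rd1!", "starwars", generate_password()]:
        print(repr(candidate), check_password(candidate) or "ok")
```

Three of the four constructed accounts fall to a single pass over the 25-word list; dave’s random password survives only because it is not on any list, which is exactly what a password manager buys you. Note that `variants()` catches `P@ssw0rd1!` as `password`, the kind of “clever” variant users reach for when a policy rejects the plain word.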

A strong password is all well and good, but, no matter how strong it is, a password is a single authentication factor: something you know. Once it becomes known to an attacker, it offers no barrier to access at all. This is why you need to combine it with a factor of a different kind, such as a one-time password generated by an authenticator app or hardware token (something you have). A secret question is just another thing you know, and often one that is guessable or a matter of public record, so it does not add a second factor. (Think of your bank card and PIN combination as an example: you need both the card and the number to withdraw cash at an ATM.)

You can read all about two-factor authentication in Two-Factor Authentication by Mark Stanislav, which provides a comprehensive evaluation of popular secondary authentication methods, such as:

  • Hardware-based OTP generation
  • SMS-based OTP delivery
  • Phone call-based mechanisms
  • Geolocation-aware authentication
  • Push notification-based authentication
  • Biometric authentication factors
  • Smart card verification

You can also listen to a short podcast in which Mark talks about his book.
