The most commonly hacked passwords are truly terrible

25 Jan 2017


Once again, ‘123456’ and ‘password’ top the list of terrible passwords, according to a 2016 study of leaks. Variations on the two make up seven of the top 10.

SplashData has revealed a troubling adherence to terrible passwords, after studying millions of leaked ones, with two types dominating the top 10.

Much like last year, the top two are ‘123456’ and ‘password’, though old favourites like ‘football’, ‘qwerty’ and ‘welcome’ are still featuring prominently.

In 2015, the re-emergence of Star Wars in popular culture brought a few entries onto the list, with ‘princess’ and ‘solo’ lasting through 2016.

Some of the more curious inclusions in this year’s list are ‘hottie’, ‘loveme’ and ‘flower’. Another is ‘zaq1zaq1’, which comes from the left column on standard keyboards, again demonstrating the importance of avoiding simple patterns.

“Making minor modifications to an easily guessable password does not make it secure, and hackers will take advantage of these tendencies,” said Morgan Slain, CEO of SplashData.

“Our hope is that by researching and putting out this list each year, people will realise how risky it is to use these common logins, and they will take steps to strengthen their passwords and use different passwords for different websites.”

However, people don’t seem to learn. The top two in the list have been constant for years. Last summer, news emerged of the 2012 LinkedIn hack, with ‘123456’ and ‘password’ only separated by ‘LinkedIn’ as the most common passwords accessed.

That analysis examined 167m passwords, rather than just SplashData’s pool of 5m. No matter how far out you extrapolate, the same ones emerge.

Last October, Amazon got in touch with account holders, advising users to update their passwords as rumours emerged of a potential hack.

Similarly in August, Dropbox revealed that it had been the subject of a hack, which eventually transpired to be larger than anyone previously imagined. Its opening gambit was a forced password reset of users.

But alas, people still create incredibly basic passwords.

The wonderful Have I Been Pwned? resource created by Troy Hunt is worth a gander if you suspect you might have been hacked.

SplashData’s 25 most common passwords of 2016 are:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. football
  6. qwerty
  7. 1234567890
  8. 1234567
  9. princess
  10. 1234
  11. login
  12. welcome
  13. solo
  14. abc123
  15. admin
  16. 121212
  17. flower
  18. passw0rd
  19. dragon
  20. sunshine
  21. master
  22. hottie
  23. loveme
  24. zaq1zaq1
  25. password1

Gordon Hunt was a journalist with Silicon Republic
