A password is defined as a "secret word or string of characters" that is used to authenticate identity and enable access to a resource. The emphasis is on the word secret, although 'unique' is equally important when it comes to password security. That is why the list of the most popular, and therefore worst, passwords used online this past year, as revealed by password management specialists SplashData this week, is particularly worrying. Well, it should be if your password is on the list anyway!
According to SplashData, the 25 worst passwords that you could be using include those insecure evergreens 'password' at number one and '123456' at number two in the chart of shame, followed by '12345678', which is almost as easy to guess but which, one assumes, is treated as the more secure option by those who don't know better. At number four in the list we find the bad password choice of 'qwerty' - yep, the first six letters on a keyboard, easy to remember and even easier for the bad guys to crack.
Mixing letters with numbers is always a good thing in terms of security, except when you use the likes of number five in the list which is, I kid you not, 'abc123'. At least number six is slightly less obvious; I mean, who would guess your password is 'monkey' after all? Erm, well, actually that bit of automated software which tries dictionary words would, and it would do so in a matter of a couple of seconds, as it is a very short dictionary word at that.
Number eight is a seven-character string which should by rights sit between the first and second entries, as it is '1234567'. The ninth most popular password is the first on the list to adopt another recommended approach to password construction: using phrases rather than single dictionary words. Unfortunately, 'letmein' comprises just three very short dictionary words run together, which pretty much every dictionary attack tool will stumble across in less time than it took me to type this sentence.
Number ten may look, at first glance, like something approaching a secure password, but it remains a poor and insecure choice by virtue of being included in the custom word lists of most password cracking tools. There's a certain irony in selecting 'trustno1' as your password, I admit, but not a great deal of security. The same can be said of 'passw0rd', which sits at 19 in the list and just replaces an O with a zero. It's more secure than using the number one choice of 'password', but only just, since cracking tools routinely try exactly that substitution. Other standout inclusions on the list were '111111', 'iloveyou', '654321' and, rather inappropriately under the circumstances, 'master'.
Where did SplashData get the information to compile such a list, you may be asking yourself? The company compiled it from files containing millions of stolen passwords that were posted online in underground hacking forums following successful data breaches during the year.
Andi Hindle, Director of International Business Development at security outfit Ping Identity, warns that there is "no such thing as an uncrackable password", adding that it is "possible to make a password that is so difficult to electronically guess that it would take an untold time". Of course, even if that untold time equates to millions of hours, those hours can be spread across thousands of machines running cracking software, and that, once again, introduces the element of risk if the bad guys think your data worth the effort and financial investment involved in breaking it.
Meanwhile, SplashData offers the following suggestions when it comes to improving your password security:

Use passwords of eight characters or more with mixed types of characters. One way to create longer, more secure passwords that are easy to remember is to use short words with spaces or other characters separating them. For example, "eat cake at 8!" or "car_park_city?"

Avoid using the same username/password combination for multiple websites. Especially risky is using the same password for entertainment sites that you do for online email, social networking, and financial services. Use different passwords for each new website or service you sign up for.

Having trouble remembering all those different passwords? Try using a password manager application that organizes and protects passwords and can automatically log you into websites.

Here's the full SplashData list of the 25 worst passwords of 2011:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football
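To show what a sign-up form can do with this list, here is an added example of a registration-time password screen. It is not SplashData's or Ping Identity's code. It applies the checks the article describes: the eight-character minimum, a blocklist of the 25 passwords above, undoing the letter-for-digit swap that turns 'passw0rd' back into 'password', rejecting keyboard walks like 'qwerty' and 'qazwsx', and rejecting strings that are nothing but short dictionary words run together like 'letmein'. The dictionary and keyboard rows are small constructed stand-ins; a real deployment would load a full word list.

```python
# Added example: a password screen built from the article's advice.
# Not SplashData's code; DICTIONARY and KEYBOARD_WALKS are constructed stand-ins.

MIN_LENGTH = 8  # SplashData's "eight characters or more"

# The 25 passwords exactly as listed in the article.
SPLASHDATA_2011 = [
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
]

# Substitutions that cracking rules undo before comparing ("passw0rd" -> "password").
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed stand-in for a real dictionary file.
DICTIONARY = {"let", "me", "in", "pass", "word", "trust", "no", "eat", "cake",
              "at", "car", "park", "city", "i", "love", "you", "sun", "shine",
              "foot", "ball", "base", "super", "man", "monkey"}

# Keyboard rows plus the column zig-zag that produces "qazwsx".
KEYBOARD_WALKS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                  "qazwsxedcrfvtgbyhnujmikolp"]


def normalize(pw: str) -> str:
    """Lower-case and undo digit-for-letter substitutions, as cracking rules do."""
    return pw.lower().translate(LEET_MAP)


# Compare against the normalized list so 'passw0rd' and 'password' are the same entry.
BLOCKLIST = {normalize(p) for p in SPLASHDATA_2011}


def dictionary_only(s: str) -> bool:
    """True if s can be split entirely into DICTIONARY words (e.g. let+me+in)."""
    ok = [True] + [False] * len(s)
    for i in range(1, len(s) + 1):
        ok[i] = any(ok[j] and s[j:i] in DICTIONARY for j in range(i))
    return ok[len(s)]


def is_keyboard_walk(pw: str) -> bool:
    """True if the whole password is a run along a keyboard row or column."""
    s = pw.lower()
    return len(s) >= 4 and any(s in row or s in row[::-1] for row in KEYBOARD_WALKS)


def assess(pw: str) -> list:
    """Return the reasons a password should be refused; an empty list means accepted."""
    reasons = []
    norm = normalize(pw)
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if norm in BLOCKLIST:
        reasons.append("on the SplashData 2011 list")
    if pw.isdigit():
        reasons.append("all digits")
    if is_keyboard_walk(pw):
        reasons.append("keyboard walk")
    # Only letters left after normalization and every letter belongs to a word:
    # a run-together phrase such as 'letmein', not a separated one like 'eat cake at 8!'.
    if norm.isalpha() and dictionary_only(norm):
        reasons.append("only dictionary words")
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "passw0rd", "letmein", "qazwsx",
                      "1234567", "eat cake at 8!", "car_park_city?"]:
        print(f"{candidate!r:18} -> {assess(candidate) or 'accepted'}")
```

The two SplashData passphrases pass every check because their separators keep them from being a single dictionary string, while 'passw0rd' is refused for the same two reasons as 'password' once the zero is normalized back to an O.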