Another year, another password list

Once again, Splashdata has published its list of the 100 most used passwords

…and it’s largely a case of “plus ça change, plus c’est la même chose” (the more things change, the more they stay the same). In the latest list, for 2018, “123456”, “qwerty”, “password” and other perennial favourites once again feature at or near the top.
What Splashdata do is analyse the passwords revealed in some of the data breaches of the previous year. So, the data is genuine, if somewhat culturally biased (“donald” makes a new appearance in 2018 – straight in at number 23, as Alan Freeman might have said).
You can find the full list of the 100 most “popular” (i.e. “worst”) passwords here. The “top 30” (pop pickers!) is listed below:
#001 – 123456
#002 – password
#003 – 123456789
#004 – 12345678
#005 – 12345
#006 – 111111
#007 – 1234567
#008 – sunshine
#009 – qwerty
#010 – iloveyou
#011 – princess
#012 – admin
#013 – welcome
#014 – 666666
#015 – abc123
#016 – football
#017 – 123123
#018 – monkey
#019 – 654321
#020 – !@#$%^&*
#021 – charlie
#022 – aa123456
#023 – donald
#024 – password1
#025 – qwerty123
#026 – zxcvbnm
#027 – 121212
#028 – bailey
#029 – freedom
#030 – shadow

I know that I’ve taken password security as the subject for this blog several times over the years and I make no apology for it. Lots of the problems that clients ask me to help with are in this area – whether it be email accounts that have been hacked because the password was so obvious, or passwords that have been “lost” because the user cannot remember which of several gerzillion variations of “fred123”, “Fred99”, “1Fred” they have used in any particular instance.

Perhaps password managers are the best way of dealing with the problem. Most of them not only store passwords but can also generate them. If you use such a program, though, you have to know that your data is backed up and secure and I don’t blame you if you do not wish to entrust your passwords to a file in the cloud!
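Both points above (the list of perennial favourites and the generate-and-store role of a password manager) are easy to turn into a small piece of working code. The following is an added example written for this post, not code from Splashdata or from any password manager. It embeds the top-30 list quoted above as a denylist, rejects a candidate password that matches an entry exactly, after case-folding, after a cheap trailing suffix (the “fred123” / “Fred99” pattern) has been stripped, or when reversed, and generates replacements with the operating system’s cryptographic random source. The function names, the suffix pattern and the sample candidates are this example’s own choices.

```python
import re
import secrets
import string
from typing import Optional, Set

# The top 30 entries of the Splashdata 2018 list, exactly as quoted in the post.
WORST_PASSWORDS_2018: Set[str] = {
    "123456", "password", "123456789", "12345678", "12345", "111111",
    "1234567", "sunshine", "qwerty", "iloveyou", "princess", "admin",
    "welcome", "666666", "abc123", "football", "123123", "monkey",
    "654321", "!@#$%^&*", "charlie", "aa123456", "donald", "password1",
    "qwerty123", "zxcvbnm", "121212", "bailey", "freedom", "shadow",
}

# Digits and punctuation bolted onto the end of a word ("Qwerty2019", "Monkey!").
# The character class is an assumption of this example, not a published rule.
_TRAILING_SUFFIX = re.compile(r"[0-9!@#$%^&*._-]+$")


def weak_password_reason(candidate: str,
                         denylist: Set[str] = WORST_PASSWORDS_2018) -> Optional[str]:
    """Return why a candidate is a known-bad password, or None if it passes.

    The checks are deliberately cheap: a denylist lookup is what a site should do
    at registration or password-change time, before any strength heuristics.
    """
    lowered = candidate.lower()

    # 1. The password itself, ignoring case ("Password1" == "password1").
    if lowered in denylist:
        return "exact match with a known-common password"

    # 2. A listed password with digits/symbols appended ("Qwerty2019" -> "qwerty").
    stripped = _TRAILING_SUFFIX.sub("", lowered)
    if stripped and stripped != lowered and stripped in denylist:
        return f"known-common password '{stripped}' with a trailing suffix"

    # 3. A listed password written backwards ("drowssap").
    if lowered[::-1] in denylist:
        return "reversal of a known-common password"

    return None


def generate_password(length: int = 16,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Generate a password the way a password manager does: from a CSPRNG.

    `secrets` draws from the OS random source; `random` would not be suitable here.
    The denylist re-check is belt and braces: the odds of a 16-character random
    string landing on the list are negligible, but the check costs nothing.
    """
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if weak_password_reason(candidate) is None:
            return candidate


if __name__ == "__main__":
    # Constructed sample candidates, not taken from any real account.
    for sample in ["123456", "Password1", "Qwerty2019", "drowssap",
                   "fred123", "correct horse battery staple"]:
        verdict = weak_password_reason(sample) or "not on the denylist"
        print(f"{sample!r:35} -> {verdict}")
    print("generated:", generate_password())
```

Note that “fred123” passes this particular check only because “fred” is not on the list; a real deployment would use a much larger breached-password corpus than these 30 entries, and would still treat the denylist as a floor rather than a measure of strength.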

So, what’s a simple way to use sufficiently unguessable passwords, that you can still access? Well, this may sound odd but my recommendation is to write them down. Lots of people will tell you this is unsafe, that a burglar will nick them. I’ve never ever heard of a burglar stealing a notebook of passwords. And it can’t be beyond most people’s wit to find somewhere accessible but discreet to keep such a notebook. I recommend recording the following information for each password:

  • Name of account or website where it is used
  • Name of the user (quite often an email address but still write it down)
  • The password
  • The date this record was created

If you change the password and keep a record of the previous one (and Google might ask you for this if you are trying to recover a Google account), then for goodness sake make it clear when each password was introduced. Another thing I see quite often is a client squinting at a piece of paper trying to work out which of several scribbled passwords might be the latest.

I have a feeling that the last time I blogged about this subject I promised not to do so again for a while, but it’s a new year and there’s a new list of bad passwords (albeit made up of mostly the same old villains), so I think it’s worth making a really tentative suggestion: if you’re a bit short of new year’s resolutions and want to have a clean start in just one area, then using strong, unique passwords, and managing them properly, wouldn’t be a bad improvement to make in 2019.

Happy New Year!