The only positive point to be drawn from 2013's list of the world's worst and easiest-to-hack passwords is that ‘password’ is no longer in the number-one spot.
But even that tiny glimmer of hope is extinguished immediately because ‘password’ is still alive and well and occupying the number-two spot, having been overtaken over the course of the past 12 months by ‘123456’.
The list, compiled by SplashData and drawn from passwords posted online following major web service hacks, such as the major breach at Adobe -- the company behind Photoshop -- highlights the risks consumers are still taking by choosing easy-to-remember rather than secure passwords.
Consumers may well be suffering from password fatigue -- the inability to keep creating and remembering more and more unique log-ins as the number of web services they use proliferates -- but that is still no excuse for using ‘qwerty’ (the fourth most common password) or ‘abc123’ (number five) to protect their most personal digital information.
Still, web users are not entirely to blame. Despite the ever-growing sophistication of hackers, many companies are not doing enough to force their users into using stronger passwords that feature a mix of characters, numbers and symbols.
"Another interesting aspect of this year's list is that more short numerical passwords showed up even though websites are starting to enforce stronger password policies," said Morgan Slain, CEO of SplashData. If sites were enforcing stricter password rules then it wouldn't be possible to set guessable passwords like ‘1234’ (number 16), ‘12345’ (at 20) or ‘000000’ (number 25) as log-ins.
Every time a site is hacked and the passwords exposed, those log-ins are added to existing password-cracking tools, making the next site even easier to hack. These tools search against lists of known log-ins and look for patterns that have already been discovered, such as taking a dictionary word and substituting numbers for its vowels.
SplashData advises using passwords of eight or more characters that contain a mix of upper- and lower-case letters, numbers and other characters, and making them as random, or seemingly random, as possible. One way of achieving this is to use a ‘pass phrase’, and security firm Sophos has made an excellent video here explaining how to do it.
Other steps users can take include activating two-factor authentication if a site supports it, and ensuring that, if you must reuse a password, it is never the one for your email account or online banking services.
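As an added illustration of the kind of enforcement the article says sites should apply (example code, not part of the original article), the check below rejects the passwords named above and simple digit-for-letter variants of them; the blocklist is constructed from the entries the article quotes, and the rules follow the advice in the paragraphs above.

```python
"""Password-policy check modelled on the article's advice.

KNOWN_BAD is constructed from the passwords the article names; a real
deployment would load a far larger list of leaked passwords instead.
"""
import re

# Constructed from the entries quoted in the article (not the full list).
KNOWN_BAD = {
    "123456", "password", "qwerty", "abc123", "1234", "12345",
    "000000", "123123",
}

# Common digit/symbol-for-letter substitutions that cracking tools already
# try, so a substituted variant of a known-bad password adds no real safety.
# (Simplified map: '1' is mapped to 'i' only.)
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s",
})


def normalise(password: str) -> str:
    """Undo simple substitutions and case so variants match the blocklist."""
    return password.lower().translate(LEET_MAP)


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if password.lower() in KNOWN_BAD:
        problems.append("appears on the known-bad list")
    elif normalise(password) in KNOWN_BAD:
        problems.append("is a simple substitution of a known-bad password")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd", "Blue-Kettle-42-sings"):
        print(candidate, "->", check_password(candidate) or "OK")
```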
The list of the 25 most common passwords in full
- 123123 Up 5