State of the Password: Bad, People Working on It
Yes, we know most passwords are lame, and we've known it for years. A look at the worst passwords of 2017 confirms the depressing reality:
- 123456
- password
- 12345678
- qwerty
- 12345
- 123456789
- letmein
- 1234567
- football
- iloveyou
This particular gallery of sad passwords comes from SplashData's seventh annual list of the 100 worst passwords. The 2017 list was based on 5 million passwords leaked in 2017, not including those from the Yahoo e-mail breach or from adult sites.
A few items on the list changed very little from previous lists by SplashData, a provider of password management software and services. The numeric entries are pretty similar; "123456" held the top spot last year. Only "123456789" is a new number in the Top 10, possibly due to more password-creation filters requiring more than eight characters. The password "password" retained the No. 2 spot.
Some of the new passwords conform to ideas that were in the air in 2017 -- "monkey," "starwars," "freedom" and "trustno1," for example. It's a useful reminder that while we may think of a password as clever in relation to our Dunbar's number of about 150 friends and acquaintances, they're probably not unique when it comes to the hundreds of millions of English-speaking Internet users. And standalone dictionary words -- as in, words not part of a passphrase -- are a password no-no, anyway.
Other entries in the top 100 reflect the utter frustration users have with being required to enter yet another password on yet another site. The entry "password" itself is partly an illustration of that, along with "whatever" and "blahblah." A new entry, "letmein," could be another. A quartet of profane passwords -- "f***you," "a**hole," "biteme," "pu**y" (asterisks mine) -- express that frustration in a pure, crass form.
As a matter of fact, nearly every password in the top 100 could arguably fit into the category of users saying, enough! "I have to create a user name and password to order this pizza? Fine: password." "I have to create a username/password to download this resource that might or might not have any value? Fine: 123456."
One study released in 2016 found that the average user had 27 discrete online log-ins. Others have put the number of accounts people have associated with individual e-mail addresses as high as 130.
While the SplashData list and others like it pull from the lowest-common-denominator passwords -- the ones where users did the absolute least they could do -- there are other reasons we're bad at passwords. For example, sites that don't tell you their password rules until they reject your first attempt. Sites that won't allow a passphrase of words separated by spaces. Sites that won't let you paste in the super-secure passwords generated by a password manager. It also doesn't help that the guy who came up with the rules for creating passwords now admits from retirement that he believes his suggestions were somewhat misguided.
What the list really points to is the fact that passwords are broken. Microsoft highlighted the issue with a long article on Dec. 26 about all the ways it's working to fix log-on processes by eliminating passwords. Components of the effort include Windows Hello (the identity technology built into Windows 10 for use with biometric sensors), the Microsoft Authenticator App, and the company's participation in the FIDO (Fast IDentity Online) Alliance developing open standards for authentication.
We'll watch those efforts with great interest throughout 2018. We'll have little hope that bad password lists will be less newsworthy by January 2019 or even January 2020.
Posted by Scott Bekker on 01/02/2018 at 11:31 AM