Bekker's Blog

Blog archive

State of the Password: Bad, People Working on It

Yes, we know most passwords are lame, and we've known it for years. A look at the worst passwords of 2017 confirms the depressing reality:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. letmein
  8. 1234567
  9. football
  10. iloveyou

This particular gallery of sad passwords comes from SplashData's seventh annual list of the 100 worst passwords. The 2017 list was based on 5 million passwords leaked in 2017, not including those from the Yahoo e-mail breach or from adult sites.

A few items on the list changed very little from previous lists by SplashData, a provider of password management software and services. The numeric entries are pretty similar; "123456" held the top spot last year. Only "123456789" is a new number in the Top 10, possibly due to more password-creation filters requiring more than eight characters. The password "password" retained the No. 2 spot.

Some of the new passwords conform to ideas that were in the air in 2017 -- "monkey," "starwars," "freedom" and "trustno1," for example. It's a useful reminder that while we may think of a password as clever in relation to our Dunbar's number of about 150 friends and acquaintances, they're probably not unique when it comes to the hundreds of millions of English-speaking Internet users. And standalone dictionary words -- as in, words not part of a passphrase -- are a password no-no, anyway.

Other entries in the top 100 reflect the utter frustration users have with being required to enter yet another password on yet another site. The entry "password" itself is partly an illustration of that, along with "whatever" and "blahblah." A new entry, "letmein," could be another. A quartet of profane passwords -- "f***you," "a**hole," "biteme," "pu**y" (asterisks mine) -- express that frustration in a pure, crass form.

As a matter of fact, nearly every password in the top 100 could arguably fit into the category of users saying, enough! "I have to create a user name and password to order this pizza? Fine: password." "I have to create a username/password to download this resource that might or might not have any value? Fine: 123456."

One study released in 2016 found that the average user had 27 discrete online log-ins. Others have put the number of accounts people have associated with individual e-mail addresses as high as 130.

While the SplashData list and others like it pull from the lowest-common-denominator passwords -- the ones where users did the absolute least they could do -- there are other reasons we're bad at passwords. For example, sites that don't tell you their password rules until they reject your first attempt. Sites that won't allow a passphrase of words separated by spaces. Sites that won't let you paste in the super-secure passwords generated by a password manager. It also doesn't help that the guy who came up with the rules for creating passwords now admits from retirement that he believes his suggestions were somewhat misguided.

What the list really points to is the fact that passwords are broken. Microsoft highlighted the issue with a long article on Dec. 26 about all the ways it's working to fix log-on processes by eliminating passwords. Components of the effort include Windows Hello (the identity technology built into Windows 10 for use with biometric sensors), the Microsoft Authenticator App, and the company's participation in the FIDO (Fast IDentity Online) Alliance developing open standards for authentication.

We'll watch those efforts with great interest throughout 2018. We'll have little hope that bad password lists will be less newsworthy by January 2019 or even January 2020.

Posted by Scott Bekker on 01/02/2018 at 11:31 AM


  • What Does Office 365 Support for New Surface Hardware Actually Mean?

    Microsoft has spilled a lot of ink touting the ways that its new Surface-branded peripherals will be bring Office 365 features to life.

  • Azure Active Directory ID Protection 'Refresh' Now Available

    Microsoft's enhancements to the Azure Active Directory Identity Protection service are now said to be "generally available" (GA), or ready for commercial use, per a Wednesday announcement.

  • Microsoft Releases Windows 10 Version 1909

    Microsoft on Tuesday announced the release of Windows 10 version 1909, a new operating system product that's also known as the "Windows 10 November 2019 Update."

  • November Microsoft Security Bundle Addresses 75 Vulnerabilities

    Of that number, 13 vulnerabilities are rated "Critical" to patch, while 62 vulnerabilities are deemed "Important."

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.