By Joshua Belk, Black Kite Security Team

Every year these lists are published, and for good reason: many people don’t take the time to change default settings, or simply reuse the same password for everything. These are the Top 25 Worst Passwords of 2018, based on over 5 million leaked passwords.[1] Protect your data by avoiding them. If your password is on the list, it’s time to change it.

Worst Passwords of 2018

  1. 123456
  2. password
  3. 123456789
  4. 12345678
  5. 12345
  6. 111111
  7. 1234567
  8. Sunshine
  9. Qwerty
  10. Iloveyou
  11. Princess
  12. Admin
  13. Welcome
  14. 666666
  15. abc123
  16. football
  17. 123123
  18. Monkey
  19. 654321
  20. !@#$%^&*
  21. Charlie
  22. aa123456
  23. Donald
  24. password1
  25. qwerty123

Passwords remain a security issue because they are part of the identity and authentication process used to protect information. User behavior and human nature lend themselves to poorly crafted passwords. Let’s face it, entering a 20-character password every time your computer locks isn’t the definition of convenience. Criminals and their tools understand these tendencies and exploit them. A well-known password-cracking tool, John the Ripper, lets an attacker try every word in a dictionary, including foreign-language dictionaries, plus commonly used examples like those from the list above.

It’s Time To Change Your Password – Worst Passwords of 2018

While your office may have rules about how often you must change your password or how complex it needs to be (and great job to those security teams), many of us still don’t apply those same rules at home or on our personal devices. Pause for a moment and consider how many applications or websites you’re logged into at any moment. A breach in any one of them could be the downfall of many other accounts. Most hackers and criminals are looking to profit from your information, but the damage to your data, finances, and daily routine can be devastating. What really makes a good password anyway? Complexity by itself isn’t enough; the best passwords are also difficult to guess. Too many times, I’ve seen passwords that consist of a home address, a child’s or spouse’s birth date, a favorite color (87% of people choose blue, by the way), a favorite pet’s name, etc. These bits of information are easy to find, connect and exploit through social media or other platforms where most people display prominent details about their daily lives.

In the most technical sense, passwords are one part of a greater set of access control measures. Most sites require credentials, which you know as a user name and password, and sometimes you also get a validation email or text code that authenticates that you are who you say you are. The password remains the weak link in the chain: email addresses are typically static and easy to guess, but they aren’t always used as the user name/ID, while randomly generated codes are just that, random, which makes them difficult to exploit. Two-factor authentication is a standard way to help mitigate password compromise, but it isn’t always practical, and its adoption in our personal lives is still very low.

Ultimately, though, good password practices can be difficult to implement effectively at the end-user level. Complex passwords with expirations tempt people to write those passwords down somewhere. Consider the use of a good password manager. One of the biggest threats from a password perspective is credential stuffing, where a bad actor obtains leaked credentials from a compromised site, then uses those credentials to attempt logins at other sites. If every account you have uses a different password, then only the account with the original leaked credential is at risk.

On important accounts you should also turn on MFA (multi-factor authentication). This is another good deterrent to the credential stuffing problem. Microsoft has recently proposed that password expiration be dropped as a requirement. Consider that if you use unique passwords for every site, passwords that are sufficiently long and complex, along with a password management tool and MFA on important accounts, then there really would be no need for those passwords to expire.

Generally, good password management requires frequent changes of passwords and enforcement of quality passwords of at least eight characters. Passwords with fewer than eight characters are often defeated by cracking tools in less than five minutes. Educating employees and users is a constant struggle but is still worth the effort. Experts recommend the following practices to employ and to avoid:

Good Password Practices

  • Use pass-phrases or complex passwords with more than 8 characters (complex passwords include the following)
    • Randomize the use of capital and lowercase characters
    • Use special symbols such as #, &, %, $
    • Include a number in your password
  • Change passwords every 6 months and anytime you suspect a potential compromise
  • Educate employees & family members
  • Change the default password for devices and accounts
  • Consider the use of password managers

Bad Password Practices

  • Don’t use “password” or any variant of it such as “passw0rd” as your password, nor any of the worst passwords listed above
  • Don’t use common information that can be easily guessed (such as first/middle/last names or birthdays)
  • Don’t use the same password for multiple accounts (admin and user accounts need different passwords; HR and Financial records systems need different passwords, too)
  • Don’t write down passwords and leave them in easy-to-find places (like under your keyboard)
  • Don’t share passwords with untrusted sites, sources or personnel
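The rules in both lists above can be enforced automatically. The following is an added example (not code from the original post or from Black Kite) of a policy checker that rejects the Top 25 entries and simple variants of them (trailing digits, leetspeak such as “passw0rd”), flags personal information, and requires either a multi-word pass-phrase or an 8-character-plus password with mixed case, a digit and a symbol; the 16-character pass-phrase threshold is an assumption, as are the sample passwords.

```python
import re

# The Top 25 from the list above, lowercased; comparisons are case-insensitive.
WORST_PASSWORDS_2018 = {
    "123456", "password", "123456789", "12345678", "12345", "111111",
    "1234567", "sunshine", "qwerty", "iloveyou", "princess", "admin",
    "welcome", "666666", "abc123", "football", "123123", "monkey",
    "654321", "!@#$%^&*", "charlie", "aa123456", "donald", "password1",
    "qwerty123",
}
# Common character swaps, so "passw0rd" and "P@ssw0rd" are treated as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 8          # "at least eight characters" from the text
PASSPHRASE_LENGTH = 16  # assumed threshold for the pass-phrase alternative


def _forms(pw):
    """Variants of pw that are compared against the block list."""
    lowered = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)  # "Monkey2018!" -> "monkey"
    return {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}


def check_password(pw, personal_info=()):
    """Return a list of rule violations; an empty list means pw is acceptable.

    personal_info: strings such as names or birth years that must not appear in pw.
    """
    problems = []
    if _forms(pw) & WORST_PASSWORDS_2018:
        problems.append("matches a worst-password entry or a simple variant of one")
    lowered = pw.lower()
    for token in personal_info:
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains personal information: {token!r}")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Accept either a long multi-word pass-phrase or a password using all four classes.
    is_passphrase = len(pw) >= PASSPHRASE_LENGTH and len(pw.split()) >= 3
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if not is_passphrase and not all(classes):
        problems.append("not a pass-phrase and missing upper/lower/digit/symbol mix")
    return problems


if __name__ == "__main__":
    # Constructed samples; "Joshua" stands in for information found on social media.
    for sample in ["123456", "P@ssw0rd", "Monkey2018!", "Joshua1990!",
                   "correct horse battery staple", "Tr0ub4dor&3"]:
        print(f"{sample!r}: {check_password(sample, ('Joshua', '1990')) or 'OK'}")
```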

[1] SplashData (2018)