You should not be using these passwords

When it comes to the password selection process, you are usually only restrained by the limitations imposed to you by the service you are creating an account for.

Some may have very strict but insecure rules, like enforcing 4 digit passwords only, while others may only limit the lower character limit (six or more), upper character limit (no more than 12), and a third kind may require that you pick at least a special character and a number.

Most password selection rules are not designed to enforce the use of secure passwords, but to make the password selection process convenient for the user to avoid users leaving in frustration if their password selections are rejected for being too insecure, and to avoid servers being hammered with password reset requests.

Bad Passwords

SplashData released its annual "worst passwords list" yesterday highlighting the "most commonly used passwords".It compiles the list from leaked password during the year which means that the passwords could have been created earlier and not necessarily in 2015.

Without further ado, here it is.

• 123456
• password
• 12345678
• qwerty
• 12345
• 123456789
• football
• 1234
• 1234567
• baseball
• welcome (new)
• 1234567890 (new)
• abc123
• 111111
• 1qaz2wsx (new)
• dragon
• master
• monkey
• letmein
• login (new)
• princess (new)
• qwertyuiop (new)
• solo (new)
• passw0rd (new)
• starwars (new)

As you can see from the listing, most of the selected passwords are as basic as they can get as they are either basic words, numbers, or use a combination of characters that are easily detectable as a pattern on the keyboard.

The main issue here is not only that these passwords are insecure, but also that they are found in nearly any brute forcing dictionary out there.

In fact, most of these passwords have been in dictionary files twenty years ago.

The new entries to the list are as insecure as the old ones. All have in common that they are easy to type, but that is the only benefit as they leave the account wide open for attackers.

Better passwords

Probably the best advice that one can give to Internet users who select weak passwords is to start using a password manager that assists them in selecting secure unique passwords for every Internet service and application they use.

If that is out of the question, the following policies should be followed:

1. Use a lot of characters (12 at least, better a lot more).
2. Mix letters, numbers, upper- and lowercase, special characters.
3. Don't pick dictionary words (football) or pop culture (Star Wars), and don't substitute common characters with each other (e.g. o and 0, e and 3, l and 1).
4. Use unique passwords.

Now You: How secure are your passwords?