It is the end of 2018 and we have learned nothing from the massive Facebook and Marriott data leaks and numerous other hacks. California-based password-management company SplashData released its 2018 100 worst passwords based on 5 million leaked passwords on the internet.
Few people have switched things up. People continue to use the same hacked passwords time and time again. Topping the list of terrible passwords were “123456789” at No. 3, “password” at No. 2, and “123456” at No. 1. 2018 marked the fifth-straight year that “123456” and “password” kept their top two spots on the SlashData list.
1. 123456
2. password
3. 1
23456789
4. 12345678
5. 12345
6. 111111
7. 1234567
8. sunshine
9. qwerty
10. iloveyou
There are only 2 new entries in the 10 worst passwords, the highly unsecure “111111” at number 6 and “sunshine” at number 8.
SplashData estimates 10% of people have used at least one of the 25 worst passwords on this year’s list, with roughly 3% of internet users rely on the worst password, “123456.”
Don’t congratulate yourself yet if your passwords didn’t make SlpashData’s top 10 most used and least secure passwords of 2018. Check out the rest of SplashData’s list of 100 worst passwords. If your password made the worst 100 worst passwords list this year, you should change it.
rb-
Password advice has changed about as quickly as people’s passwords – NOT MUCH but worth repeating …..
Use passphrases of twelve characters or more with mixed types of characters.- Use different passphrases for each account. if a hacker gets access to one of your passwords, they will not be able to use it to use other sites and you only have to change that password instead of 50 of them,
- Use a password manager to generate and store your passwords and automatically log into websites.
- Set up two-factor authentication, especially when it’s generated on a phone app like Google Authenticator or on a small hardware device like Yubikey, can add an extra layer of security.
Imperva points out that 5% of all successful attacks are using brute force to guess a user or an administrator password. Brute force attacks do this with repeated login attempts using every possible letter, number, and character combination to guess a password.
Because most individuals have many accounts and many passwords, people tend to repeatedly use a few simple passwords. This leaves them exposed to brute force attacks. Email accounts protected by weak passwords are particularly valuable to hackers. They may be connected to additional accounts, and can also be used to restore passwords.
Attackers use specialized hardware to perform efficiently guess user passwords. Cryptocurrency mining rigs with graphics processing units (GPUs) and application-specific integrated circuits (ASICs) can be very effective in quick repetitive tasks like password guessing.
Imperva recommends a number of steps that an administrator can take to protect users from brute force password cracking:
- Lockout policy—you can lock accounts after several failed login attempts and then unlock it as the administrator.
- Progressive delays—you can lockout accounts for a limited amount of time after failed login attempts. Each attempt makes the delay longer.
- Captcha—tools like reCAPTCHA require users to complete simple tasks to log into a system. Users can easily complete these tasks while brute force tools cannot.
- Requiring strong passwords—you can force users to define long and complex passwords.
- Two-factor authentication—you can use multiple factors to authenticate identity and grant access to accounts.
Related articles
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.