Tag Archive for SplashData

Stop Using These Passwords Now

The annual list of the worst passwords is out. People are lazy and still use the same old compromised passwords. Not much has changed since 2018, 2017, or 2016. SplashData’s 9th annual list of worst passwords looked at 5 million passwords that were leaked in various data breaches in 2019 and found that 123456 is still the most frequently used password.

Some other interesting password factoids from the survey include:

  • password has been knocked out of the top two spots for the first time in the list’s history.
  • Simple patterns using contiguous keys on the keyboard like 1q2w3e4r, qwertyuiop, and !@#$%^&* are new for 2019. They may seem complex but will not fool attackers.
  • QWERTY is a big mover in 2019. qwerty moved up 6 places to #3 in 2019 and qwerty123 moved up 13 spots to #13 in 2019.
  • After making its debut on the 2018 annual list, “donald” fell to #34 on the list of the most dangerous passwords to use.
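
| Rank | Password | Change |
| --- | --- | --- |
| 1 | 123456 | Rank unchanged from 2018 |
| 2 | 123456789 | Up 1 |
| 3 | qwerty | Up 6 |
| 4 | password | Down 2 |
| 5 | 1234567 | Up 2 |
| 6 | 12345678 | Down 2 |
| 7 | 12345 | Down 2 |
| 8 | iloveyou | Up 2 |
| 9 | 111111 | Down 3 |
| 10 | 123123 | Up 7 |
| 11 | abc123 | Up 4 |
| 12 | qwerty123 | Up 13 |
| 13 | 1q2w3e4r | New |
| 14 | admin | Down 2 |
| 15 | qwertyuiop | New |
| 16 | 654321 | Up 3 |
| 17 | 555555 | New |
| 18 | lovely | New |
| 19 | 7777777 | New |
| 20 | welcome | Down 7 |
| 21 | 888888 | New |
| 22 | princess | Down 11 |
| 23 | dragon | New |
| 24 | password1 | Unchanged |
| 25 | 123qwe | New |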

Morgan Slain, CEO of SplashData, told Gizmodo,

Our hope … is to convince people to take steps to protect themselves online, and we think these and other efforts are finally starting to pay off. We can tell that over the years people have begun moving toward more complex passwords, though they are still not going far enough as hackers can figure out simple alphanumeric patterns.

rb-

So how can you keep your online personal information safe?

  1. Make sure none of your passwords are on SplashData’s worst passwords of the year list. If they are, log on and change them immediately. See the full 100 worst passwords on SplashData’s site.
  2. Use two-factor authentication whenever possible. Even if a hacker has your password, they won’t have that random code and therefore won’t be able to get into your account. Not sure whether your favorite website supports two-factor authentication? Search the Two Factor Auth List to find out.
  3. Consider a password manager. Your brain is no longer an adequate password manager. SplashData makes several password managers, SplashID, TeamsID, and Gpass, depending on your needs.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

The 10 Worst Passwords of 2018

It is the end of 2018 and we have learned nothing from the massive Facebook and Marriott data leaks and numerous other hacks. California-based password-management company SplashData released its 2018 100 worst passwords based on 5 million leaked passwords on the internet.

Few people have switched things up. People continue to use the same hacked passwords time and time again. Topping the list of terrible passwords were “123456789” at No. 3, “password” at No. 2, and “123456” at No. 1. 2018 marked the fifth-straight year that “123456” and “password” kept their top two spots on the SplashData list.

1. 123456
2. password
3. 123456789
4. 12345678
5. 12345
6. 111111
7. 1234567
8. sunshine
9. qwerty
10. iloveyou

There are only 2 new entries in the 10 worst passwords: the highly insecure “111111” at number 6 and “sunshine” at number 8.

SplashData estimates 10% of people have used at least one of the 25 worst passwords on this year’s list, and roughly 3% of internet users rely on the worst password, “123456.”

Don’t congratulate yourself yet if your passwords didn’t make SplashData’s top 10 most used and least secure passwords of 2018. Check out the rest of SplashData’s list of 100 worst passwords. If your password made the 100 worst passwords list this year, you should change it.

rb-

Password advice has changed about as quickly as people’s passwords – NOT MUCH but worth repeating …..

  • Use passphrases of twelve characters or more with mixed types of characters.
  • Use different passphrases for each account. If a hacker gets access to one of your passwords, they will not be able to use it on other sites, and you only have to change that password instead of 50 of them.
  • Use a password manager to generate and store your passwords and automatically log into websites.
  • Set up two-factor authentication; it adds an extra layer of security, especially when the code is generated by a phone app like Google Authenticator or a small hardware device like Yubikey.

Imperva points out that 5% of all successful attacks are using brute force to guess a user or an administrator password. Brute force attacks do this with repeated login attempts using every possible letter, number, and character combination to guess a password.

Because most individuals have many accounts and many passwords, people tend to repeatedly use a few simple passwords. This leaves them exposed to brute force attacks. Email accounts protected by weak passwords are particularly valuable to hackers. They may be connected to additional accounts, and can also be used to restore passwords.

Attackers use specialized hardware to guess user passwords efficiently. Cryptocurrency mining rigs with graphics processing units (GPUs) and application-specific integrated circuits (ASICs) can be very effective in quick repetitive tasks like password guessing.

Imperva recommends a number of steps that an administrator can take to protect users from brute force password cracking:

  • Lockout policy—you can lock accounts after several failed login attempts and then unlock them as the administrator.
  • Progressive delays—you can lock out accounts for a limited amount of time after failed login attempts. Each attempt makes the delay longer.
  • Captcha—tools like reCAPTCHA require users to complete simple tasks to log into a system. Users can easily complete these tasks while brute force tools cannot.
  • Requiring strong passwords—you can force users to define long and complex passwords.
  • Two-factor authentication—you can use multiple factors to authenticate identity and grant access to accounts.
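
The lockout and progressive-delay items above, sketched as an added example (not code from Imperva or from this post). The class name, the 2-second base delay, the 15-minute cap and the lock threshold are assumptions chosen for illustration:

```python
import math


class LoginThrottle:
    """Per-account failed-login tracking: growing delays, then a hard lock."""

    def __init__(self, base_delay=2.0, max_delay=900.0, lock_after=10):
        self.base_delay = base_delay    # delay after the first failure (seconds)
        self.max_delay = max_delay      # ceiling for the temporary delay
        self.lock_after = lock_after    # failures before an admin must unlock
        self._state = {}                # account -> (failures, not_before)

    def wait_time(self, account, now):
        """Seconds until the next attempt is accepted (inf means locked)."""
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - now)

    def record_failure(self, account, now):
        failures = self._state.get(account, (0, 0.0))[0] + 1
        if failures >= self.lock_after:
            not_before = math.inf       # lockout policy: admin unlock only
        else:                           # progressive delay: doubles each time
            delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
            not_before = now + delay
        self._state[account] = (failures, not_before)

    def record_success(self, account):
        self._state.pop(account, None)  # a good login clears the counter

    admin_unlock = record_success       # the administrator clears it the same way


def simulate(throttle, account, attempts, start=0.0):
    """Replay consecutive wrong guesses; return the wait imposed after each."""
    now, waits = start, []
    for _ in range(attempts):
        now += throttle.wait_time(account, now)  # client waits out the delay
        throttle.record_failure(account, now)
        waits.append(throttle.wait_time(account, now))
        if math.isinf(waits[-1]):
            break                       # locked: no further attempts accepted
    return waits
```

Because a hard lock can also be triggered on purpose against someone else's account, the temporary delays come first here and the permanent lock sits behind a higher failure count.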

Worst Passwords – 2017

Today is “Safer Internet Day” which is needed. Despite the spate of well-publicized hacks, attacks, ransoms, and even extortion attempts, millions of people continue to use weak, easily guessable passwords to protect their online information. SplashData, provider of password management applications, has released its annual Worst Passwords of the Year (NSFW) list. The seventh annual report was compiled from more than five million passwords leaked during 2017.

For the fourth consecutive year, “123456” and “password” held on to the number 1 and #2 spots on the SplashData list. Variations of each, either with extra digits on the numerical string or replacing the “o” with a “0” in “password,” make up six of the top 10 most often used passwords. Morgan Slain, CEO of SplashData warns, “Hackers know your tricks, and merely tweaking an easily guessable password does not make it secure.”

Star Wars is popular

Star Wars fans were so excited by the recent premiere of “Star Wars: The Last Jedi” that they moved “starwars” up to #16 on the most frequently used bad passwords list. SplashData’s Slain observed that it is not a good password.

Unfortunately, while the newest episode may be a fantastic addition to the Star Wars franchise, ‘starwars’ is a dangerous password to use … Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words.

Another problem with many of these bad passwords is that they are simply a straight row of characters across the keyboard, making them easy for attackers to guess. Pattern passwords in the bad list include:

  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • qwerty
  • qazwsx
  • 1qaz2wsx

SplashData’s 25 worst passwords of 2017:

1 – 123456
2 – password
3 – 12345678
4 – qwerty
5 – 12345
6 – 123456789
7 – letmein
8 – 1234567
9 – football
10 – iloveyou
11 – admin
12 – welcome
13 – monkey
14 – login
15 – abc123
16 – starwars
17 – 123123
18 – dragon
19 – passw0rd
20 – master
21 – hello
22 – freedom
23 – whatever
24 – qazwsx
25 – trustno1

SplashData estimates almost 10% of people have used at least one of the 25 worst passwords on this year’s list, and nearly 3% of people have used the worst password, 123456.

SplashData offers these tips to be safer from hackers online:

1. Use passphrases of twelve characters or more with mixed types of characters including upper and lower cases.
2. Use a different password for each of your website logins. If a hacker gets your password they will try it to access other sites.
3. Protect your assets and personal identity by using a password manager to organize passwords, generate secure random passwords, and automatically log into websites.

rb-

Sighs – I covered this again and again ……

One older report I’ve seen says that attackers were able to crack open 254,776 of 499,556 (51%) hashed passwords within 24 hours and 439,610 (88%) within two weeks. The same report says that it can only take one day to crack an eight-character password, while it takes an average of 591 days to crack a 10-character password.

Another report on password hacks points out the value of each additional character in a password.

  • A 6-character password with only letters has 308,915,776 possible combinations.
  • An 8-character password with only letters has 208,827,064,576 possible combinations.
  • An 8-character password with letters (upper & lower case), numbers, and symbols has 6,095,689,385,410,816 possible combinations.


2015’s Worst Passwords

Followers of Bach Seat know that passwords suck. For even more proof that passwords suck, the password-management company SplashData released its fifth annual list of the most popular passwords. SplashData studied more than 2 million passwords that were leaked in 2015 and identified the most commonly leaked passwords and those that were least secure from Western European and North American users, according to Business Insider.

2015’s worst passwords

Most of the 2015 results are not surprising.

  • 123456 is the most common password. It has been #1 since 2013.
  • Password is the second most common password. It too has been #2 since 2013. Password was the most common password in 2012 and 2011.
  • 12345678 is the third most common password found in the SplashData results. In fact, 12345678 has been the most consistent performer, having been in the #3 place four of the past five years.

One surprise was that the Disney marketing machine was able to get Star Wars related terms into the top 25 worst passwords in 2015.

  1. princess
  2. solo
  3. starwars

Here’s SplashData’s full list. If your password is on here, think about changing it.

25 Worst passwords

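| Rank | 2015 | 2014 | 2013 | 2012 | 2011 |
| --- | --- | --- | --- | --- | --- |
| 1 | 123456 | 123456 | 123456 | password | password |
| 2 | password | password | password | 123456 | 123456 |
| 3 | 12345678 | 12345 | 12345678 | 12345678 | 12345678 |
| 4 | qwerty | 12345678 | qwerty | 1234 | qwerty |
| 5 | 12345 | qwerty | abc123 | qwerty | abc123 |
| 6 | 123456789 | 123456789 | 123456789 | 12345 | monkey |
| 7 | football | 1234 | 111111 | dragon | 1234567 |
| 8 | 1234 | baseball | 1234567 | pussy | letmein |
| 9 | 1234567 | dragon | iloveyou | baseball | trustno1 |
| 10 | baseball | football | adobe123 | football | dragon |
| 11 | welcome | 1234567 | 123123 | letmein | baseball |
| 12 | 1234567890 | monkey | admin | monkey | 111111 |
| 13 | abc123 | letmein | 1234567890 | 696969 | iloveyou |
| 14 | 111111 | abc123 | letmein | abc123 | master |
| 15 | 1qaz2wsx | 111111 | photoshop | mustang | sunshine |
| 16 | dragon | mustang | 1234 | michael | ashley |
| 17 | master | access | monkey | shadow | bailey |
| 18 | monkey | shadow | shadow | master | passw0rd |
| 19 | letmein | master | sunshine | jennifer | shadow |
| 20 | login | michael | 12345 | 111111 | 123123 |
| 21 | princess | superman | password1 | 2000 | 654321 |
| 22 | qwertyuiop | 696969 | princess | jordan | superman |
| 23 | solo | 123123 | azerty | superman | qazwsx |
| 24 | passw0rd | batman | trustno1 | harley | michael |
| 25 | starwars | trustno1 | 000000 | 1234567 | football |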

 

Protect yourself

To keep your passwords secure, you definitely shouldn’t use any of the passwords on the list.

SplashData offers three simple tips to help people protect themselves:

  1. Use passwords or passphrases of twelve characters or more with mixed types of characters;
  2. Avoid using the same password over and over on different websites;
  3. Use a password manager such as SplashID to organize and protect passwords, generate random passwords, and automatically log into websites.

rb-

What to do if you are responsible for securing systems where your users use these passwords? Stop Them!

This is what makes passwords suck – Implement complexity rules:

  • Minimum of 8 characters
  • A mix of characters, UPPER CASE, lower case, numbers, and special characters.
  • Prevent reusing passwords
  • Blacklist all the above passwords so they can never be used again.
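
The four rules above as one check, added here as an example (not the author's or SplashData's code). The function names, the character-swap table and the short blocklist sample drawn from the lists on this page are assumptions; a real deployment would load the full list:

```python
import hashlib
import hmac
import os

# Constructed sample: a few entries taken from the lists on this page.
BLOCKLIST = {"123456", "password", "12345678", "qwerty", "1qaz2wsx",
             "qwertyuiop", "!@#$%^&*", "starwars", "princess", "letmein"}
# Assumed swap table: undo common substitutions so "Passw0rd" matches "password".
SWAPS = str.maketrans("0134578@$!", "oieastbasi")


def hash_pw(pw, salt=None):
    """Salted PBKDF2 digest, so the password history never stores plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def violations(pw, history=()):
    """Return the rules a candidate password breaks; empty list = accepted."""
    out = []
    if len(pw) < 8:
        out.append("shorter than 8 characters")
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    if not all(classes):
        out.append("missing a character class")
    lowered = pw.lower()
    if lowered in BLOCKLIST or lowered.translate(SWAPS) in BLOCKLIST:
        out.append("on the blocklist")
    for salt, digest in history:  # history holds (salt, digest) pairs
        if hmac.compare_digest(hash_pw(pw, salt)[1], digest):
            out.append("reused from password history")
            break
    return out
```

The keyboard run `!@#$%^&*` is rejected here only because it is on the list, and `Passw0rd` only because the swap table maps it back to `password`.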