The top 25 passwords for 2015 have been revealed, proving that we still haven't learnt very much about securing our online accounts.
The yearly list is compiled by SplashData, and consists of all the millions of stolen passwords made public throughout the last twelve months. This year the results are based on over two million leaked passwords.
The slapdash passwords might come as a shock to many considering that it's more than 50 years since the invention of the computer password, and stories of hacks and data breaches pepper the news headlines on an almost weekly basis.
This year's list will have security professionals swearing under their breaths as such classics as '123456' and 'password' remain in the top spots for the second year running.
> See also: Are Millennials more careless with passwords?
The rest of the list isn't much better, with sports-related passwords still making the top ten. Others such as 'login' (20) and 'letmein' (19) might be more indictative of lazy staff or IT admins not changing their default network passwords, while the only real difference from previous years is the influence of the Disney marketing machine, with 'Star Wars' and 'solo' making the 25 and 23 spots respectively.
The top ten passwords were:
- 123456 (Unchanged)
- password (Unchanged)
- 12345678 (Up 1)
- qwerty (Up 1)
- 12345 (Down 2)
- 123456789 (Unchanged)
- football (Up 3)
- 1234 (Down 1)
- 1234567 (Up 2)
- baseball (Down 2)
It's an amusing read. But can we really afford to be this lazy? Javvad Malik, Security Advocate at AlienVault, explains that the reason why these common passwords are so dangerous is that it gives an attacker an easy way to get into accounts, much like having a master key that you know will work on 10% of houses in your street.
'So rather than having to run a brute force against accounts – trying millions of password combinations to try and get in – I can take a small set of 25 or 50 passwords and try them against all the accounts,' says Malik. 'I'll not only have a high success rate in getting in – but it's more than likely that the same passwords would have been used across different websites.'
'This then becomes particularly dangerous as an attacker could take control of your Facebook, Twitter, email, banking – effectively your entire digital identity with relative ease.'
Beyond illustrating the obvious: that people are still terrible at choosing and remembering passwords, Gavin Millard, technical director EMEa at Tenable Network Security, thinks it shows a change in attitude is urgently needed.
> See also: Why bad passwords aren't the problem – it's the people who make them
'Irrelevant of what usual suspects make up the top 25, the fact that a list is still compilable in 2016 is a reflection on the apathetic approach many users take to securing their information online,' says Millard. 'Individual passwords should either be created using a recipe per site, an automated tool like a password manager or by using a suggested password by the browser.'
To reduce the risk of data loss, Millard advises that organisations enforce password best practices (length, strength, complexity), educate users on the importance of credential management, and roll out two factor authentication where applicable to ensure employees can’t use poor passwords on corporate resources.
So let's hope this year was the final year for this list.