Despite having been predicted many times, the demise of the password as the preferred authentication method is still far off, as it’s difficult to beat its ease of use.
Short, predictable, easy to guess passwords persist
According to Keeper Security’s analysis of 10 million passwords leaked in 2016, four of the top 10 passwords on the list are six characters or shorter, and at the top of the list are those perennial favorites: “123456” (chosen by 17 percent of users), “123456789”, and “qwerty”.
“111111” occupies the fifth place, and “password” the eighth. Some users do try to use unpredictable passwords, but unfortunately choose easily guessable patterns as a basis (e.g. “123qwe”).
Also, if my experience and that of my immediate circle can be considered representative, many users pick weak passwords that are easy to remember and easy to guess for accounts they regard as unimportant. Microsoft and Carleton University researchers noted the same practice a few years ago, when they set out to offer evidence-based guidance on choosing good passwords.
The list also contains two curious entries: “18atcskd2w” and “3rjs1la7qe”. Graham Cluley posits those are used by bots when creating accounts for spamming and phishing.
“Email providers could do everyone a favor by flagging this kind of repetition and reporting the guilty parties,” Keeper Security researchers pointed out.
They offered some good pointers on choosing stronger passwords, but this and other similar lists show that user education has limits.
“While it’s important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves,” they noted. “IT administrators and website operators must do the job for them.”
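One way a site operator could do that job server-side, as an added example that is not code from Keeper Security's report or from this article: a registration-time check that rejects the kinds of passwords the list above is full of (known-leaked entries, single repeated characters, sequential runs and keyboard-row walks). The blocklist is constructed from the entries named above, and the minimum length of 8 is an assumed policy value, not a figure from the article.

```python
# Constructed sample blocklist built from the leaked passwords named in the article.
# A real deployment would load a far larger list of known-leaked passwords.
BLOCKLIST = {"123456", "123456789", "qwerty", "111111", "password", "123qwe"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 8  # assumed policy value, not from the article
SUFFIX_CHARS = "0123456789!@#$%^&*"  # trailing padding users bolt onto a weak base


def _is_sequential(s: str) -> bool:
    """True if every character steps +1 or -1 in code point, e.g. 'abcdef' or '654321'."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def _contains_keyboard_walk(s: str, run: int = 4) -> bool:
    """True if s contains `run` adjacent keys from one keyboard row, forwards or backwards."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            frag = row[i:i + run]
            if frag in s or frag[::-1] in s:
                return True
    return False


def check_password(pw: str) -> list[str]:
    """Return the reasons a candidate password is rejected; an empty list means it passes."""
    p = pw.lower()
    base = p.rstrip(SUFFIX_CHARS)  # 'password1!' -> 'password'
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if p in BLOCKLIST or base in BLOCKLIST:
        reasons.append("in known-leaked password list")
    if len(set(p)) == 1:
        reasons.append("single repeated character")
    if _is_sequential(p):
        reasons.append("sequential characters")
    if _contains_keyboard_walk(p):
        reasons.append("contains keyboard-row pattern")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "111111", "password1!", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```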
My best advice for users is to start using a password manager, so that you only need to remember a single password, and to make that one long and complex.