Year after year, the list of the most commonly used passwords changes very little: the latest one, compiled by infosec researcher Troy Hunt and published by the UK National Cyber Security Centre (NCSC), puts “123456”, “123456789”, “qwerty”, “password” and “111111” in the top five spots.
The entire list of the top 100,000 most used passwords can be checked out here and, predictably, is full of common words, names, number sequences and even single letters and digits.
Advice for users
The list compiled by Hunt is drawn from the breached credentials collected by his Have I Been Pwned service, and reveals that “123456” alone has been used a whopping 23.2 million times.
Other popular choices have also been used hundreds of thousands, if not millions, of times.
If you didn’t know by now, choosing your name or that of a loved one (whether it’s a person, fictional character or football team) is a bad idea.
The NCSC advises users to string together three random but memorable words to create hard-to-guess passwords. “Be creative and use words memorable to you, so people can’t guess your password,” NCSC Technical Director Dr Ian Levy advised.
Hunt pointed out that making good password choices is the single biggest control consumers have over their own personal security posture.
It’s true: we generally have little or no control regarding the security options given to us by businesses, but we can choose to make the best of them.
If we can choose a long and complex password, we should. If multi-factor authentication is offered, we should turn it on. If we can’t remember all the different, complex passwords we use for our various accounts, we should use a password manager: besides remembering our passwords for us, password managers generally include a generator that can create a long, unique password for each account.
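The “three random words” advice and the generator built into a password manager rest on the same arithmetic: each word (or character) chosen uniformly at random contributes log2(list size) bits of unpredictability, so the size of the word list matters as much as the number of words. The following is an added example written for this article, not code from NCSC, Hunt or any password manager; the 32-entry word list is constructed for the demonstration and a real generator would load a list of thousands of words.

```python
import math
import secrets

# Constructed sample word list for the demonstration (32 entries, so each
# word is worth exactly 5 bits). A real generator would load a large list
# from disk; the functions below work unchanged with any list.
WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "needle",
    "orchard", "pebble", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yarrow", "zephyr", "bridge", "copper", "desert",
    "forest", "glacier", "hammer", "ivory",
]


def generate_passphrase(wordlist, count=3, separator="-"):
    """Join `count` words chosen uniformly at random with a CSPRNG.

    `secrets.choice` is used rather than `random.choice`: the latter is a
    Mersenne Twister seeded from predictable state and is not suitable
    for generating credentials.
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    if len(wordlist) < 2:
        raise ValueError("word list is too small to provide any randomness")
    return separator.join(secrets.choice(wordlist) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count):
    """Entropy of a passphrase built from `count` uniform picks from a list.

    Assumes the attacker knows the word list and the scheme; only the
    random choices are secret, so each pick adds log2(list size) bits.
    """
    return count * math.log2(wordlist_size)


def words_needed(wordlist_size, target_bits):
    """Smallest number of words that reaches `target_bits` from a given list."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    phrase = generate_passphrase(WORDS)
    print(f"passphrase: {phrase}")
    print(f"entropy from a {len(WORDS)}-word list: "
          f"{passphrase_entropy_bits(len(WORDS), 3):.1f} bits")
    print(f"words needed for 64 bits from a 7776-word list: "
          f"{words_needed(7776, 64)}")
```

Three words from a 7776-word list (the size of a common diceware-style list) give roughly 39 bits; three words from the tiny list above give only 15, which is why the quality of the list, not just the count of words, decides how hard the passphrase is to guess.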
Advice for developers and sysadmins
The NCSC has also provided developers and system administrators with advice on how to minimize the risk of poor passwords.
They could use the provided list as a blacklist, rejecting any password that appears in it, with the caveat that it is not “the be all and end all of blacklists.”
“There will be other passwords that are more specific (such as employees in an organization using the company name in their password) or time limited (‘Spring2019’, etc.) that will rarely be in a global breach list, but attackers may still try to use,” they pointed out.
“Attackers commonly use lists like these when attempting to breach a perimeter, or when trying to move within a network to potentially less well defended systems. It’s especially common in networks where there’s a corporate component and an operational or Industrial Control System (ICS) component. In such deployments, attackers have been able to breach the corporate network and move laterally to the internal network due to poor network segmentation, where a single weak point (such as a password from one of these lists on a box in a DMZ) has enabled traversal.”
They acknowledge that blocking poor passwords may introduce some friction into the sign-up process, but it will help keep the organization’s data or critical infrastructure better protected.
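A password-acceptance check built along the lines the NCSC describes: reject anything on the breach list, and additionally catch the two classes it says a global list misses, organization-specific terms and time-limited seasonal passwords such as “Spring2019”. This is an added example written for this article, not NCSC or Have I Been Pwned code. It assumes the published list is one plaintext password per line (an assumption of the example; the loader would take the full file in that format), uses a constructed seven-line excerpt as the deny list, and uses “Acme” as a hypothetical organization term.

```python
import re

# Constructed excerpt of a breach-derived deny list. The loader assumes
# one plaintext password per line (assumption of this example); the full
# published file would be loaded the same way.
BREACH_LIST_TEXT = """\
123456
123456789
qwerty
password
111111
letmein
welcome
"""

# Seasonal, time-limited passwords ("Spring2019", "Winter-2024!") that
# rarely appear in a global breach list but attackers still try. Input is
# lowercased before matching, so no IGNORECASE flag is needed.
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)[-_ .]?(19|20)\d{2}[!.?]*$")

# Trailing digits and symbols users append to satisfy complexity rules,
# turning "password" into "Password1!" without making it any harder to guess.
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*.?]+$")


def load_denylist(text):
    """Build a lowercase set from a one-password-per-line file."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def check_password(password, denylist, org_terms=(), min_length=8):
    """Return the reasons a candidate password is rejected (empty list = accepted).

    Checks, in order: minimum length, exact breach-list match, breach-list
    match after stripping trailing digits/symbols, organization-specific
    terms (company or product names) and the season+year pattern.
    """
    reasons = []
    norm = password.strip().lower()

    if len(password) < min_length:
        reasons.append("shorter than minimum length")

    if norm in denylist:
        reasons.append("appears in breach list")
    else:
        stripped = TRAILING_JUNK.sub("", norm)
        if stripped and stripped != norm and stripped in denylist:
            reasons.append("breach-list password with trailing digits or symbols")

    for term in org_terms:
        if term.lower() in norm:
            reasons.append(f"contains organization term '{term}'")

    if SEASON_YEAR.match(norm):
        reasons.append("matches season + year pattern")

    return reasons


if __name__ == "__main__":
    denylist = load_denylist(BREACH_LIST_TEXT)
    # "Acme" is a hypothetical organization name for the demonstration.
    for candidate in ["123456", "Password1!", "Spring2019", "AcmeCorp2024",
                      "correct-horse-battery-staple"]:
        verdict = check_password(candidate, denylist, org_terms=("Acme",))
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

The check reports every reason rather than stopping at the first so the user can be told why the password was refused; the organization-term and season checks are the part a global list cannot supply, and the term list is something each deployment has to maintain itself.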