The 10 Most Embarrassingly Stupid Passwords of 2014

Bijoy Venugopal
Password security is a serious concern but most users don't seem to be aware of it

We know your password. Now, change it before that troll updating your Facebook timeline with things unmentionable dies laughing.

Despite the Internet being abuzz with cautionary notices on setting strong, hack-proof passwords, most users still choose the most embarrassingly simple phrases to ‘protect’ their email and social media accounts.

Exactly how simple? Consider these: 123456. qwerty. password.

Embarrassingly, 123456 is still at the top of the list, and 12345 has jumped 17 places to No 3. Sitting tight in second place is the unassumingly sinister ‘password’. Oh yeah, and ‘access’, ‘football’ and ‘dragon’ were the other cryptic words that users had dreamed up to keep their dark secrets safe from the prying world.

The word 'password' is pictured on a computer screen

That’s a fact that SplashData, the tech security company that makes the SplashID password management application, published on its website as it does every year. How Internet users get away with this is unfathomable, since banking websites, for instance, are known to insist on passwords that combine uppercase and lowercase letters, numerals and special characters, besides multiple layers of verification.

Here are the Top 10:

1. 123456
2. password
3. 12345
4. 12345678
5. qwerty
6. 123456789
7. 1234
8. baseball
9. dragon
10. football

Does any of that sound like you?

SplashData suggests the following measures to compose a crack-resistant password:

1. Use passwords of eight characters or more with mixed types of characters.
2. Avoid using the same username/password combination for multiple websites.
3. Use a password manager to organise and protect passwords, generate random passwords and automatically log in to websites.

So what makes a strong password?

Cryptanalysts use the phrase 'password cracking' for the process of recovering passwords from data stored in or transmitted by a computer system. The most common approach is the brute-force attack, in which a computer repeatedly tries candidate passwords, every possible combination or guesses based on known patterns, until one works. Obviously, our top 10 (or even SplashData's list of top 25) wouldn't stand a glimmer of a chance. It is understood that even the strongest of passwords (a user-selected eight-character password of numerals, mixed case and symbols) takes about 16 minutes to crack.

As a rule, the easier your password is to remember, the easier it is to guess. Attackers know the exact tricks that you use. Swapping letters for look-alike numerals is a common trick, and most attackers won't even need a computer program to undo it. The same goes for typing a password with the keys one keyboard row higher.
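As an added illustration (not code from the article or from SplashData), here is a small password-policy check that undoes the two tricks just described, digit-for-letter substitution and typing one keyboard row higher, and then compares the result with the 2014 top-10 list. The substitution table and the column-aligned keyboard model are simplifying assumptions.

```python
# Added example: reverse common "disguises" and check against the 2014 top 10.
TOP10_2014 = {"123456", "password", "12345", "12345678", "qwerty",
              "123456789", "1234", "baseball", "dragon", "football"}

# Assumed set of look-alike substitutions that attackers routinely undo.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# QWERTY rows, top to bottom. Keys are treated as column-aligned, which is a
# simplification of a real, staggered keyboard.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def shift_row_down(pw):
    """Map each key to the key in the same column one row below, undoing a
    password that was typed 'one keyboard row higher'."""
    out = []
    for ch in pw.lower():
        for upper_row, lower_row in zip(ROWS, ROWS[1:]):
            col = upper_row.find(ch)
            if col != -1 and col < len(lower_row):
                out.append(lower_row[col])
                break
        else:
            out.append(ch)  # bottom-row or unknown key: leave unchanged
    return "".join(out)


def char_classes(pw):
    """Count the character types present: lower, upper, digit, other."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in pw) for t in tests)


def weak_reason(pw):
    """Return why a password is weak, or None if it passes these checks."""
    low = pw.lower()
    if low in TOP10_2014:
        return "on the 2014 top-10 list"
    if low.translate(LEET) in TOP10_2014:
        return "digit substitution of a top-10 password"
    if shift_row_down(low) in TOP10_2014:
        return "keyboard-row shift of a top-10 password"
    if len(pw) < 8:
        return "shorter than eight characters"
    if char_classes(pw) < 2:
        return "only one type of character"
    return None
```

Running `weak_reason("Pa55word")` or `weak_reason("e4qt9h")` shows that both disguises collapse straight back onto list entries.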

Are passwords the final frontier?

Think of a phrase (not a common phrase) and substitute each first letter with a numeral for a password. Or mix them up. Devise a personal algorithm -- basically, a set of rules that only you can decode.

Email services such as Yahoo Mail and Gmail insist on higher levels of security. Gmail, for instance, allows you to verify your account with a random authentication code generated by an app running on your mobile device or phone. This is an additional level of security after you enter your password. If you are likely to use your email without access to your phone, you can print and save a list of random numeric codes to log you in. However, if you run a personal website or blog whose security you care about, it is recommended that you use an identity verification system that doesn't rely on alphanumeric passwords. WordPress plugins such as Wordfence Security lock out users after three unsuccessful login attempts, or restrict access to users accessing your site from servers with particular domain names.

Captcha -- an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart -- is a challenge-response computing test in which random images with cryptic but legible characters are shown to users, who are required to key them in correctly. Unsuccessful attempts lock them out, and though Captchas provide audio support to visually impaired users, they have been known to be an irritant to impatient users.

Clef, which describes itself as a "two-factor authentication system from the future", uses secure biometrics -- the user's fingerprint -- to log them in from their phones, followed by displaying a wave form or suchlike cryptic pattern that has to be synced with a similar pattern on the site's login panel via the user's phone camera.

Just to reiterate, if your password is 'password', it isn't a password.
