Home > IT Blogs > Security Corner > What you can do about the 25 worst passwords of 2012
>>VIEW ALL POSTS  

Security Corner

«
»
Dec 30 2012   2:37PM GMT

What you can do about the 25 worst passwords of 2012



Posted by: Ken Harthun
Password best practice, passwords, Security

Every year, I take a look at the published list of worst passwords. I gave you this list back in October, but it occurred to me that there is something you can do about it if, heaven forbid, you are using any password on this list. Surprisingly, the list changes little from year to year, usually with just a few new ones being added. I guess people don’t change their passwords very often, if at all.Here is an excerpt from a TIME report posted at CNN Tech:

SplashData, which makes password management applications, has released its annual “Worst Passwords” list compiled from common passwords that are posted by hackers. The top three — “password,” “123456,” and “12345678″ — have not changed since last year. New ones include “jesus,” “ninja,” “mustang,” “password1,” and “welcome.” Other passwords have moved up and down on the list.

And here is the list showing what has changed:

1. password (Unchanged)
2, 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)

So, what can you do about it if you are using any of these passwords? There is a simple fix: Append or prepend a pattern of characters that you will remember. I call this a Personal Password Pad and discussed it in “A simple password recycling method” back on January 16, 2012. You don’t have to come up with a bunch of different ones as that article suggests, though. You could use the method I suggest in “Another way to create easy-to-remember complex passwords.”

You will want to use a minimum of four characters for your pad. For example, let’s say you choose a year: 1988. Your pad could be !(** or 1(8* or !9*8. You get the idea. Now, just stick that on the front or back or both of the worst password, e.g., !9*8password1, and you have a strong, easily remembered password that will probably never show up on any such list.

 

  Bookmark and Share     Comment     RSS Feed     Email a friend

Comment on this Post

Leave a comment:

ChrisLeonard  |   Jan 2, 2013  2:02 PM (GMT)

I use dates that are personal to me, but that no one else knows, and then play around with the order.  There’s no reason to use an obvious password.  I’m surprised that mustang and shadow are so popular.


 

LeChat  |   Jan 2, 2013  4:31 PM (GMT)

Like so many people I am frustrated with the endless list of user ids and passwords that I need for daily life.  I think one of the best solutions to weak passwords is to agressively and without exception prosecute anyone that commits a felony by violating security.  I am beyond frustrated by allowing the criminals in our society to set the standards that impose the need for such stringent, inconvient security measures on us all.  Just for a minute think about the amount of time and money that is spent on security of all kinds of data security.  Just for a moment think about the amount of time that we all spend daily dealing with security issues.  This wasted time is passed right along to my clients with absolutely no benefit to them.  If it takes me 2 hours to revise a legal document I can assure you that probably 5-10 minutes of that time involves some form of security measures.  This need is generated by the criminal element in our society.  Prosecute these parasites to the fullest extent of the law on the very first offense.  If the consequenses are severe enough and certain perhaps,  the need for such stringent security will diminish.  On the firest offense impose a mandatory jail sentence with a fine that will take them the rest of their natural born days to work off.   Little Johnny sitting in his dorm room feeling very clever will think twice about hacking into a database if he knows that his entire future is a stake.  Put that intellegence to use doing something productive.  Thank you for allowing me to vent!  Happy new year!


 

Michael Tidmarsh  |   Jan 2, 2013  7:10 PM (GMT)

Every time I see this list, it reminds me of the Spaceballs password scene! A great example of why you shouldn’t have one of these passwords.


 

TomLiotta  |   Jan 7, 2013  5:24 AM (GMT)

This need is generated by the criminal element in our society.
 
It’s only partly generated by the “criminal element”, perhaps not even half. Security in an application is not only about protection from malicious intent but also about a ‘security’ safety net for accidents and other non-malicious events.
 
Many of us have become too deeply conditioned to think in terms of deliberate damage. We forget about accidental. We need to secure apps and app objects from internal, accidental deletions and changes more than just from external threats. The authorities and permissions are needed whether there are “criminals” or not. Any attitude to the contrary is a danger to the assets being protected.
 
The time and attention still must be given.
 
Tom