For the second year in a row, "123456" remained the top password among the millions of cleartext passwords exposed online thanks to data breach incidents at various providers.
While having "123456" as your password is quite bad, the other terms found on a list of Top 100 Worst Passwords of 2017 are just as distressing and regretful.
Some of these include an extensive collection of sports terms (football, baseball, soccer, hockey, Lakers, jordan23, golfer, Rangers, Yankees), car brands (Mercedes, Corvette, Ferrari, Harley), and various expressions (iloveyou, letmein, whatever, blahblah). But, by far, the list was dominated by names, with the likes of Robert (#31), Matthew (#32), Jordan (#33), Daniel (#35), Andrew (#36), Andrea (#38), Joshua (#40), George (#48), Nicole (#53), Hunter (#54), Chelsea (#62), Phoenix (#66), Amanda (#67), Ashley (#69), Jessica (#74), Jennifer (#76), Michelle (#81), William (#86), Maggie (#92), Charlie (#95), and Martin (#96), showing up on the list.
List compiled from five million leaked credentials
The list was put together by SplashData, a company that provides various password management utilities such as TeamsID and Gpass. The company said it compiled the list by analyzing over five million user records leaked online in 2017 and that also contained password information.
"Use of any of the passwords on this list would put users at grave risk for identity theft," said a SplashData spokesperson in a press release that accompanied a two-page PDF document containing a list of the most encountered passwords. This is because attackers use these same leaked records to build similar lists of leaked passwords, which they then assemble as "dictionaries" for carrying out account brute-force attacks.
Attackers will use the leaked terms, but they'll also create common variations on these words using simple algorithms. This means that by adding "1" or any other character combinations at the start or end of basic terms, users aren't improving the security of their password.
Advising users on best password policies is a doctoral paper in its own right, but for the time being, users should look into using unique passwords per account, possibly employing a password manager, using more complex passwords, and above all, staying away from the terms below.