The most common passwords of 2016

Looking at the list of 2016’s most common passwords, I can’t stop shaking my head. Nearly 17 percent of users are safeguarding their accounts with “123456.” What really perplexes me is that so many website operators are not enforcing password security best practices.

My firm, Keeper Security, scoured 10 million passwords that became public through data breaches that happened in 2016. A few things jumped out at us:

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":2151502,"post_type":"guest","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,","session":"D"}']

• The list of most-frequently used passwords has changed little over the past few years. That means user education has limits. While it’s important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves. IT administrators and website operators must do the job for them.

• Four of the top 10 passwords on the list – and seven of the top 15 – are six characters or shorter. This is stunning in light of the fact that today’s brute-force cracking software and hardware can unscramble those passwords in seconds. Website operators need to stop prioritizing convenience over security.

• The presence of passwords like “1q2w3e4r” and “123qwe” indicates that some users attempt to use unpredictable patterns to secure passwords, but their efforts are weak at best. Dictionary-based password crackers know to look for sequential key variations. At best, it sets them back only a few seconds.

• Email providers don’t appear to be working all that hard to prevent the use of their services for spam. Security expert Graham Cluley believes that the presence of seemingly random passwords such as “18atcskd2w” and “3rjs1la7qe” on the list indicates that bots use these codes over and over when they set up dummy accounts on public email services for spam and phishing attacks. Email providers could do everyone a favor by flagging this kind of repetition and reporting the guilty parties.

We can criticize the chronic failure of users to employ strong passwords all we want. After all, it’s in the user’s best interests to do so. But the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies. It isn’t hard to do, but the list makes it clear that many still don’t bother.

Without further ado, here are last year’s top 25 most common passwords:

[A version of this story originally appeared on the Keeper Security blog.]

Darren Guccione is CEO of Keeper Security. He has extensive experience in product design, engineering, and development and leads product vision, global strategy, customer experience, and business development at Keeper.