For better or worse, some things never change. Unfortunately, that includes consumers’ passwords. SplashData’s sixth annual worst passwords list has many of the same passwords from previous years, which proves that consumers either don’t care about their passwords or they aren’t too concerned about cybersecurity. We’ve covered SplashData’s lists before, and the unfortunate reality is that we’ve seen a lot of repeat offenders over the years — and the trend is continuing this year. Still, SplashData’s yearly list provides a great opportunity to talk about cybersecurity, which is why we’re detailing some of 2018’s worst passwords and discussing the nature of passwords as a security measure in 2019.

2018’s worst passwords are …

SplashData’s list includes 100 of the worst passwords, but we opted to only note the 10 worst passwords as well as their rankings with respect to last year’s list:

  1. 123456 (Unchanged)
  2. password (Unchanged)
  3. 123456789 (Up 3)
  4. 12345678 (Down 1)
  5. 12345 (Unchanged)
  6. 111111 (New)
  7. 1234567 (Up 1)
  8. sunshine (New)
  9. qwerty (Down 5)
  10. iloveyou (Unchanged)

Want to see if your password made the list? View SplashData’s full list of the 100 worst passwords of 2018.

What can we learn from 2018’s worst passwords?

Although there are many “new” passwords on the list this year (especially in the top 25), many of these are variations of existing patterns. For example, entries one, three, four and six are just the first five to nine numbers on a keyboard, while the always popular “qwerty” is the five letters on the top left of the keyboard. What surprised us most was that 2018’s list didn’t include as many pop-culture references as in years past. Although terms like “donald,” “starwars” and “harley” appeared, these passwords weren’t as high on the list as last year’s pop-culture passwords.

As serious as password security is, consumers and the Internet at large can’t help but find humor in SplashData’s lists. The company has even included gifs with this year’s list to illustrate the ridiculousness of certain entries. While the idea of someone using “password” or “trustno1” to secure any account is funny, this humor might obscure the technical reasons why these passwords aren’t as effective in today’s cybersecurity environment.

Why passwords fail

Last year, we talked about how tools and new techniques are democratizing the art of hacking by making it accessible to non-coders. This isn’t only true for malware and network attacks; it’s true for cryptography (coded messages) as well. Programs known as password crackers have become increasingly common and can make trivial work of breaking passwords. To understand how crackers defeat passwords, it helps to understand a little about how passwords work.

We’re all familiar with the login process most commonly used on the Internet: we type in a username and password and are granted access to a site when we’ve entered our credentials correctly. There is a lot more going on behind the scenes, however. In the earliest days of the Internet, passwords were stored in plaintext (that is, exactly as typed by the user, so “password” was stored as “password”) once they were created, and a site would compare the password a user entered with the one stored in its database. This worked well for verifying a user’s identity, but as database breaches became more common, it gave hackers wholesale access to every user’s password. Today, an irreversible mathematical operation is applied to any password a user creates, producing a value, called a hash, that is stored in the site’s database in place of the password. On each subsequent login, a hash of the entered password is generated and compared with the stored one, so if the database is breached, only hashes are leaked. Because hashing is a one-way process, it’s difficult for hackers to get a password back from a hash made with today’s standard security processes.

That’s where password crackers come in. Crackers simulate a user’s password inputs using various techniques. One common technique, called a brute-force attack, tries nearly every possible combination of characters. Brute-force attacks are essentially Hail Mary gambits, but they are surprisingly effective, in part because of the simple passwords many people use. Passwords with greater complexity and, more importantly, greater length are harder to brute force because of the time it takes to work through all of the possible combinations. This is why most reputable sites now have common alphanumeric password standards requiring that passwords be at least eight characters long. Keep in mind that many of these requirements are bare-minimum security requirements, and that there are password crackers today which can quickly break passwords that are less than 10 characters long, regardless of their complexity.

All of this alone would be bad news for anyone using one of the passwords above, but basic brute-force attacks aren’t the only option at hackers’ disposal. Most cracking programs can also perform what are known as dictionary attacks, which look up common words and phrases (as well as alterations of those words) and feed them into brute-force attempts. Dictionary attacks can also be combined with password lists, which are exactly what they sound like: full lists of commonly used passwords discovered in breaches and leaks. This means anyone using a password like “password1” effectively has no password at all, because today’s hacking tools reveal these extremely common choices instantly.
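As an added illustration (not part of the original post), here is the defender-side check a signup form could run: it rejects the ten entries quoted above, trivial variations of them such as “Password1!”, and the keyboard-row runs described earlier. The ten-entry blocklist, the 10-character minimum and the keyboard rows are assumptions for this example; a real deployment would load the full published list or a larger breach corpus.

```python
import re
from typing import List

# The ten entries quoted from SplashData's 2018 list above. A real deployment
# would load the full published list or a larger breach corpus (assumption).
WORST_2018 = {
    "123456", "password", "123456789", "12345678", "12345",
    "111111", "1234567", "sunshine", "qwerty", "iloveyou",
}

# Keyboard rows used to recognise "first N keys on a row" patterns such as
# 12345678 and qwerty. Constructed for this example.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

MIN_LENGTH = 10  # the article notes that sub-10-character passwords fall quickly


def normalize(candidate: str) -> str:
    """Strip the decorations people bolt onto a blocked word ("Password1!")
    so the check still catches trivial variations of a listed entry."""
    base = re.sub(r"[^a-z0-9]", "", candidate.lower())  # drop punctuation
    return re.sub(r"[0-9]+$", "", base) or base           # drop trailing digits


def is_keyboard_run(candidate: str, min_len: int = 4) -> bool:
    """True if the candidate is a contiguous run (forward or backward) along a keyboard row."""
    c = candidate.lower()
    if len(c) < min_len:
        return False
    return any(c in row or c in row[::-1] for row in KEYBOARD_ROWS)


def is_repeated_char(candidate: str, min_len: int = 4) -> bool:
    """True for entries like 111111: one character repeated."""
    return len(candidate) >= min_len and len(set(candidate)) == 1


def check_password(candidate: str) -> List[str]:
    """Return the reasons a candidate would be rejected; an empty list means it passes."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.lower() in WORST_2018 or normalize(candidate) in WORST_2018:
        reasons.append("on the 2018 worst-passwords list, or a trivial variation of an entry")
    if is_keyboard_run(candidate):
        reasons.append("a run along a keyboard row")
    if is_repeated_char(candidate):
        reasons.append("a single repeated character")
    return reasons
```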

It is worth briefly noting that password crackers can perform other types of attacks, too. For example, in some instances hashes can be “reversed” using what are known as rainbow tables; however, these require large amounts of storage and computational power, and they are defeated by more sophisticated administrative security practices. This is why it’s important that consumers stick to websites with good cybersecurity and encryption practices. That is, of course, easier said than done, as we learned from the Equifax breach.
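The hashing flow described in the two paragraphs above, as an added example that is not the article’s own code: a password is hashed with a per-user random salt when it is set, the stored salt and hash are used to verify later logins, and, because the salt differs per user, the same password never produces the same stored hash, which is the administrative practice (salting) assumed here to be what makes precomputed rainbow tables useless. PBKDF2-HMAC-SHA256 and the iteration count are this example’s choices, not the article’s.

```python
import hashlib
import hmac
import os

# Choices made for this example (not the article's): PBKDF2-HMAC-SHA256 from the
# standard library, a 16-byte random salt per user, and a fixed iteration count.
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """The weaker scheme: a bare SHA-256 of the password. Every user who picks
    the same password gets the same value, so it can be precomputed once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Create the record stored when a password is set: '<salt_hex>$<hash_hex>'.
    A fresh salt is drawn for every user, so identical passwords never share a hash."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "%s$%s" % (salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """At login: recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def shares_stored_hash(password: str) -> bool:
    """Set the same password for two users and report whether the stored hashes
    match. With per-user salts they do not, which is what defeats a rainbow table."""
    hash_a = hash_password(password).split("$", 1)[1]
    hash_b = hash_password(password).split("$", 1)[1]
    return hash_a == hash_b
```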

Are secure passwords even possible?

Talk of brute-force attacks and password lists might have you feeling overwhelmed or even defeated, but there are a few things you can do that’ll go a long way toward improving your online security.

Think beyond characters. One way to strengthen passwords is to use a random string of words instead of a random string of characters. For example, you can plug numbers and special characters into something like “coffeerugfireplacehouse” to make a pretty strong password. This method makes sense from a security standpoint: a string of words is much longer than a typical string of characters, and the human brain is better at remembering random words than random character strings. If you create your passwords this way, make sure not to reuse phrases.

Consider a password manager. While the above advice makes sense, for many users, the most secure solution is to get a password manager, as these allow you to generate passwords of any length and complexity without having to memorize them. This security practice is likely to become a more accessible solution, considering many systems, like Apple’s iOS, provide basic password management features by default.

Use multifactor authentication. As important as strong passwords are, using two-factor authentication will protect your account even if your password is compromised. That’s because two-factor authentication requires your phone, an app or a hardware device to confirm your logins, which means someone will need your password and the one-time generated code to get into your account.

Cybersecurity can be an intimidating topic but staying safe online doesn’t have to be hard. Keep reading our cybersecurity blog for more technology and online security tips.