PHP

The Worst Passwords of 2011

Craig Buckler
Share

Are you still using “password” to protect access to your vital administration systems? Of course not but, according to software security company SplashData, it’s still at #1 in the dumb password chart. Here’s the “top” 25 compiled from lists of stolen passwords posted online:

  1. password
  2. 123456
  3. 12345678
  4. qwerty
  5. abc123
  6. monkey
  7. 1234567
  8. letmein
  9. trustno1
  10. dragon
  11. baseball
  12. 111111
  13. iloveyou
  14. master
  15. sunshine
  16. ashley
  17. bailey
  18. passw0rd
  19. shadow
  20. 123123
  21. 654321
  22. superman
  23. qazwsx
  24. michael
  25. football

If your password’s on this list, perhaps it’s time to reconsider your security.

But, before we start sneering at user stupidity, are we partly to blame? Nearly every web application we create requires a password and they contribute to the problem. Despite the rise of OAuth and similar solutions, even infrequent web users probably require a dozen passwords for different sites. It doesn’t matter how much advice or education we give: people will always choose the easy option and select a simple password they can remember.

Overly-Complex Password Policies

Some systems attempt to solve the bad password problem by implementing certain lengths, requiring at least one number and making users change their password every few days. The worst examples limit the number of characters and don’t permit unusual characters such as punctuation. Effectively, they’re handing hackers a password “template” … and they rarely prevent people choosing “password01”, “password02”, etc.

Passive Security Education

With the possible exception of minimum-length passwords for financial and government services, users should generally be permitted to enter what they like. Good systems will encrypt passwords so there’s no reason to limit the string length or the characters which can be entered.

Red-amber-green indicators for weak passwords are generally good, although it’s fairly abstract and I’ve seen many users ignore the warning. Perhaps a more informative alternative could highlight the consequences of a poor password, e.g.

A hacker could access your account in 3 seconds.

Unfortunately, passwords remain our best option for web security. Unless someone knows of a better fool-proof alternative?