SplashData's annual list shows people still using easy-to-guess passwords

Oct 25, 2012 by Bob Yirka weblog

(Phys.org)—In what has become an annual tradition, SplashData, a company that makes productivity applications for smartphones, has released a list of passwords it claims are the most commonly used to access online applications. The list is compiled by the company using passwords that hackers have posted on various web sites to illustrate the ease with which online accounts can be cracked. SplashData refers to the top 25 passwords as the "worst passwords of the year."

The top three haven't changed from last year: "password," "123456" and "12345678." SplashData indicates that many people fear forgetting their password more than they fear hackers breaching their account. Others, perhaps responding to reports of multiple recent website hacking incidents, have resorted to trying easy-to-remember (but still easy-to-hack) passwords such as "Jesus," "mustang," "welcome" and "ninja."

In response to the posting by SplashData, several computer security companies have posted tips to users aimed at encouraging protection of accounts with stronger passwords. Most companies persist with the tried-and-true standard of suggesting users choose passwords that mix numbers and letters, are at least eight characters long, and include punctuation characters. Experts also suggest users choose different passwords for different sites to prevent hackers from accessing all of their accounts if they happen to gain access to the single password used everywhere. A third option is for users to choose difficult-to-remember passwords and then use a password manager application (such as SplashID Safe made by SplashData), which tracks all passwords and then enters them automatically when users log in to registered sites.

SplashData encourages people—especially those who use the same password for access to online entertainment sites such as and , and those sites that hold important bank and —to take the task of choosing a password more seriously. The company also suggests that people who are currently using one of the "listed" passwords change it immediately, or risk having their account compromised.

User comments : 4

not rated yet Oct 25, 2012
Password hacking is only possible because websites allow millions of login attempts rather than increase the duration with each attempt. My bank allows only three (even if identical but wrong) before you are locked out and need to request a new one sent in snail mail.

not rated yet Oct 25, 2012
A good point. A real person needs seconds to read the notification that their password was incorrect. Having a 5 second delay before you could try again wouldn't really impact a living, breathing person.

It would slow a computer to less than 20,000 guesses per day.

The more times a person makes an incorrect guess, the more time they would need to think about what password they should have entered. Add 5 seconds to the interval for each incorrect password and the number of allowable attempts falls to 187 for the first 24 hours and 264 in the first 48 hours. An interesting thought . . .

not rated yet Oct 25, 2012
We also need the ability to use long passwords (multiple words with spaces between). These can be easy to remember but hard to crack. See http://xkcd.com/936/ for an example.

not rated yet Oct 26, 2012
There is a guy in Norway whose toddler-aged son was playing with his iPhone and the kid managed to attempt thousands of logins simply by mashing the keys. Dad thought it was ok as the iPhone was "off", but thanks to the incorrect login time penalty, he has to wait something like 1.5 years until he can attempt to log in again.

The penalty is apparently hardcoded and permanent. Apple's (not at all surprising) response? Buy a new iPhone.
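
As an added illustration of the throttling ideas raised in the comments above (not code from the article, SplashData, or any commenter): a per-account login throttle that compares a fixed 5-second delay with a delay growing by 5 seconds per failure, and caps the delay so a flood of bad attempts cannot lock an account out for months. The class and function names, the 15-minute cap, and the counting convention (first guess at time zero) are assumptions.

```python
import math


class LoginThrottle:
    """Per-account throttle: every consecutive failure adds `step` seconds
    of enforced wait, never more than `cap` seconds (hypothetical design)."""

    def __init__(self, step=5.0, cap=900.0):
        self.step, self.cap = step, cap
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> earliest time of next attempt

    def delay_after(self, failures):
        # The cap bounds the worst-case lockout a legitimate owner can face.
        return min(self.step * failures, self.cap)

    def attempt(self, account, password_ok, now):
        """Return (accepted, seconds_until_next_attempt_is_allowed)."""
        wait = self.locked_until.get(account, 0.0) - now
        if wait > 0:
            # Too early: reject without even evaluating the password.
            return False, wait
        if password_ok:
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return True, 0.0
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        delay = self.delay_after(count)
        self.locked_until[account] = now + delay
        return False, delay


def guesses_in_window(throttle, window_seconds, account="victim"):
    """Count wrong guesses an automated client gets through in the window
    when it retries the instant each enforced delay expires."""
    now, guesses = 0.0, 0
    while now < window_seconds:
        _, wait = throttle.attempt(account, False, now)
        guesses += 1
        now += wait
    return guesses


DAY = 24 * 60 * 60
fixed_per_day = guesses_in_window(LoginThrottle(step=5, cap=5), DAY)
growing_per_day = guesses_in_window(LoginThrottle(step=5, cap=math.inf), DAY)
capped_per_day = guesses_in_window(LoginThrottle(step=5, cap=900), DAY)
```

Per-account counters like this should be paired with per-source or global limits, since they only slow repeated guessing against a single account.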
