The worst passwords of 2016 are as lazy as ever

Please, stop using "123456."
Written by Charlie Osborne, Contributing Writer

It seems that password security simply doesn't work.

Many of us rely on simple, easy-to-remember strings of characters and letters, including strings found on your keyboard such as "1234567" or "qwertyu."

While these strings are easy for you to remember, they are also no trouble at all for attackers, who need only brute-force hacking techniques -- or little more than a guess or two -- to compromise your online accounts and take over your digital identity.


Online vendors and agencies are getting up to speed with these practices and now often offer or require two-factor authentication which connects a mobile phone to your account -- or will ban soft, easy passwords like this altogether.

But as many are, many are not -- and it is both companies and individuals that are at fault for lax security at the first stage.

According to Keeper Security's annual list of commonly used passwords, we still haven't got the message.

The security company's researchers were left shaking their heads in despair as they discovered that the most common passwords used to protect our accounts have not changed much at all -- and "123456" is still very much in existence.

The company scoured through 10 million passwords which became public domain over the year thanks to data breaches.

Keeper Security found that almost 17 percent of users insisted on using "123456" to 'protect' their accounts from intrusion, while "123456789," "qwerty" and "password" also make an appearance in the top 25 worst passwords found -- which, sadly, are also the most common.

In total, four of the top 10 most common passwords were six characters or shorter. Permitting this to happen at all is the fault of online vendors and operators, and on average, it only takes seconds to brute-force these kinds of accounts with such poor security.
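One way an operator could refuse such passwords at signup, shown as an added example that is not from the article or from Keeper Security. The denylist holds only the passwords named in this article; `MIN_LENGTH`, `WALK_THRESHOLD` and the function names are assumptions made for the example.

```python
# Added example: signup-time password screening (not from the article).

# Constructed denylist holding only the passwords the article names; a real
# deployment would load a full breached-password list instead.
DENYLIST = {"123456", "1234567", "123456789", "qwerty", "qwertyu",
            "password", "18atcskd2w"}

MIN_LENGTH = 8        # assumption: the article only flags six or fewer
WALK_THRESHOLD = 0.7  # assumption: heuristic cut-off chosen for this example

KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Every ordered pair of keys that sit side by side on the same row.
NEIGHBOURS = set()
for _row in KEYBOARD_ROWS:
    for _a, _b in zip(_row, _row[1:]):
        NEIGHBOURS.update({(_a, _b), (_b, _a)})


def walk_ratio(password):
    """Fraction of adjacent character pairs that repeat a key or step to a
    neighbouring key on the same row (1.0 for "1234567" or "qwertyu")."""
    pw = password.lower()
    if len(pw) < 2:
        return 1.0
    hits = sum(1 for a, b in zip(pw, pw[1:]) if a == b or (a, b) in NEIGHBOURS)
    return hits / (len(pw) - 1)


def screen_password(candidate):
    """Return the list of reasons to reject candidate; empty means accept."""
    reasons = []
    normalized = candidate.strip().lower()
    if len(candidate) < MIN_LENGTH:
        reasons.append("too_short")
    if normalized in DENYLIST:
        reasons.append("denylisted")
    if walk_ratio(normalized) >= WALK_THRESHOLD:
        reasons.append("keyboard_walk")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("123456", "qwertyu", "18atcskd2w", "Qwerty12345",
                   "maple-orbit-tundra-94"):
        print(f"{sample!r}: {screen_password(sample) or 'accepted'}")
```

The keyboard-walk check catches variants such as "Qwerty12345" that an exact-match denylist misses, while the bot-generated "18atcskd2w" is only caught because it appears on the list.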


There is an interesting exception, however, which is the password "18atcskd2w," the 15th most common password discovered in the data. According to security researcher Graham Cluley, these accounts were created by bots designed to spread spam on online forums.

"We can criticize all we want about the chronic failure of users to employ strong passwords," Darren Guccione, CEO and co-founder of Keeper Security said. "After all, it's in the users' best interests to do so. But the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies. It isn't hard to do, but the list makes it clear that many still don't bother."

"While it's important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves. IT administrators and website operators must do the job for them," Guccione added.
