SplashData, makers of the SplashID Safe password management software, has just published its list of 25 worst passwords of 2013. Climbing up the list from second to first is "123456", switching places with 2012's champion, "password", now at second place.
2013's list of shame was largely influenced by the recent security breach that happened with Adobe's database last October. This attack yielded, as of the last report, around 150 million account names and hashed passwords. This incident has brought to light, among other things, the need for better and stronger practices when it comes to keeping passwords secure.
Password management is a tricky situation. Human nature's propensity to be lazy has produced some of the world's most amusing and most tragic, from a security point of view, passwords. Despite modern advice or even coerced restrictions on what passwords will be accepted when creating an new account, users have still managed to make use of passwords that may be easy to remember but are also extremely easy to guess, especially by brute force.
The most common passwords used are those that involve adjacent keys like "123456" or "qwerty", depending on the number of required characters. Others are just a tad smarter, employing both letters and numbers as suggested by sign up forms, like "abc123". And there are others that incorporate the site or app's name, like "adobe123" or, worse, "photoshop". And, of course, there's the ever popular "admin" that is used by default on some systems and remains forever unchanged.
SplashData offers a few tips on the kind of passwords to create. Some are probably well known already, like mixing a characters with other types of symbols when possible or using different passwords for business and pleasure. Some are just plain common sense, like avoiding common words or avoiding using the name of the service or product. Creating non-trivial passwords that are also easy to remember is definitely not a simple task. Luckily, today we have services and apps that help generate, remember, and manage those passwords, like SplashData's own SplashID Safe.