Worst passwords list is out, but this time we’re not scolding users

by Lisa Vaas of Sophos

Oh, those incorrigible password abusers. After all these years of being shamed (if they cared or were paying attention), they’re still using “123456” as a password. This year, according to SplashData’s annual worst password list, that stale cracker came in at No. 1.


“password” was the No. 2 dust bunny to roll out from under the bed.


“Donald” made it onto this year’s list, at No. 23, as either a feeble nod to POTUS No. 45 or to the Disney duck. Or both.

This is what we always say: For shame. Unleash the cybersecurity Harpies, we say; let fly the mocking winged monkeys, etc. etc., yadda yadda yadda. The security industry, and the media that covers it, keeps trying to get across the message that simple passwords like that are too easy to guess: we’re talking about fractions of microseconds for a brute-force attack. And so, every year around listicle time, we suggest the fix of password composition policies.

Those are sets of rules such as “your password should be at least eight characters long and contain at least one uppercase letter, one number and one special character”. They’re popular because the rules are easy to check, and they increase the entropy of your password (which can be important, but it’s not the same thing as password strength).

Well, the shtick is getting old. As we’ve said before, composition rules are annoying (to everyone, even to people choosing really strong passwords); they measure something that isn’t password strength; and they restrict the pool of possible passwords (the “password space”), which just makes it all the easier for password crackers.

More to the point, while it’s true that, as SplashData CEO Morgan Slain says, “using your name or any common name as a password is a dangerous decision,” blaming the user clearly isn’t working. If it were, the same passwords wouldn’t keep showing up, year after year.

For this year’s list, SplashData says it evaluated more than five million leaked passwords. But it shouldn’t be surprising that the enormous cache contained so many celebrity names, terms from pop culture and sports, and simple keyboard patterns. They’re easy to remember. Of course people are going to use them…

if websites and services keep allowing them to be used.

How about websites stop allowing 123456?!

There is another option. It’s not going to relieve our carpal tunnel, because it still involves finger-wagging. The option is for websites and services to simply stop users from choosing a password that’s on the list of the worst passwords. Or, say, disallow creating any of the 10,000 worst passwords.

The lists of worst passwords are brought to us courtesy of all the websites and services that accept feeble passwords. Disallow it, and you’ll never contribute to a list like this again.

Were your website/service to use zxcvbn – a password strength meter made by Dropbox (also used by WordPress and available to us all, for free) that actually tries to measure password strength – your users would have been warned if they’d chosen one of those terrible passwords.

Then again, if your website/service makes two-factor authentication (2FA) mandatory, then users would have been well-protected even if they’d chosen one of the awful passwords.

If your website/service uses rate limiting, then even the weakest password gets a serious upgrade. Limiting the number of times a user can try a wrong password means that attacks take a long time. Attackers have to be far more circumspect about how many guesses they make: just ask the FBIabout how inconvenient, or impossible, it can make the task of forcing your way in past an unknown login.

None of this means that users are off the hook when it comes to picking a strong password, though. There’s no way to know that their passwords are being securely stored, and they have no control over the measures that sites use to defeat online guessing – aside from adopting 2FA whenever it’s available.

This all means that the onus is still on users to make sure that every password they choose is unique and strong enough to withstand an offline guessing attack. And it means that yes, websites still have to promote a password composition rule: make each password a random collection of at least 14 letters, numbers and special characters.

And users, if you can’t remember all of your passwords – and how many of us can? – you can always rely on a password manager like FaceGuard to keep them safe.