ECommerceTimes.com

Report: Dumb Password Use on the Decline

By John P. Mello Jr.
Jan 21, 2015 2:23 PM PT

Millions of Net surfers use obvious passwords to log on to websites, but their numbers appear to be declining.

SplashData on Tuesday published its annual list of the top 25 most common -- thus worst -- passwords leaked online. In the top spot was "123456," followed by "password" and "12345."

Both "123456" and "password" claimed the top spots in 2013, too, but "12345" was in the No. 17 spot last year.

In addition to consecutive numbers, lazy password creators used obvious letter combinations. "Qwerty" was No. 5 on the list. Superheroes also ranked -- "superman" placed 21st and "batman," 24th. Sports were popular too -- "baseball" was listed at No. 8 and "football" at No. 10.

"Sports teams, sports names, people's names, pets' names -- those are always popular passwords, which is why they should be avoided," SplashData CEO Morgan Slain told the E-Commerce Times.

Silver Lining

While the security community may be disheartened by the SplashData findings, there may be a silver lining.

"The bad news from my research is that this year's most commonly used passwords are pretty consistent with prior years," said security expert Mark Burnett, who collaborated on the list.

"The good news is that it appears that more people are moving away from using these passwords," he observed.

"In 2014, the top 25 passwords represented about 2.2 percent of passwords exposed," Burnett noted. "While still frightening, that's the lowest percentage of people using the most common passwords I have seen in recent studies."

In the past three years, the top 25 common passwords have been around 4 percent of the exposed passwords gathered by SplashData, CEO Slain said, but on other lists compiled by researchers, the common passwords have reached as high as 25 percent of the passwords studied.

SplashData compiled its top 25 worst list from some 3.3 million passwords posted to the Internet by website hackers. That may influence the strength of the passwords in the sample.

"These sites probably don't have the best policies for forcing people to choose secure passwords," Slain explained. "That's why you end up with passwords like '12345,' which most secure sites would not allow."

Convenience Trumps Security

In addition, there's no way to determine from the passwords gathered by SplashData how many times a popular password like "123456" was used as a throwaway password -- a password used to access a website that a user intends to visit infrequently and to which the user won't be giving any sensitive information.

"A lot of people use throwaway passwords, but where that becomes an issue is when people use those same passwords for their more sensitive logins," Rob Dinuzzo, a marketing manager at Siber Systems, told the E-Commerce Times.

Why do so many people use and reuse simple passwords online despite warnings not to do so?

"Many times it's for convenience," said Becky Frost, senior manager for consumer education at ProtectMyID.

"People will forgo security for convenience," she told the E-Commerce Times.

On the other hand, if fewer websites demanded passwords, it could make it more convenient to create and remember passwords for websites that really needed them. That's unlikely to happen, however.

"You see more and more websites do it, because they're trying to gather information about their users so they can sell that information to advertisers," Abine CEO Rob Shavell told the E-Commerce Times.

"Even though from a user's view there's no need for a website to require a username and password, the website needs it because it's trying to make more money from the attention the user gives the website," he explained.

Passwords as Cockroaches

Lists like the one compiled by SplashData would be unnecessary if the need for passwords were to disappear -- something that's been predicted for years.

"In the long run, you will find new technologies replacing the password, including biometric identification, but that process is going to take longer than people assume it will," SplashData's Slain said. "The password is so ubiquitous now it's going to take time to replace it with new technology."

Others find the password's position in security more permanent.

"I think passwords are here to stay. All the futuristic technologies have big problems associated with them," said Abine's Shavell.

"The best solution to the problem is already here -- not in the future. It's called a 'password manager,'" he maintained.

"Passwords, like cockroaches, will likely always be with us," Open Identity Exchange Chairman Don Thibeau told the E-Commerce Times -- "ugly, useless and undermining our privacy and security."


John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

