Gizmodo recently published a list of the most popular passwords of 2014, smugly deriding those morons who deploy poorly conceived credentials. Ironically, it bears reminding that Gizmodo is owned by Gawker Media, who became the poster child for poor password management in 2010 when attackers compromised the networks of Gawker and decrypted nearly 200,000 terrible passwords. Wouldn’t it be an interesting exercise to compare the object of Gizmodo’s current scorn with its readership circa 2010?
Interestingly, 16 of the 25 passwords on this year’s list of popular (and therefore ineffective) passwords were also on the list of most commonly used passwords from the Gawker data breach in 2010. If we look at the top 50 common passwords revealed in the Gawker breach, only four of this year’s 25 fail to appear on both lists. So if your password is “access” or “mustang” or the hilariously puerile “696969” then you’re actually doing a better job than most people.
Little has changed from the @Gawker #breach to this year‘s list of bad #passwords
The list itself is an aggregation of credential-containing data leaks from the year, put together by the security firm SplashData. As you can see below, SplashData puts one of these lists together each year and notes movement up and down and onto the list next to each password. I have put an asterisk next to any password that also showed up in the top 50 of Gawker’s passwords.
- 123456 (No change)*
- password (No change)*
- 12345 (up 17)*
- 12345678 (down one)*
- qwerty (down one)*
- 123456789 (no change)
- 1234 (up nine)*
- baseball (new)*
- dragon (new)*
- football (new)*
- 1234567 (down four)*
- monkey (up five)*
- letmein (up one)*
- abc123 (down nine)*
- 111111 (down eight)*
- mustang (new)
- access (new)
- shadow (unchanged)*
- master (new)*
- michael (new)*
- superman (new)*
- 696969 (new)
- 123123 (down 12)*
- batman (new)*
- trustno1 (down 1)*
It’s interesting that 80 percent of the passwords listed as “new” were actually in the top fifty Gawker passwords more than four years ago. It’s also interesting that “123456789” is not new to SplashData’s list, but it did not appear in the infamous Gawker top 50.
The 25 most popular passwords of 2014 are a reminder that we're all morons: http://t.co/uIT1t3dYRG pic.twitter.com/JhDByxjWep
— Gizmodo (@Gizmodo) January 20, 2015
To be fair, Gawker’s spilled passwords were encrypted. It just so happens that 188,000 of them were so ill-conceived as to be easily decrypted based on their hashes. Encrypting password stores is sort of a bare-minimum security requirement. What we learned from the Gawker hack is that even the supposedly tech savvy among us are bad at password management.
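The point about hashed stores is worth seeing in code. The script below is an added example, not code from the article or from Gawker or SplashData: it uses the 25 passwords listed above as a denylist, constructs three sample accounts (alice, bob and carol are made up), and contrasts two ways of storing them. With an unsalted fast hash (SHA-1 here, standing in for any such legacy scheme), a single precomputed table of the 25 common passwords identifies every weak account with one dictionary lookup, which is exactly the situation the article describes. With a per-user random salt and a slow key derivation (PBKDF2-HMAC-SHA256 from the standard library), no shared table exists and the same audit costs one full KDF run per (account, candidate) pair. The function names and the low iteration count are assumptions chosen for the demo; the enrollment-time denylist check at the top is the cheapest place to stop a bad password, because the plaintext is only available then.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed denylist: the 25 SplashData 2014 entries quoted in the article.
COMMON_PASSWORDS = frozenset([
    "123456", "password", "12345", "12345678", "qwerty", "123456789", "1234",
    "baseball", "dragon", "football", "1234567", "monkey", "letmein", "abc123",
    "111111", "mustang", "access", "shadow", "master", "michael", "superman",
    "696969", "123123", "batman", "trustno1",
])

# Constructed sample accounts (not real data): two weak passwords, one passphrase.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "dragon",
    "carol": "correct horse battery staple",
}

# Assumption: iteration count kept low so the salted audit below finishes in
# about a second; a real deployment uses a far higher count (or bcrypt/argon2).
KDF_ITERATIONS = 20_000


def is_denylisted(password: str) -> bool:
    """Enrollment-time check: refuse any password on the common-password list.
    Case-insensitive, because 'Password' is no better than 'password'."""
    return password.strip().lower() in COMMON_PASSWORDS


def legacy_hash(password: str) -> str:
    """Unsalted, fast hash: stands in for the kind of legacy scheme that lets a
    dumped store be matched directly against a list of common passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_legacy_store(users: dict) -> dict:
    return {user: legacy_hash(pw) for user, pw in users.items()}


def precomputed_table(candidates=COMMON_PASSWORDS) -> dict:
    """digest -> password for the denylist; computed once, reused for every account."""
    return {legacy_hash(pw): pw for pw in candidates}


def audit_unsalted(store: dict, table: dict) -> dict:
    """Every account whose digest appears in the table is identified by one lookup."""
    return {user: table[digest] for user, digest in store.items() if digest in table}


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = KDF_ITERATIONS) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; record format 'salt$iterations$dk'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password: str, record: str) -> bool:
    salt_hex, iterations, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_salted_store(users: dict) -> dict:
    return {user: salted_hash(pw) for user, pw in users.items()}


def audit_salted(store: dict, candidates=COMMON_PASSWORDS):
    """Same audit against a salted store: no shared table is possible, so every
    (account, candidate) pair costs one full KDF run. Returns (matches, kdf_runs)."""
    matches, kdf_runs = {}, 0
    for user, record in store.items():
        for pw in candidates:
            kdf_runs += 1
            if verify_salted(pw, record):
                matches[user] = pw
    return matches, kdf_runs


if __name__ == "__main__":
    table = precomputed_table()
    print("unsalted store:", audit_unsalted(build_legacy_store(SAMPLE_USERS), table))
    found, runs = audit_salted(build_salted_store(SAMPLE_USERS))
    print(f"salted store: {found} after {runs} KDF runs")
```

Both audits find alice and bob, because a common password is a common password regardless of storage. The difference is the bill: the unsalted store yields them after 25 hash computations shared across all users, while the salted store charges 75 KDF runs for three users and scales linearly with the size of the store, which is the whole reason salted slow hashing is the floor for a password database.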
The moral of this story is neither new nor particularly revelatory: People are despairingly bad at passwords. More broadly, people are despairingly bad at security as a whole. This is why the tech and security industries need to take matters into their own hands. You can’t blame users for data breaches like the ones that inspired this list or led to the leaking of thousands of intimate celebrity photos.
I can tell you and, in fact, I have told you how to create a strong and memorable password. It’s really not rocket science. Everyone pretty much understands what makes a good password. The reality is that we know the risks associated with poor passwords and we scoff at them; we know how to make good passwords but we are too lazy to manage various unique passwords across as many logins.
This is why efforts like “Digits” by Twitter and TouchID by Apple and other biometric or SMS-based or two-factor schemes are so promising. We know they aren’t perfect, but they offer us the opportunity to experiment with new forms of authentication that could potentially usher us away from the most imperfect form of authentication: the password.