
2018 Top 25 Worst Passwords Revealed

News | 20 December, 2018

No end of year would be complete without a top ten list and SplashData has just published their 8th Annual Worst Password list.

In their announcement, SplashData says:

“After evaluating more than 5 million passwords leaked on the Internet, the company found that computer users continue using the same predictable, easily guessable passwords. Using these passwords will put anyone at substantial risk of being hacked and having their identities stolen.

While terrible passwords such as “123456” and “password” continue in the #1 and #2 spots, respectively, President Trump debuted on this year’s list with “donald” showing up as the 23rd most frequently used password.”

Reading like a music chart, we see a new entry at number 8 for ‘sunshine’ while ‘admin’ drops one place from 11 to 12. The full top 25 are shown below:

Top 25 most used passwords in 2018

1     123456      (Rank unchanged from last year)
2     password    (Unchanged)
3     123456789   (Up 3)
4     12345678    (Down 1)
5     12345       (Unchanged)
6     111111      (New)
7     1234567     (Up 1)
8     sunshine    (New)
9     qwerty      (Down 5)
10    iloveyou    (Unchanged)
11    princess    (New)
12    admin       (Down 1)
13    welcome     (Down 1)
14    666666      (New)
15    abc123      (Unchanged)
16    football    (Down 7)
17    123123      (Unchanged)
18    monkey      (Down 5)
19    654321      (New)
20    !@#$%^&*    (New)
21    charlie     (New)
22    aa123456    (New)
23    donald      (New)
24    password1   (New)
25    qwerty123   (New)

SplashData estimates almost 10% of people have used at least one of the 25 worst passwords on this year’s list, and nearly 3% of people have used the worst password, 123456.

There is a more useful side to all this frivolity and head shaking for system administrators. SplashData is offering a free download of the 100 most used passwords they have discovered, which any security-minded administrator would be wise to load into their password blacklist if their systems support it. For more information go to: https://www.teamsid.com/100-worst-passwords/

By blacklisting certain words and strings, you can prevent your users from setting a well-known password that is easily guessed. Best practice is to use a password manager to generate strong and complex passwords for every login. Password blacklists provide a useful safety net for when the usual complexity rules cannot be enforced.
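A blacklist that only matches exact strings is easy to sidestep with a capital letter or a trailing digit, so a check at password-change time usually normalizes the candidate first. The sketch below is an added example, not SplashData's or any vendor's code; the function names, the substitution table and the trailing-character rule are assumptions chosen for illustration.

```python
import re

# The top 25 from the list above; in practice, load a longer list from a file.
TOP_25 = """123456 password 123456789 12345678 12345 111111 1234567 sunshine
qwerty iloveyou princess admin welcome 666666 abc123 football 123123 monkey
654321 !@#$%^&* charlie aa123456 donald password1 qwerty123""".split()

# Character substitutions users commonly make (assumed table for this example).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def load_blacklist(lines):
    """Build a lookup set from an iterable of lines (a list or an open file)."""
    return {line.strip().casefold() for line in lines if line.strip()}


def candidate_forms(password):
    """Return the normalized forms of a password that are compared to the list."""
    lowered = password.casefold()
    # Drop trailing digits and symbols, e.g. "sunshine1!" -> "sunshine".
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    forms = [lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)]
    return [form for form in forms if form]  # skip forms stripped to nothing


def blacklist_match(password, blacklist):
    """Return the blacklisted entry the password reduces to, or None."""
    for form in candidate_forms(password):
        if form in blacklist:
            return form
    return None


BLACKLIST = load_blacklist(TOP_25)

if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["P@ssw0rd", "Sunshine1!", "donald2018", "correct horse battery staple"]:
        hit = blacklist_match(pw, BLACKLIST)
        print(f"{pw!r}: {'rejected, matches ' + repr(hit) if hit else 'accepted'}")
```
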

How to configure password blacklists

For Windows, try Microsoft Azure AD, which now supports password blacklisting: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-configure

Or use third-party solutions such as ManageEngine for traditional on-premises Active Directory systems: https://www.ManageEngine.co.uk/products/self-service-password/

On Linux, try the Pluggable Authentication Modules (PAM) pam_cracklib module: http://www.linux-pam.org/Linux-PAM-html/sag-pam_cracklib.html
