No end of year would be complete without a top ten list and SplashData has just published their 8^th Annual Worst Password list.

In their announcement, SplashData says:

“After evaluating more than 5 million passwords leaked on the Internet, the company found that computer users continue using the same predictable, easily guessable passwords. Using these passwords will put anyone at substantial risk of being hacked and having their identities stolen.

While terrible passwords such as “123456” and “password” continue in the #1 and #2 spots, respectively, President Trump debuted on this year’s list with “donald” showing up as the 23rd most frequently used password.”

Reading like a music chart, we see a new entry at number 8 for ‘sunshine’ while ‘admin’ drops one place from 11 to 12. The full top 25 are shown below:

Top 25 most used passwords in 2018

1    123456      (Rank unchanged from last year)
2    password    (Unchanged)
3    123456789   (Up 3)
4    12345678   (Down 1)
5    12345   (Unchanged)
6    111111   (New)
7    1234567   (Up 1)
8    sunshine   (New)
9    qwerty   (Down 5)
10    iloveyou   (Unchanged)
11    princess.  (New)
12    admin.  (Down 1)
13    welcome   (Down 1)
14    666666   (New)
15    abc123   (Unchanged)
16    football   (Down 7)
17    123123   (Unchanged)
18    monkey   (Down 5)
19    654321   (New)
20    !@#$%^&*   (New)
21    charlie   (New)
22    aa123456   (New)
23    donald   (New)
24    password1   (New)
25    qwerty123   (New)

SplashData estimates almost 10% of people have used at least one of the 25 worst passwords on this year’s list, and nearly 3% of people have used the worst password, 123456.

There is a more useful side to all this frivolity and head shaking for system administrators. SplashData is offering a free download of the 100 most used passwords they have discovered which any security-minded administrator would be wise to load into their password blacklist if your systems support it. For more information go to: https://www.teamsid.com/100-worst-passwords/

By blacklisting certain words and strings, you can prevent your users setting a well-known password which is more easily guessed.  Best practice is to use a password manager to generate strong and complex passwords for every login. Setting password blacklists provides a useful safety net for when the usual complexity rules cannot be enforced.

How to configure password blacklists

For Windows try Microsoft Azure AD which now supports password blacklisting : https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-configure

Or third party solutions such as ManageEngine for traditional on premises Active Directory systems: https://www.ManageEngine.co.uk/products/self-service-password/

On Linux try the Pluggable Authentication Module (PAM): http://www.linux-pam.org/Linux-PAM-html/sag-pam_cracklib.html