The Worst Passwords of 2018 are Just as Dumb as You'd Expect
"Password" will never be a good password. Period.
[...] It doesn't look like we're getting any smarter about our passwords.
On Thursday, software company SplashData released its annual list of the Top 100 worst passwords, and it includes some pretty obvious blunders. Coming in at No. 1 is, you guessed it, "123456," and in second place is, yup, "password." This is the fifth year in a row these passwords have held the top two spots.
Newcomers to the list include "666666" (No. 14), "princess" (No. 11) and "donald" (No. 23).
[...] To compile its list, SplashData evaluated more than 5 million leaked passwords, mostly from users in North America and Western Europe. The company estimates that about 10 percent of people have used at least one of the Top 25 worst passwords, and about 3 percent have used "123456."
[...] Here are the 25 worst passwords of 2018, according to SplashData:
1) 123456
2) password
3) 123456789
4) 12345678
5) 12345
6) 111111
7) 1234567
8) sunshine
9) qwerty
10) iloveyou
11) princess
12) admin
13) welcome
14) 666666
15) abc123
16) football
17) 123123
18) monkey
19) 654321
20) !@#$%^&*
21) charlie
22) aa123456
23) donald
24) password1
25) qwerty123
(Score: 2) by looorg on Friday December 14 2018, @02:18PM (3 children)
How do they rank them? I just skimmed the article really but I can't find anything about how they rank them, as in how do they pick the worst one. Is it frequency (as in how many times it occurs in the datasets they have gathered) or what?
After all (5) 12345 should be a worse password than (1) 123456. After all it's at least a character shorter, so even if you don't use some kinda dictionary attack but instead brute force it then it should find (5) before (1) -- even though it's probably just a matter of seconds but still. Naturally one would assume that the common ones, or just words that are found in a normal dictionary would be worse than words that are not but on the other hand if you brute-force guess then it might be all about length and if you cram in some special characters or not. So in that regard (24) password1 is better than (2) password. Brute-forcing, it's an extra character but if you run a dictionary or wordlist attack it might not matter all that much.
(Score: 2) by nobu_the_bard on Friday December 14 2018, @03:17PM (1 child)
Yeah I couldn't find any data about their sources.
For example, if this data is culled from websites that had plaintext password leaks, then it's data that only represents the subset of websites that had plaintext password leaks. That's already a pretty good sign it's a trash website, which implies most of the accounts are probably trash.
In an era of fake news, not giving any hint of your sources or methods makes your news post worthless.
Of course maybe it was in the video at the top, which I didn't watch. I doubt it; it looked like it was not more than 2 minutes long.
(Score: 3, Insightful) by Anonymous Coward on Friday December 14 2018, @04:06PM
It is amazing that people are told by the fake news that we are in a "new era" of fake news and they believe it. There is nothing new about it. You should have always demanded (non-anonymous) sources and methods.
(Score: 0) by Anonymous Coward on Friday December 14 2018, @04:31PM
They rank them by the number of times that each bad password was found in data breach dumps. So "123456" was found the most (excluding any good passwords that may have occurred more often).
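A small worked illustration of the two ranking notions argued over in this thread: frequency in a dump (what the last reply describes) versus worst-case brute-force search cost by length (looorg's point), plus the blocklist check a login form could apply against the published top 25. This is example code added here, not SplashData's method and not from anyone in the thread; the dump lines are constructed and the keyspace model (exhaustive search over the character classes a password uses) is an assumption made for the illustration.

```python
from collections import Counter
import string

# The 2018 SplashData top 25 from the article, used as the blocklist a login form would consult.
WORST_25 = (
    "123456", "password", "123456789", "12345678", "12345", "111111", "1234567",
    "sunshine", "qwerty", "iloveyou", "princess", "admin", "welcome", "666666",
    "abc123", "football", "123123", "monkey", "654321", "!@#$%^&*", "charlie",
    "aa123456", "donald", "password1", "qwerty123",
)

# Constructed sample of a leaked "user:password" dump; not real breach data.
SAMPLE_DUMP = """\
alice:123456
bob:password
carol:123456
dave:12345
erin:123456
frank:password
grace:12345
heidi:password
ivan:123456
judy:Tr0ub4dor&3
"""

def rank_by_frequency(dump):
    """Rank passwords by occurrence count in the dump: the metric the thread settles on."""
    counts = Counter(line.split(":", 1)[1] for line in dump.splitlines() if ":" in line)
    return [pw for pw, _ in counts.most_common()]

def brute_force_guesses(pw):
    """Worst-case guess count for an exhaustive search that tries every length up to len(pw)
    over only the character classes the password actually uses (assumed model)."""
    classes = (string.digits, string.ascii_lowercase, string.ascii_uppercase, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    return sum(alphabet ** n for n in range(1, len(pw) + 1))

def is_acceptable(candidate, blocklist=WORST_25):
    """Defender-side check: refuse any candidate found in the breached-password list."""
    return candidate.lower() not in {p.lower() for p in blocklist}

if __name__ == "__main__":
    # Frequency rank puts 123456 first; the guess bound shows 12345 is the cheaper brute-force target.
    for pw in rank_by_frequency(SAMPLE_DUMP):
        print(f"{pw:12} guesses<= {brute_force_guesses(pw):>14,} acceptable={is_acceptable(pw)}")
```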