With weak passwords continuing, blame turns to security pros

With 'Jesus' and '123456' topping SplashData's annual list of worst passwords, onus on IT to require stronger passwords, says expert

"Jesus" was among the new entries in SplashData's annual list of worst passwords used on the Internet, as people apparently looked toward a higher authority to protect them against hackers.

Other equally unsafe passwords that made their debut Wednesday on the top 25 list of 2012 were ninja, mustang, and password1. Unchanged from last year in the top three slots were password, 123456, and 12345678, respectively. Rounding out the top 10 passwords were abc123, qwerty, monkey, letmein, dragon, 111111 and baseball.

SplashData, which makes password management applications, bases its list on millions of stolen passwords posted online by hackers. There have been several password hacks this year of high-profile sites, including Yahoo, LinkedIn, eHarmony and Last.fm.


While hacking tools get more sophisticated each year, many cybercriminals still prefer the low-hanging fruit when it comes to passwords. "Just a little bit more effort in choosing better passwords will go a long way toward making you safer online," SplashData Chief Executive Morgan Slain said in a statement.

People's use of guessable passwords has been a continuous threat for years. Many companies today have policies requiring stronger passwords, which often have to be changed every few months.

A 2006 study by the Software Usability Research Laboratory at Wichita State University found the majority of people use many unsafe password practices. They included never changing passwords, using the same one on multiple sites and never changing its complexity, even on an online banking account. More than half used personally meaningful words, such as names of children, pets or street names.

Jeremiah Grossman, founder and chief technology officer for WhiteHat Security, said people's use of weak passwords was not surprising. But rather than blame it on the user, he pointed the finger at information security professionals. "Information security have to take personal responsibility for telling people to do exactly the wrong thing," he said. "We're telling people to make up passwords that are hard for them to remember, but easy for machines to guess."

Rather than have people use random letters, numbers and symbols, Grossman recommends using long phrases that are memorable, such as a favorite line from a movie. "Easy to remember. Much, much harder to crack," he said.

When using words, SplashData recommends separating them with spaces or other characters, such as "eat cake at 8!" or "car_park_city?"
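The recommendations above translate naturally into a server-side policy check: reject the passwords that appear on the published worst-passwords list (including trivially dressed-up variants such as a capital letter plus trailing digits), then require length rather than character-class rules, so that memorable phrases like the two SplashData suggests pass while short "complex" strings do not. The following is an added illustration written for this article; it is not code from SplashData, WhiteHat Security or the article's authors. The blocklist is constructed from the entries named in the article, the 12-character minimum and the character-class sizes used for the brute-force estimate are assumed policy values, and `brute_force_bits` is only an upper bound on exhaustive guessing, not a measure of resistance to dictionary attacks.

```python
import math
import re

# Constructed blocklist: the worst passwords named in the article above
# (entries from SplashData's 2012 top-25 list). A real deployment would load
# a far larger list of leaked passwords.
WORST_PASSWORDS = frozenset({
    "password", "123456", "12345678", "abc123", "qwerty", "monkey",
    "letmein", "dragon", "111111", "baseball", "jesus", "ninja",
    "mustang", "password1",
})

MIN_LENGTH = 12  # assumed policy value, not taken from the article

_TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def normalize(password: str) -> str:
    """Lower-case and drop a trailing run of digits/symbols so that
    'Password123!' is compared against 'password'."""
    return _TRAILING_JUNK.sub("", password.lower())


def is_blocklisted(password: str) -> bool:
    """True if the password, or its normalized form, is a known-bad password."""
    lowered = password.lower()
    return lowered in WORST_PASSWORDS or normalize(lowered) in WORST_PASSWORDS


def charset_size(password: str) -> int:
    """Size of the union of standard character classes present in the password
    (assumed class sizes: 26 lower, 26 upper, 10 digits, 33 printable symbols
    including space)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the search space an attacker who knows only the character classes
    and the length would have to exhaust. Upper bound only: dictionary and
    pattern attacks do far better against common words and phrases."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def check_password(password: str) -> tuple[bool, str]:
    """Apply the policy: reject known-bad passwords first, then require length."""
    if is_blocklisted(password):
        return False, "appears on the known-bad password list"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed candidates: a worst-list entry, a dressed-up variant of one,
    # a short random-looking string, and the two passphrases the article suggests.
    for candidate in ["Jesus", "Password123!", "xK9#mQ2!", "eat cake at 8!", "car_park_city?"]:
        ok, reason = check_password(candidate)
        verdict = "OK    " if ok else "REJECT"
        print(f"{candidate!r:18} {brute_force_bits(candidate):6.1f} bits  {verdict} {reason}")
```

Running the block shows "Jesus" and "Password123!" rejected by the blocklist, the eight-character mixed-class string rejected on length, and both passphrases accepted with a larger brute-force search space than the short string despite using fewer character classes. Checking the blocklist before the length rule matters: a long but well-known phrase is still guessable, and normalizing before lookup catches the common habit of capitalizing a dictionary word and appending digits.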

Copyright © 2012 IDG Communications, Inc.
