It’s nearly that time again when SplashData will release its annual list of worst passwords, but this list comes from Keeper Security, which analyzed more than 10 million passwords available on the public web before publishing its list of the 25 most common passwords of 2016.
Keeper pointed a finger of blame at websites for not enforcing password best practices. But even where a site does nothing to help you judge whether a password is decent, common sense should rule out every entry on this list. It’s disheartening to know that 17 percent of people still try to safeguard their accounts with “123456.” And “password” is, of course, still on the list, along with keyboard patterns such as “qwerty” and “123456789”.
I thought it might be interesting to list not only the passwords but also how quickly they could be cracked. That figure changes all the time: whenever a site is breached, the dumped passwords get added to cracking wordlists, and anything on such a list is found in an attacker’s first pass no matter how long a brute-force search would have taken. With that caveat, each password on Keeper’s list is broken down below into two estimated times to crack; one estimate is from Random ize and the other is from BetterBuys.
| # | Keeper’s list of worst passwords in 2016 | Time to crack according to Random ize | Estimated cracking time according to BetterBuys |
|---|---|---|---|
| 1 | 123456 | Less than one second | 0.25 milliseconds |
| 2 | 123456789 | Less than one second | 0.25 milliseconds |
| 3 | qwerty | Less than one second | 0.25 milliseconds |
| 4 | 12345678 | Less than one second | 0.25 milliseconds |
| 5 | 111111 | Less than one second | 0.25 milliseconds |
| 6 | 1234567890 | 3 seconds | 0.25 milliseconds |
| 7 | 1234567 | Less than one second | 0.25 milliseconds |
| 8 | password | 1 minute, 13 seconds | 0.25 milliseconds |
| 9 | 123123 | Less than one second | 0.25 milliseconds |
| 10 | 987654321 | Less than one second | 0.25 milliseconds |
| 11 | qwertyuiop | 13 hours, 48 minutes | 4 months, 4 days, 7 hours, 11 minutes, 46 seconds |
| 12 | mynoob | Less than one second | 24 seconds |
| 13 | 123321 | Less than one second | 0.25 milliseconds |
| 14 | 666666 | Less than one second | 0.25 milliseconds |
| 15 | 18atcskd2w | 14 days, 21 hours | 8 years, 9 months, 3 weeks, 6 days, 8 hours, 50 minutes, 57 seconds |
| 16 | 7777777 | Less than one second | 0.25 milliseconds |
| 17 | 1q2w3e4r | 16 minutes, 33 seconds | 0.25 milliseconds |
| 18 | 654321 | Less than one second | 0.25 milliseconds |
| 19 | 555555 | Less than one second | 2 minutes, 46 seconds |
| 20 | 3rjs1la7qe | 14 days, 21 hours | 8 years, 9 months, 3 weeks, 6 days, 8 hours, 50 minutes, 57 seconds |
| 21 | google | Less than one second | 0.25 milliseconds |
| 22 | 1q2w3e4r5t | 14 days, 21 hours | 8 years, 9 months, 3 weeks, 6 days, 8 hours, 50 minutes, 57 seconds |
| 23 | 123qwe | Less than one second | 0.25 milliseconds |
| 24 | zxcvbnm | 2 seconds | 0.25 milliseconds |
| 25 | 1q2w3e | Less than one second | 0.25 milliseconds |
As for some of the more peculiar random passwords appearing on the list, those particular oddballs showed up on LeakedSource in June 2016 after media company VerticalScope was hacked. The database contained “nearly 45 million records from over 1,100 websites and communities.” Graham Cluley said he suspected that some of the passwords in that leak, such as “18atcskd2w”, “3rjs1la7qe,” and “q0tsrbv488”, were “created by bots, perhaps with the intention of posting spam onto the forums.”
It’s worth noting that BetterBuys’ estimates assume an Intel Core i5-6600K processor, Intel benchmark data and the cracking tool John the Ripper. In other words, the figures model an offline brute-force search on a single desktop CPU; they say nothing about which hash algorithm a site uses, and they ignore wordlist attacks, which find any already-leaked password immediately. The calculator estimates how quickly a password could be cracked in 2016, but each year, as hardware evolves and attackers become more proficient, the same password gets weaker: one that took .29 milliseconds to crack in 2015 could be cracked in .25 milliseconds in 2016.
“For example,” BetterBuys wrote, “a password that would take over three years to crack in 2000 takes just over a year to crack by 2004. Five years later, in 2009, the cracking time drops to four months. By 2016, the same password could be decoded in just over two months. This demonstrates the importance of changing passwords frequently.”
Another example using a password on this list: in 2015, BetterBuys estimated that “qwertyuiop” could be cracked in 4 months, 3 weeks, 3 days, 32 minutes, 10 seconds; in 2016, the time shortened to 4 months, 4 days, 7 hours, 11 minutes, 46 seconds.
Since “18atcskd2w” now appears on a published list, it has presumably already been added to cracking wordlists and takes no time at all to crack. But to show how a password’s estimated strength erodes each year, BetterBuys estimated that in 2015 it would take 1 decade, 2 months, 2 weeks, 3 days, 16 hours, 30 minutes and 24 seconds to crack “18atcskd2w”. In 2016, it would take 8 years, 9 months, 3 weeks, 6 days, 8 hours, 50 minutes, 57 seconds.
If you think your 12-character password is secure, then you might want to check out a recent article by Netmux, a cybersecurity firm made up of military veterans, which goes into detail about how to crack 12-character passwords.
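The two points the crack-time tables keep circling back to are (a) the estimates are keyspace arithmetic that depends on an assumed guess rate and character set, and (b) the arithmetic is meaningless once a password sits on a public list, because a wordlist attack finds it on its first pass. The Python below is an added example, not code from Keeper, BetterBuys or Random ize, and it does not reproduce their methodology. It builds a constructed wordlist from the 25 entries in the table above, estimates brute-force time with an assumed rate of one billion guesses per second and the usual character-class alphabet model, and shows a site-side registration check of the kind Keeper says websites should be enforcing. The guess rate, the 12-character minimum and the function names are all assumptions made for the illustration.

```python
import string

# Constructed wordlist for the example: the 25 entries from Keeper's 2016 list
# as reproduced in the article. A real deployment would load a much larger
# breach-derived list, not these 25 strings.
COMMON_PASSWORDS = frozenset([
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "1234567", "password", "123123", "987654321", "qwertyuiop", "mynoob",
    "123321", "666666", "18atcskd2w", "7777777", "1q2w3e4r", "654321",
    "555555", "3rjs1la7qe", "google", "1q2w3e4r5t", "123qwe", "zxcvbnm",
    "1q2w3e",
])

# Assumed guess rate for the brute-force model. This is an illustrative
# assumption (roughly a single GPU against a fast unsalted hash), not the
# BetterBuys i5-6600K / John the Ripper figure.
ASSUMED_GUESSES_PER_SECOND = 1e9

# Character classes and the alphabet width each one contributes.
_CLASSES = (
    (frozenset(string.digits), 10),
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.punctuation), len(string.punctuation)),  # 32 symbols
)


def charset_size(password):
    """Alphabet size an attacker must assume, from the character classes present.

    Each printable-ASCII class present adds its whole class to the alphabet,
    which is how most "time to crack" calculators reason. Any other character
    (space, non-ASCII) adds 1, so the result stays a lower bound.
    """
    size = sum(width for members, width in _CLASSES
               if any(c in members for c in password))
    others = {c for c in password if not any(c in m for m, _ in _CLASSES)}
    return size + len(others)


def brute_force_seconds(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to exhaust every string up to len(password) over its alphabet."""
    n = charset_size(password)
    keyspace = sum(n ** k for k in range(1, len(password) + 1))
    return keyspace / rate


def humanize(seconds):
    """Render a duration to three significant figures in the largest fitting unit."""
    if seconds < 1:
        return f"{seconds * 1000:.3g} milliseconds"
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"


def estimate(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Crack-time estimate that consults the wordlist before trusting keyspace maths."""
    if password in COMMON_PASSWORDS:
        method, seconds = "wordlist", 0.0   # hit on the attacker's first pass
    else:
        method, seconds = "brute-force", brute_force_seconds(password, rate)
    return {"password": password, "method": method,
            "seconds": seconds, "human": humanize(seconds)}


def check_registration(password, min_length=12):
    """Site-side policy check: None if acceptable, otherwise the reason to reject.

    The list check runs first and case-insensitively, so a long password that
    is merely a known leaked string is still refused.
    """
    if password.lower() in COMMON_PASSWORDS:
        return "appears on a public password list"
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    return None


if __name__ == "__main__":
    for pw in ("123456", "18atcskd2w", "1q2w3e4r5t!", "Ac3s-R4nd0mP@ss"):
        e = estimate(pw)
        verdict = check_registration(pw) or "accepted"
        print(f"{pw:16} {e['method']:11} {e['human']:>18}  registration: {verdict}")
```

Run stand-alone, the script prints one line per sample password. The instructive pair is “18atcskd2w” and “1q2w3e4r5t!”: the ten-character string that BetterBuys rates at almost nine years is reported as a wordlist hit with zero cracking time, because it is on the list, while the eleven-character variant with one extra symbol, which is not on the constructed list, comes out at thousands of years of brute force under the assumed rate. Both numbers are only as good as the wordlist and the rate you feed in, which is the caveat to keep in mind when reading any such table.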
If you aren’t using a password manager yet, then you should make that one of your 2017 resolutions.