It doesn’t matter what the dumbest password is, we’re going to keep using it

I wanted to avoid this story, but I can’t. Passwords are still the core authentication method used in the home and office today, and while solutions exist to replace them, it’s not going to happen anytime soon.

SplashData, a company that makes its bones by developing password management applications, has created a new list of dumb passwords. Surprisingly, ‘password’ isn’t at the top of the list – ‘123456’ is.

This story got a lot of attention, but it doesn’t matter what the dumbest password is, because it’s still dumb, and people will keep using it. But for the sake of argument, and to add some context, here are the ten dumbest passwords as listed by SplashData:

• 123456
• password
• 12345678
• qwerty
• abc123
• 123456789
• 111111
• 1234567
• iloveyou
• adobe123

The company says they compiled this list by crunching the data from files “containing millions of stolen passwords” posted online over the last year. However, many of the items on it are the same ones from 2011 and 2012, when SplashData released a similar report.

From the looks of it, the passwords on the list come from the breaches at Adobe, RockYou.com, and Gawker. Minor password dumps in 2013 contained similar passwords, but aside from Adobe, the other password lists have been on the web for years.

So what do news items like SplashData’s tell us? As security professionals, they tell us nothing that we don’t already know. Lists like the one released by SplashData can only show that people continue to chose weak passwords.

The reason people pick these poorly developed passwords is that they’re easily remembered. Moreover, in most cases users pick weak passwords because the application or process they’re required to use them on has no personal value or meaning. Thus, the poorly crafted password is a throwaway.

A perfect example of this is ‘adobe1’ from the SplashData list. It was likely chosen because it is easy to remember and meets the password requirements dictated by policy, but an Adobe account isn’t all that valuable to most people, at least not when compared to a banking or social media account. The same can be said for all the passwords that had ‘Stratfor’ in them once the Stratfor password list was cracked a while back.

Traditionally, organizations deal with passwords on two fronts: policy and training. Policy enforces password lengths, variables, and expiration, while training is supposed to help users select strong passwords that are not easily cracked using the aforementioned lists. Yet, the problem is that people can’t remember overly complex passwords or phrases, and in the case of value, they’ll still select throwaway password for things deemed unimportant that will find their way onto a “worst of” list eventually.

This part of the post is where I’d try and offer solutions to problems associated with passwords. I can’t though, because passwords have been a problem for years and no single answer can fix it. There are options on the market to address these issues, but it’s often cheaper and easier to stick to what works and assume the risk.

SplashData, obviously, recommends that password managers are a perfect solution to this problem. That’s expected, given the nature of their business, but they’re not wrong either. The problem is most businesses cannot incorporate password managers for various reasons, mostly due to overhead and support. Yet, I’ve been in businesses where password managers are used with great success, so it can happen. It depends on the business itself really.

If you have a solution that works, some sort of training or software that you’re using in-house, I’d like to hear about it. Feel free to email me or leave a comment below.