A closer look at the current state of password security

Quick, think up a password. Got it? If you came up with something like Turnip123Fish# or L3t_My_P30p!3_go, congratulations. You've been paying attention to our advice about strong passwords. Now, do you actually use passwords like that? The data suggest not – in this case, analysts at SplashData have waded through files containing millions of passwords stolen and posted online during 2013. All too many of them were ridiculously weak, vulnerable to even the lamest brute-force attack.

Worst of the year

SplashData has been listing the 25 worst passwords for some years now, and "password" has always topped the list as the most common password. This year it was deposed by the long-time second worst password: "123456." No, really!

Simple-minded numeric passwords have always been popular. "More short numerical passwords showed up [this year] even though websites are starting to enforce stronger password policies," said Morgan Slain, CEO of SplashData. "New to this year's list are simple and easily guessable passwords like '1234' at #16, '12345' at #20, and '000000' at #25."

Other numeric newcomers to the list of the top 25 worst passwords are "123456789" and "1234567890." The password "12345678" remains in third place. This is also the first year for "azerty," "princess," "photoshop," and "adobe123." Those last two surely pertain to last year's huge Adobe breach.

I've never understood why "monkey" is a much-used (and therefore bad) password. It seems to be on the way out, in any case. It still made the list, but dropped 11 places to #17. The Mulder-esque "trustno1" sank to #24, almost off the list entirely. Here's a link to the complete report.

You can do better

SplashData's report points out that dictionary attacks now include "leet-speak" substitutions like "dr4mat1c" for "dramatic," so that's no longer a route to strong passwords. Totally random passwords like T6#%8xWKs#Tf may be strong, but who can remember them? The report suggests combining several unrelated words with other characters between them. It also rails against reusing passwords.
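To show why leet-speak no longer helps, here is an added example (not from the report or from SplashData) of the kind of check a site can run when a user picks a password: it undoes the common substitutions and strips trailing digits before comparing against a blocklist, just as a wordlist attack would. The blocklist, the mini dictionary and the substitution table are constructed for illustration; a real deployment would load a full breach-derived list.

```python
import re

# Constructed sample of weak passwords named in the report; a real deployment would
# load a full breach-derived blocklist (this is not SplashData's data).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "azerty", "1234", "12345",
    "000000", "123456789", "1234567890", "monkey", "trustno1", "princess",
    "photoshop", "adobe123",
}

# Constructed mini wordlist standing in for a cracker's dictionary (assumption).
DICTIONARY = {"dramatic", "monkey", "princess", "password", "adobe", "turnip", "fish"}

# Leet substitutions a dictionary attack undoes before matching (assumed table).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t", "+": "t"})

def candidates(password):
    """Forms a wordlist attack would try: lowercased, trailing digits/symbols
    stripped, and each of those with leet-speak undone ('dr4mat1c' -> 'dramatic')."""
    lower = password.lower()
    forms = {lower, re.sub(r"[^a-z]+$", "", lower)}
    return forms | {f.translate(LEET) for f in forms}

def word_count(password):
    """Best-effort count of word-like runs, tried on raw and de-leeted forms."""
    lower = password.lower()
    return max(len([w for w in re.split(r"[^a-z]+", f) if len(w) >= 2])
               for f in (lower, lower.translate(LEET)))

def check_password(password):
    """Return (accepted, reason). Rejects what a blocklist or wordlist attack covers."""
    if password.lower() in COMMON_PASSWORDS:
        return False, "on the common-password list"
    hit = next((c for c in candidates(password) if c in DICTIONARY), None)
    if hit is not None:
        return False, "dictionary word '%s' (leet-speak does not hide it)" % hit
    if len(password) < 12:
        return False, "shorter than 12 characters"
    if word_count(password) >= 3:
        return True, "multi-word passphrase"
    return True, "long and not a dictionary word"

if __name__ == "__main__":
    for pw in ["123456", "dr4mat1c", "Pr!nc3ss2014", "L3t_My_P30p!3_go", "T6#%8xWKs#Tf"]:
        print(pw, check_password(pw))
```

Note that "dr4mat1c" and "Pr!nc3ss2014" fall to the same dictionary check as their plain forms, while the multi-word "L3t_My_P30p!3_go" passes.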

Of course, the best way to make sure your passwords are all strong and all different is to use a password manager. A good one will not only capture and play back your passwords, it will also automatically generate strong passwords for you. The best ones, like LastPass and Dashlane, include a feature that finds your weakest passwords and walks you through fixing them.

So, what do you say? Are you ready to protect your own assets with better passwords in 2014? I would be utterly thrilled if next year's list included none of the same offenders from this year.