New Surveys Reveal 2017’s Worst Passwords

A just-released pair of new surveys confirm that people still love their weak passwords. SplashData reveals the worst passwords of 2017, while EPC Group shares interesting password trends by gender, location, and other factors.

The Worst Passwords of 2017

SplashData’s new survey on password strength and reuse shows that not much changed for 2017. People worldwide still tend to use weak passwords for multiple locations online. SplashData also notes that people also reuse these weak passwords on multiple websites. Estimates show that one in ten Internet users have used one of the 25 weakest passwords; 3% have used the #1 choice, “123456”. We’ve listed the top ten most common passwords below.

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. letmein
8. 1234567
9. football
10. iloveyou

Gender and Location Differences in Passwords

EPC Group also released a report sharing trends in passwords along gender, location, and age lines. We’d recommend you read the entire report, but we’ve summarized the relevant data points below.

Password Creation

• Men love to use the word “password” in their passwords (2.8x more likely than women)
• Women reference their significant other’s name more frequently (1.3x more likely than men)
• Women also tend to use 4 or more words in their passwords (1.5x more likely than men)
• 12% of passwords used in the western US reference sports teams (2.2x as likely as the lowest region)

Password Security

• Many people tend to physically write down their passwords on paper (43% of users)
• Millennials prefer to store their passwords on their phone (1.5x as likely than baby boomers)
• 61% of Americans use personal info in their current passwords
• 37.5% of users only change their password when forced to; 11% never change it
• People in the South are 5 times more likely to forget their passwords than the least-forgetful region

What This Means For You

When designing a password policy for your organization, you should verify that many of the weaknesses and issues known above don’t affect you. Here’s some tips:

• Always require passwords of a minimum length and complexity. Require the use of at least one capital letter, one lowercase letter, one number, and one special character. Encourage if not require the use of more.
• Consider comparing the hash of a user’s password with the hash of known or breached plaintext passwords. If they match, do not allow it. Do this at password creation and intermittently thereafter, as laws and regulations allow.
• Discourage the use of identifying information in a password. Due to the nature of password hashes, this can be difficult to enforce programmatically. So reference this point in your security awareness training.
• Conduct security awareness training regularly.
• Require your users to change their passwords every 90 days, maximum.
• Provide easy-to-use password managers so users don’t need to write down their passwords on paper.

Secure Compliance Solutions LLC (SCS) provides a wide range of cybersecurity consulting and managed security services to small and medium sized businesses (SMB) and government agencies, fortifying their Information Security and Data Privacy programs. SCS works with its clients to tailor and implement industry-proven frameworks and standards to meet compliance goals and drive consistent security operations. We raise awareness of current security trends and risks to prepare personnel to recognize and defend against potential security issues. We implement technical solutions and controls to minimize data risks and liabilities. Our Managed Security Service provides “constant watch” against both internal and external cyber threats and attacks. At SCS, we promote a strategy of readiness and resilience that facilitates business risk mitigation and enables dynamic response capabilities to keep your business up and running.