
The Globe and Mail

Twenty-five terrible passwords to stop using now

An executive that uses an awful password on a social platform such as LinkedIn could give even an amateur hacker the keys to his company’s network.


Humans are terrible at passwords.

Software company Splashdata (which makes a password-manager tool) has been compiling a list of the worst passwords since 2011, and the two most frequent crypts are still "123456" and "password."

The problem is, users with dead-simple passwords on Facebook are likely to do the same thing at work. Security-software developer Ping released a survey in 2015 that found half of workers reuse the same passwords across multiple enterprise tools, and two-thirds use those same passwords on personal services, such as social networks. An executive that uses an awful password on a platform such as LinkedIn could give even an amateur hacker the keys to his company's network. And the wealth of personal data we post online also makes it easier to use social engineering techniques to bypass password-reset security questions.


One reason why we are so bad at cryptography may be security fatigue. Researchers at Trend Micro have said that data get stolen every three seconds, and Splashdata compiles its database from the leaked credentials that appear online after some of the truly epic hacks that seem to happen on a monthly basis. This year's list was culled from two million leaked records, and the irony is that hackers don't need these weak passwords to get those records: Software itself is often leaky enough to break open and steal data.

All of which is why there is a growing movement to get rid of the things altogether. A survey of 308 digital-security experts, conducted by Wakefield Research late last year for SecureAuth (makers of two-factor authentication software), found 91 per cent of the respondents were sure the text password would be dead in 10 years.

"There's a lot of work being done to integrate biometric, but they are still a ways away from mainstream adoption," warns Mark Nunnikhoven, a vice-president at Trend Micro. Canada's Nymi has been flogging its heartbeat-reading biometric, while an increasing number of smartphones offer fingerprint access. "Companies should look to adopt multifactor authentication in the short term. It will help compensate for human nature when it comes to password hygiene." MFA or two-factor authentication is where a text or other message is sent to a secondary device in order to confirm an attempt to log in.

In the meantime, please remember that "1qaz2wsx" may be a nonsense word, but anything that's a simple pattern (such as the first two rows of a keyboard) is not a good password.

Splashdata's 'Worst passwords of 2015'

Rank  Password  Change from 2014
3     12345678  Up 1
4     qwerty    Up 1
5     12345     Down 2
7     football  Up 3
8     1234      Down 1
9     1234567   Up 2
10    baseball  Down 2
13    abc123    Up 1
14    111111    Up 1
16    dragon    Down 7
17    master    Up 2
18    monkey    Down 6
19    letmein   Down 6
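
A minimal screening check for the point about "1qaz2wsx", added here as an example and not part of the original article: it rejects the passwords named in the article and flags passwords typed mostly along neighbouring keys. The US QWERTY layout, the 0.75 threshold and all function names are assumptions.

```python
# Added example: screen a candidate password against the entries printed in
# this article and against simple keyboard patterns.

# Passwords named in the article (the two in the text plus the table rows).
ARTICLE_LIST = {
    "123456", "password", "12345678", "qwerty", "12345", "football",
    "1234", "1234567", "baseball", "abc123", "111111", "dragon",
    "master", "monkey", "letmein",
}

# US QWERTY rows; each key gets a (row, column) coordinate. Assumed layout.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}

WALK_THRESHOLD = 0.75  # assumed cut-off, not from the article


def adjacent(a, b):
    """True if two characters are the same key or neighbouring keys."""
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
    # Ignores the physical stagger of key rows, so it slightly over-matches.
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def adjacency_ratio(password):
    """Fraction of consecutive character pairs that sit next to each other."""
    pw = password.lower()
    if len(pw) < 2:
        return 0.0
    hits = sum(adjacent(a, b) for a, b in zip(pw, pw[1:]))
    return hits / (len(pw) - 1)


def screen(password):
    """Return a list of reasons to reject the password (empty if none)."""
    reasons = []
    if password.lower() in ARTICLE_LIST:
        reasons.append("listed")
    if adjacency_ratio(password) >= WALK_THRESHOLD:
        reasons.append("keyboard-pattern")
    return reasons
```

"1qaz2wsx" is not on the list, yet six of its seven key-to-key steps land on a neighbouring key, so the pattern check still rejects it.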

About the Author
Technology reporter

Shane Dingman is The Globe and Mail's technology reporter. He covers BlackBerry, Shopify and rising Canadian tech companies in Waterloo, Ont., Toronto and beyond.

