SplashData lists top 25 dumbest passwords of 2015
SplashData lists top 25 dumbest passwords of 2015

SplashData has trawled through 2 million hacked passwords that were subsequently released publicly to find the top 25 bad passwords of 2015. There are no surprises in the list which really would be a news story so let’s take a quick cringe through the list.

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball
  11. welcome
  12. 1234567890
  13. abc123
  14. 111111
  15. 1qaz2wsx
  16. dragon
  17. master
  18. monkey
  19. letmein
  20. login
  21. princess
  22. qwertyuiop
  23. solo
  24. passw0rd
  25. starwars

Of this list, two would actually be acceptable to a number of enterprises, banks, airlines and online retailers as they are a mix of letters and numbers as well as being a minimum of eight characters in length. Of the remainder, SplashData makes the point that nine are new for 2015 and there has been a move towards longer passwords. That said more stupid is no improvement on stupid.

Where did the list come from

Beyond saying it was compiled from publically published lists of breach data, SplashData gives no more information and given the number of breached accounts in 2015, it could have come from anywhere. What is worrying is that while SplashData claimed to look at 2m passwords, with a little effort it is possible to buy user credential lists of 5 million, 10 million and even greater on the dark web. These lists even come with guarantees that they are from different types of sites and it would be interesting to see how often any of the twenty five paswords above feature in those lists.

Is the password situation as bad as this looks?

In reality there is a huge gap between what people use on their home devices and to connect to their work network. The problem for many businesses is that the growth of Bring Your Own Device (BYOD) means that they need to check what their users are using for security on their devices. Without that, they have no way of being certain that devices and thus corporate data are secure.

To counter this, user education is improving and people are more aware but there will always be groups for whom passwords are a problem. There is also the issue of computers in shared areas where passwords are often set to something simple and are often the default passwords for the hardware and/or software. At least four of the items on that list are passwords that, in the past, have come as defaults including one from an accounting package.

The rise of 2FA

Of course, over the last two years there has been a significant increase in the campaign to introduce the use of two-factor authentication (2FS) to improve security. This is working in some places. For example I am in Hannover writing this piece. When I logged into Hootsuite it detected I was at a different location and immediately required me to authenticate myself. To do this I received an email with a very long string to cut and paste into the authentication box.

As I was logging in from one of my devices I had access to the email so it would be possible to criticise these approach. However, at least Hootsuite did a challenge. Some other services have also challenged me but not the two credit cards and the one bank account I logged into. This is where we need to see a sea change in the way that organisations improve security.

Online retailers and others using poor password choices

As a journalist on the road regularly I use a lot of loyalty cards and online sites. Over 50% of those sites still have problems with passwords containing characters. Many of them would accept Passw0rd as a valid logon or even MyN3wPassw0rd. They would not accept something like MyN£wPa%%w0rd. This is because they use old and outdated methods for passing the password string into their authentication system.

What sort of online sites am I talking about? Two major airlines, a bank, two car hire companies, one hotel chain and a host of sites where I shop regularly. This is a problem that needs to be addressed across the entire online industry and it could be argued that using simplistic login credential systems is a governance issue that should be addressed.

Should we be forced to change passwords?

Unless there is a security breach I cannot recall the last time I was prompted by any site to change my password with the exception of my own network domain. Yes, this is about personal responsibility and I do make changes but few companies require it. There is a good business reason here, they are scared of chasing customers away by making access harder or forcing them to write things down.

This concern is well founded. Enterprises have long understood that the monthly password change with a history file containing the last 24 passwords is a problem. Users either resort to dumbing down passwords to barely meet the standard or they write them down. For vendors such as SplashData with their TeamsID solution and Dashlane with its password manager this is good news as they look to sell password vault systems to enterprises and individuals.

This is where 2FA comes back into play. Change my Dropbox password and it sends a code to my phone. Make a payment through one of my online banking or credit card companies and it regularly sends me an SMS to my phone to approve the payment. That doesn’t make them ultra secure as has been shown with call centres being persuaded to change SIM card numbers. However, it is a start and is something that needs to be improved on urgently.


Does this latest list really matter? Not really. It might be a pub quiz question in the future such: “as which idiot password was the number one for three years in a row?” For most of us we look at this and shake our heads at the poor choices people make. Sadly, for security teams, they know only too well that this is a risk inside their organisation that they still struggle to deal with.


Please enter your comment!
Please enter your name here