What Can We Learn From Bad Passwords?

By Daniel J. Solove

Posted on January 28, 2016



The SplashData annual list of the 25 most widely used bad passwords was recently posted for passwords used in 2015. The list is compiled each year from passwords exposed in breaches during that year, so it reflects what people actually chose, not what they claim to choose. Here is the list of passwords for 2015, and below it, I have some thoughts and reactions to the list.

 
Image: Solove_PasswordList.jpg
 

So what can we learn from all this?

 

1. Some people really lack much imagination. For passwords, people often draw from life experiences, loved ones, and hobbies and interests. If the only thing some people can think of for their password is "password," then they not only need to get some better security wisdom, but they also need to get a better life!

 

2. Some people have at least learned the lesson that a longer password is better. The most widely used password was 123456. It could have been worse: Password #5 is 12345. To the folks who used 1234 (Password #8), shame on you! Some folks can count higher. Password #9 goes to 7 digits: 1234567. Password #12 has 10 digits: 1234567890 -- it seems some people at least were listening to the advice that passwords should be long. (Length only helps when the characters are unpredictable; a ten-digit run that sits near the top of every cracking wordlist is guessed within the first few tries, not the ten-billionth.) But where are the people with 11-digit passwords? Aren't there people out there who think that the best password goes to 11?

 

3. There are definitely some sports fans here as well as some folks into fantasy. Maybe I'm stereotyping, but this list seems to skew male.

 

4. With the new Star Wars movie, a new entry to the list was starwars. Sadly, the Force wasn't with these people, and the use of this password correlates quite well to susceptibility to the Jedi mind trick.

 

5. Several passwords involved login/access words -- login, password, passw0rd, welcome, letmein. Sadly, the password notbythehaironmychinnychinchin didn't make the list.

 
Image: Solove_Login-(2).jpg
 

6. Other passwords show keyboard proximity -- qwerty, qwertyuiop, and all the numeric passwords. 1qaz2wsx looks like a clever password, but it is just two adjacent columns of keys on the left side of the keyboard, typed top to bottom, and cracking tools enumerate such keyboard walks just as they enumerate dictionary words.

 
Image: Solove_Keyboard.png
 

7. It is easy to mock these passwords. But it is hard for people to remember many long and complex passwords, especially if people are forced to change their passwords routinely. People have too many online accounts these days to remember all of their passwords. We demand the impossible of people with passwords, and then we blame them when they fail. Last year, I wrote about this problem in a blog post and at Wired.

 
Image: Solove_Brain.jpg
 

8. All of the password advice put together takes the impossible and multiplies it by the impossible. People are told to choose long and complex passwords, use special characters, include upper and lower case letters, and have numerals, as well as to use different passwords for each account, to not write them down, and to change them frequently. Can anyone possibly do this for hundreds of different accounts? It is doable for one account, such as one's work account, but not possible for all accounts.

 
Image: Solove_WeDemand.jpg
 

9. Probably everyone has a bad password or two. Or three. Even the experts! Not me, of course . . . Definitely not me . . .

 

10. Despite all the technology, much data security boils down to people. Force them to select good passwords, and people will write them on sticky notes on their desks. Or get people to do everything right, and then a phisher comes along and tricks them to give up their passwords. So much of data security is just getting people to behave. But we can and should make things easier by improving the authentication process and not demanding that people do the impossible.

 
Image: Solove_ComputerDude.jpg
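The patterns called out in points 2, 5 and 6 above (digit sequences, login words with leetspeak substitutions, and keyboard walks) are exactly what a registration-time weak-password screen looks for, so that the burden of spotting them falls on the system rather than the user. The following Python is an added example for this page, not code from the original post or from SplashData. The deny list is constructed from only the passwords the post names and stands in for a full breached-password corpus; the US QWERTY rows and columns, the leetspeak mapping and the 0.75 walk threshold are assumptions chosen for illustration.

```python
"""Weak-password screen for the patterns the list above illustrates.

Added example for this page; not code from the original post or from
SplashData. The deny list is constructed from only the passwords the post
names and stands in for a full breached-password corpus; the US QWERTY
rows/columns and the 0.75 walk threshold are assumptions for illustration.
"""

# Constructed from passwords named in the post (a real screen loads a full
# breach-derived list such as the SplashData or Have I Been Pwned data).
COMMON_PASSWORDS = {
    "123456", "12345", "1234", "1234567", "1234567890",
    "password", "passw0rd", "login", "welcome", "letmein",
    "qwerty", "qwertyuiop", "1qaz2wsx", "starwars",
}

# Leetspeak substitutions undone before the deny-list lookup, so that
# passw0rd and P@ssw0rd are both treated as "password". Assumed mapping.
LEET = str.maketrans("013457@$!", "oleastasi")

# Assumption: US QWERTY layout. A keyboard walk moves along a row
# (qwertyuiop) or down a column (1qaz, 2wsx), which is all 1qaz2wsx is.
KEYBOARD_LINES = [
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",            # rows
    "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm",         # columns
    "8ik", "9ol", "0p",
]


def _adjacent_pairs():
    """Build the set of (char, char) pairs that sit next to each other."""
    pairs = set()
    for line in KEYBOARD_LINES:
        for a, b in zip(line, line[1:]):
            pairs.add((a, b))
            pairs.add((b, a))
    return pairs


ADJACENT = _adjacent_pairs()


def keyboard_walk_ratio(password):
    """Fraction of consecutive character pairs that are keyboard neighbours."""
    pw = password.lower()
    if len(pw) < 2:
        return 0.0
    hits = sum((a, b) in ADJACENT for a, b in zip(pw, pw[1:]))
    return hits / (len(pw) - 1)


def longest_sequence(password):
    """Longest run of consecutive code points in one direction (123456, abcdef, 9876)."""
    best = run = 1
    direction = 0
    for a, b in zip(password, password[1:]):
        step = ord(b) - ord(a)
        if step in (1, -1) and step == direction:
            run += 1
        elif step in (1, -1):
            run, direction = 2, step
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def weaknesses(password, min_length=8, denylist=COMMON_PASSWORDS):
    """Return the reasons a candidate password should be rejected (empty = accepted)."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    lowered = password.lower()
    if lowered in denylist or lowered.translate(LEET) in denylist:
        reasons.append("on deny list")
    if longest_sequence(password) >= 4:
        reasons.append("character sequence")
    if keyboard_walk_ratio(password) >= 0.75:
        reasons.append("keyboard walk")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: the post's examples plus one long passphrase.
    for candidate in ["123456", "1234567890", "P@ssw0rd", "1qaz2wsx",
                      "letmein", "abcdefgh", "correct horse battery staple"]:
        print(f"{candidate!r:32} {weaknesses(candidate) or 'accepted'}")
```

The screen rejects rather than scores: a password that fails any one check is sent back with the reason, which is more useful to the user than a colour bar. Note that the adjacency check is deliberately a ratio, not an all-or-nothing match, so that 1qaz2wsx is caught even though the jump from z back up to 2 breaks the walk.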
 

I find at least some of the password advice to be counterproductive. People shouldn't be forced to constantly change their passwords; they should write them down -- just keep them in a secure place and not in their wallets or on their desks. And the advice to use a different password for every account is not feasible -- nobody can remember hundreds of different passwords. Passwords shouldn't be reused for work accounts and other really important accounts, since a password leaked from one site will be tried against every other, but never reusing a password across any two accounts is impractical.

 

So what, exactly, can we learn from bad passwords? Bad passwords are a symptom of a much larger problem -- but at least a symptom that will give us a laugh.

 

* * *

 

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School and the founder of TeachPrivacy, a privacy/data security training company. He is the author of 10 books and more than 50 articles.
Twitter: @DanielSolove

 

Image Credits: Fotolia with Solove adaptation

 

 

The preceding is republished on TAP with permission by its author, Professor Daniel Solove. “What Can We Learn From Bad Passwords?” was originally published January 26, 2016 on Professor Solove’s LinkedIn Commentary page. Professor Solove is among LinkedIn’s 150 top influential thought leaders. In addition to his LinkedIn blog, Professor Solove blogs at Privacy+Security Blog.

 

