Leaked 2014 passwords show that people are still careless online
What have the words password, baseball, dragon, football, monkey, mustang, access, shadow and master in common?
They all made the word passwords of 2014 list. The list, compiled by Splashdata, is based on 3.3 million passwords that leaked during 2014.
One could say that 3.3 million passwords are not really representative when it comes to online password use but since that is all the data that is available, it can be used to analyze trends.
And the main trend of 2014 seems to be that people are still as careless about online passwords as they were in previous years.
The passwords "123456" and "password" retained the top spot while other favorites such as "qwerty", "letmein" or "111111" are still in the top 25 list just like they were in previous years.
The big issue here is accounts can be easily attacked using brute force attacks that use dictionaries that contain the top 100, top 1000 or even top 10000 passwords and variations.
While password selection comes down to each individual user, it is not only the fault of the user that online security is in this predicament.
Online companies prefer to keep enforce basic password policies that are not too much of a nuisance to users. This in fact has not changed a lot since 10 or even 15 years ago where nearly the same rules were in effect.
Lets take a look at name and password guidelines of popular Internet companies
- Google requires a password of at least 8 characters. Passwords in addition to that cannot be reused, and easy to guess passwords such as "1234567" are not allowed.
- Microsoft requires that passwords contain at least 8 characters.
- Dropbox requires that passwords are 6 characters or more. Password strength is highlighted.
- Yahoo passwords must have a minimum size of 8 characters. In addition, they cannot be reused or be similar to previous passwords, cannot repeat single characters, cannot be "password" and cannot contain a user's first or last name, or Yahoo ID. Highlights password strength.
- Facebook passwords must have a minimum character count of 6. Highlights password strength.
- Twitter passwords must have a minimum character count of 6. The password strength is rated on input.
While most companies use low character limits for user account passwords, most suggest to users that they should use stronger passwords. Twitter for instance suggests to use a unique password that is at least 10 characters strong and uses a mix of uppercase, lowercase, numbers and symbols.
Why are not companies enforcing recommended password rules then? It is not clear why but an explanation that makes sense is that they fear that they would lose users over this who turn away in frustration when their passwords are not accepted during sign-up or password change.
Internet users who want to improve the strength of their passwords should consider using password managers like LastPass, KeePass or Dashlane as they will generate and store secure passwords for users.
Now You: What's your take on password use on today's Internet?Advertisement