World's worst passwords: 123456 reasons to change your code
Published Tuesday, January 21, 2014 1:01PM EST
The only positive point to be drawn from 2013's list of the world's worst and easiest-to-hack passwords is that 'password' is no longer in the number one spot.
But even that tiny glimmer of hope is extinguished immediately because 'password' is still occupying the number two spot -- having been overtaken only over the course of the past 12 months by '123456.'
The list -- compiled by SplashData and drawn from passwords posted online following major web service hacks -- highlights the risks consumers are still taking by choosing easy-to-remember passwords, rather than secure ones.
Consumers may well be suffering from password fatigue -- the inability to continue to create and remember more and more unique log-ins as the number of web services they use proliferates -- but that is still no excuse for using 'qwerty' (No. 4) or 'abc123' (No. 5) for protecting their personal digital information.
Still, web users are not entirely to blame. Despite the ever-growing sophistication of hackers, many companies are not doing enough to force their users into using stronger passwords that feature a mix of characters, numbers and symbols.
"Another interesting aspect of this year's list is that more short numerical passwords showed up even though websites are starting to enforce stronger password policies," said Morgan Slain, CEO of SplashData.
If sites were enforcing stricter password rules, then it wouldn't be possible to set guessable passwords like '1234' (No. 16), '12345' (No. 20) or '000000' (No. 25).
Every time a site is hacked and the passwords exposed, those log-ins are added to existing password-cracking tools to make hacking the next site even easier.
These tools check against lists of known log-ins and look for patterns that have already been discovered, such as choosing a dictionary word and replacing its vowels with numbers.
SplashData advises using passwords with eight or more characters that contain a mix of upper- and lowercase characters and numbers, as well as letters, and trying to make them as random or seemingly random as possible.
One way of achieving this is by using a 'pass phrase,' which is a multi-word passcode that is longer and harder to crack, but still memorable to web users.
Other steps users can take include activating two-factor authentication if a site supports it and, if they must reuse a password, never choosing the one associated with their email account or online banking services.
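A sign-up check of the kind the article says sites should be enforcing, shown here as an added example (not from the article or SplashData): it rejects the passwords named above and undoes the number-for-vowel substitution that cracking tools already look for. The denylist and dictionary are small constructed samples, and `check_password` and `normalize` are hypothetical names.

```python
import re

# Constructed denylist: only the passwords this article names from the 2013 list.
# A real site would load a full corpus of leaked passwords instead.
COMMON = {"123456", "password", "qwerty", "abc123", "1234", "12345", "000000"}

# Constructed stand-in for a dictionary word list.
DICTIONARY = {"password", "welcome", "monkey", "dragon", "sunshine"}

# Number/symbol-for-letter swaps that users assume are clever and tools already undo.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "@": "a", "$": "s"})


def normalize(pw):
    """Lowercase, drop a trailing run of digits/symbols, then undo substitutions."""
    stem = re.sub(r"[^a-z]+$", "", pw.lower())
    return stem.translate(UNLEET)


def check_password(pw, min_len=8):
    """Return the reasons to reject pw; an empty list means it is accepted."""
    reasons = []
    if len(pw) < min_len:  # the article's advice: eight or more characters
        reasons.append("too short")
    if pw.lower() in COMMON:
        reasons.append("on common-password list")
    if pw.isdigit():
        reasons.append("digits only")
    if normalize(pw) in DICTIONARY:
        reasons.append("dictionary word with predictable substitutions")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["123456", "000000", "P4ssw0rd!", "correct horse battery staple"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'rejected: ' + ', '.join(verdict) if verdict else 'accepted'}")
```

'P4ssw0rd!' passes a typical "mix of characters, numbers and symbols" rule yet is rejected here, which is why a denylist and substitution check belong alongside composition rules rather than behind them.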
Here is the full list of the 25 most common passwords for 2013: