Tip: How to stop relying on only passwords

SplashData released its list of the most popular (and therefore worst) passwords. Fear not – two-factor authentication can help.

File - Illustration picture of computer keyboard with letters stacked forming the word 'password' taken in Warsaw

Kacper Pempel

January 21, 2015

SplashData released its fourth annual list of the most common Internet passwords, or, as it has been come to be known: “The Worst Password List."

The 2014 list of worst passwords revealed itself to be mostly unchanged since last year. The No. 1 spot still belongs to “123456." The classic password “password” held strong at No. 2. And “12345” rose from seventh place to third. (Getting clever guys!)

Some of the new favorites included “baseball,” “access,” “mustang,” and, for some reason, “michael.”

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

With the release of this year's list, there has been a collective, frustrated sigh from the media. The responses have varied from labeling it “embarrassing,” “awful,” and “horrible” to flat out begging the Internet to stop using these passwords.

But there is light. As the report goes on to say, the passwords on the top 25 list only accounted for 2.2 percent of all Internet passwords that SplashData researched. The list, which collects most of its data from North America and Europe, shows a trend of people moving away from these basic, overused passwords, says Mark Burnett, online security expert and author of “Perfect Passwords.”

"The bad news from my research is that this year's most commonly used passwords are pretty consistent with prior years,” says Mr. Burnett in a statement. “While [2.2 percent of Internet users is] still frightening, that's the lowest percentage of people using the most common passwords I have seen in recent studies."

While some people may never understand the importance of choosing a strong password, SplashData complied a list of ways to pick a solid password.

The site recommended you avoid using baby-name books, sports and sports teams, and birthday years (1989 through 1992 all made it in the top 100).

Its top recommendations included avoiding sequences like “ 'qwertyuiop,’ which is the top row of letters on a standard keyboard, or ‘1qaz2wsx’ which comprises the first two ‘columns’ of numbers and letters on a keyboard.”

“Passwords based on simple patterns on your keyboard remain popular despite how weak they are,” says Morgan Slain, chief executive officer of SplashData, in a statement. “As more websites require stronger passwords or combinations of letters and numbers, longer keyboard patterns are becoming common passwords, and they are still not secure.”

While many were left banging their heads against a wall, in the current state of online privacy, some have criticized the use of passwords altogether.

In a 2012 Wired article, Mat Honan wrote about how hackers targeted and cracked his password-protected accounts by finding ways to circumvent those passwords. His article highlights some of the biggest issues with passwords.

"Those security lapses are my fault, and I deeply, deeply regret them," Mr. Honan wrote. "But what happened to me exposes vital security flaws in several customer service systems, most notably Apple's and Amazon's."

Apple and Amazon quickly stepped up their security after the release of the article.

Honan's tale is a chilling reminder of how our connected devices can easily be breached, but there are steps you can take to protect important accounts.

The first and most obvious step is to have a complicated password that cannot be linked to your online history. It is also important to use different passwords for each account, which can be a pain, but is crucial.

Another step is using companies that require two-factor authentication (2FA), which means adding an extra (but simple) step to your login process. Entering a username and password would be considered single authorization. But many services, such as Twitter and Google, now offer ways to provide a second form of authorization – one that's not based on a password. For example, before you log into Gmail on a new PC, Google can text-message a code to your phone, that you can then type into the computer to gain access to your inbox. This way, opening your accounts requires both something you know (the password) and something that you have (the mobile phone). Thieves might crack through one barrier of defense, but it's much more difficult for them to tackle both without you realizing.

[Editor's note: This article has been changed to correct a typo. Despite what the piece originally said, it is important to use different passwords for each of you online account.]