Security Policies

Top 10 Worst Passwords, 2000 to 2017

Over the past seventeen years users have continued to use almost the same worst passwords to access secure systems.

Passwords are the first line of defense in securing systems, yet users continue to undermine that defense by choosing the same easily guessed passwords year after year.


Until passwords are replaced by biometrics such as fingerprint, facial or retina scans, there is no choice but to use them. The open question is how far password rules can be tightened before users rebel: reusing one password across many sites, or keeping lists of passwords in unencrypted files on their computers.

Passwords should be at least eight characters long and mix digits, lowercase letters and uppercase letters. Note that length and screening against known-bad lists do more to resist guessing than composition rules alone (this is also the position of NIST SP 800-63B). Below is Janco's list of the historic top 10 worst passwords that users continue to choose. As the table shows, the same ones appear year after year.

Rank   2017         2015         2010         2005         2000
#1     123456       123456       123456       password     password
#2     password     password     password     123456       123456
#3     12345678     12345        12345678     12345678     12345678
#4     qwerty       12345678     qwerty       abc123       qwerty
#5     12345        qwerty       abc123       qwerty       abc123
#6     123456789    1234567890   123456789    monkey       monkey
#7     football     1234         111111       letmein      1234567
#8     1234         baseball     1234567      dragon       letmein
#9     1234567      dragon       iloveyou     111111       trustno1
#10    baseball     football     adobe123     baseball     dragon

To counter this, here are 5 easy rules that can be built into your password routines. They will minimize the risk that your users pick these easily guessed weak passwords.

  1. Include the passwords listed above in the list of unacceptable passwords, and compare case-insensitively so that "Password" and "QWERTY" are rejected too.
  2. Move towards biometric or multi-factor authentication for access to systems.
  3. Do not allow users to reuse a previous password when a password reset is done.
  4. Do not allow the same password to be used by multiple users in the organization. Be aware that with properly salted hashes this check costs one hash computation per existing user, and the rejection message must not reveal whose password matched, since that would hand an attacker a valid credential.
  5. When an employee leaves, disable his/her accounts immediately and change any shared passwords or keys in that "area" in a timely manner.
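The following Python is an added example, not code from the original page or from Janco's template. It implements rules 1 and 3 above together with the length and character-mix requirement: a case-insensitive denylist built from the table, and a password-history check that stores each old password as a salted PBKDF2 hash (so the history file itself does not reveal reused or shared passwords). The function names, the PBKDF2 round count and the sample passwords are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Iterable, List, Optional, Tuple

# Denylist built from the worst-passwords table above (all five years merged).
# Constructed for this example; a real deployment would screen against a much
# larger breached-password corpus.
WORST_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "1234567890", "football", "1234", "baseball", "1234567", "dragon",
    "abc123", "111111", "iloveyou", "adobe123", "monkey", "letmein",
    "trustno1",
}

MIN_LENGTH = 8           # from the text above
PBKDF2_ROUNDS = 200_000  # assumption: tune so one hash takes ~100 ms on your servers


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for one password-history entry.

    A fresh random salt per entry means the stored history never reveals
    whether two entries (or two users) share a password.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_history(password: str, history: Iterable[Tuple[bytes, bytes]]) -> bool:
    """Rule 3: True if the candidate equals any previously used password."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            return True
    return False


def check_password(password: str, history: Iterable[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return the policy violations for a candidate password (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    # Rule 1: case-insensitive so that "Password" and "QWERTY" are rejected too.
    if password.lower() in WORST_PASSWORDS:
        problems.append("on the worst-passwords list")
    if matches_history(password, history):
        problems.append("reused a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample: one entry in the user's password history.
    old_salt, old_digest = hash_password("Winter2017!")
    for candidate in ("password", "Qwerty", "Winter2017!", "Tr0ub4dor&3-xyz"):
        print(candidate, "->", check_password(candidate, [(old_salt, old_digest)]) or "ok")
```

Keep the denylist lookup before the history check: the denylist is a set lookup, while each history entry costs a full PBKDF2 computation, so the cheap rejection should come first.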

Protecting and Securing Data Assets

If the credentials and keys that protect your company's systems are disclosed, those systems are vulnerable and sensitive data is at risk. Procedures should be written so that they remain effective even if the procedure itself becomes known; what must stay secret is the key material. Expanding on the list above, generic standards and procedures to protect the company's electronic assets, including encryption keys, user IDs and passwords, are:

  1. Restrict access to the fewest individuals possible.
  2. Store electronic copies only on servers that can be accessed by individuals with the highest degree of administrative security.
  3. Fully implement and document all management processes and procedures.
  4. Generate strong keys, user IDs and passwords.
  5. For recovery of lost electronic keys, use a process that requires 2 or 3 people, each holding only their part of the key, to reconstruct the whole key (split knowledge, so that no single custodian can recover it alone).
  6. Secure storage and distribution.
  7. Periodically change keys and passwords (at least once every quarter, and whenever a significant change such as key employee turnover occurs); for user passwords, a forced change on evidence of compromise matters more than the calendar.
  8. Dispose of unused ones (e.g. when an employee is terminated, all of his or her keys, user IDs and passwords should be made inactive immediately, not the next day).
  9. Eliminate the ability of one individual to use the key or user ID of another; and
  10. Replace any key suspected of being compromised and immediately revoke the potentially compromised key.
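Item 5 describes split knowledge. The page names no algorithm, so as an added example (not the page's or Janco's own procedure) the Python below implements it with Shamir secret sharing over a prime field: a 32-byte key is split into 3 shares so that any 2 custodians can rebuild it while 1 share alone reveals nothing. The field prime, function names and the 2-of-3 parameters are this example's assumptions; the same code handles any threshold up to the number of holders.

```python
import secrets
from typing import List, Tuple

# Prime field for the arithmetic. 2**521 - 1 is a Mersenne prime, so any key
# of up to 65 bytes fits as a field element. (Assumption of this example.)
P = (1 << 521) - 1

Share = Tuple[int, int]  # (x, f(x)) handed to one custodian


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate the polynomial with the given coefficients at x over GF(P) (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(key: bytes, threshold: int, holders: int) -> List[Share]:
    """Split `key` into `holders` shares; any `threshold` of them rebuild it.

    The key is the constant term of a random polynomial of degree threshold-1,
    so any set of fewer than `threshold` shares is consistent with every
    possible key and reveals nothing.
    """
    if not 1 < threshold <= holders:
        raise ValueError("need 1 < threshold <= holders")
    secret = int.from_bytes(key, "big")
    if secret >= P:
        raise ValueError("key too large for the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def recover_key(shares: List[Share], key_len: int) -> bytes:
    """Rebuild the key from at least `threshold` distinct shares (Lagrange interpolation at x=0)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P          # product of (0 - x_j)
                den = (den * (xi - xj)) % P    # product of (x_i - x_j)
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret.to_bytes(key_len, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)                      # e.g. an AES-256 key
    shares = split_key(key, threshold=2, holders=3)    # any 2 of 3 custodians rebuild it
    assert recover_key([shares[0], shares[2]], 32) == key
    print("2-of-3 recovery ok")
```

Each custodian stores only their (x, f(x)) pair; reconstruction happens once, in a controlled session, and the rebuilt key should be re-split with fresh random coefficients afterwards so that the used shares are retired, in line with items 7 and 8.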
