Security Policies

Top 10 Worst Passwords over the past 5 years

Over the past five years users have continued to use almost the same worst passwords to access secure systems.

Top 10 worst passwords - Passwords are the first line of defense in securing systems, yet users continue to circumvent that basic security by using the same easily hacked passwords.


Passwords should be at least eight characters long and use numbers, lower-case letters and upper-case letters. Below is a list of the historic top 10 worst passwords that Janco has found users continue to use. As can be seen, the same ones appear year after year.

 

Rank   2016        2015        2014        2013        2012
#1     123456      123456      123456      password    password
#2     password    password    password    123456      123456
#3     12345678    12345       12345678    12345678    12345678
#4     qwerty      12345678    qwerty      abc123      qwerty
#5     12345       qwerty      abc123      qwerty      abc123
#6     123456789   1234567890  123456789   monkey      monkey
#7     football    1234        111111      letmein     1234567
#8     1234        baseball    1234567     dragon      letmein
#9     1234567     dragon      iloveyou    111111      trustno1
#10    baseball    football    adobe123    baseball    dragon

To counter this, here are 5 easy rules that can be implemented in your password routines. They will minimize the risk that your users will use these easily hacked weak passwords.

  1. Include the passwords listed above in the list of unacceptable passwords.
  2. Move towards biometric or two-step authentication for access to systems.
  3. Do not allow users to reuse a previous password when a password reset is done.
  4. Do not allow the same password to be used by multiple users in the organization.
  5. Once an employee leaves, see that his/her password is disabled and that all of the passwords in that "area" are changed in a timely manner.
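The following is an added example, not code from the page or from Janco, showing how the minimum requirements above (eight characters, digits, lower- and upper-case letters) and rules 1, 3 and 4 can be enforced at password-change time. The banned list is taken from the table above; the PBKDF2 work factor, the in-memory store layout and the user names are assumptions made for the example. Because each stored record carries its own salt, the reuse checks have to re-hash the candidate against every record they compare with, which is why the complexity checks run first and the cross-user check stops at the first hit.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Historic top-10 passwords from the table above, held lower-cased so the
# check is case-insensitive ("Password" is no better than "password").
BANNED_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "1234567890", "football", "1234", "111111", "letmein", "1234567",
    "baseball", "dragon", "iloveyou", "abc123", "monkey", "trustno1",
    "adobe123",
}

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def complexity_problems(password: str) -> List[str]:
    """Return the reasons a candidate fails the page's minimum requirements."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digit")
    if not any(c.islower() for c in password):
        problems.append("contains no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("contains no upper-case letter")
    if password.lower() in BANNED_PASSWORDS:
        problems.append("is on the banned-password list")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt for each stored record."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the record's salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Constructed store: user -> list of (salt, digest) records, most recent last.
PasswordStore = Dict[str, List[Tuple[bytes, bytes]]]


def reuse_problems(user: str, password: str, store: PasswordStore) -> List[str]:
    """Rule 3 (no previous password of this user) and rule 4 (no password
    currently in use by another account). Each comparison costs one PBKDF2
    derivation because every record has its own salt."""
    problems = []
    if any(verify_password(password, s, d) for s, d in store.get(user, [])):
        problems.append("reuses one of this user's previous passwords")
    for other, records in store.items():
        if other != user and records and verify_password(password, *records[-1]):
            problems.append("is already in use by another account")
            break
    return problems


def set_password(user: str, password: str, store: PasswordStore) -> List[str]:
    """Apply every rule; on success record the new hash and return []."""
    problems = complexity_problems(password)
    if not problems:  # only pay for the hashing checks once the cheap ones pass
        problems = reuse_problems(user, password, store)
    if not problems:
        store.setdefault(user, []).append(hash_password(password))
    return problems
```

The cross-user check is the expensive part: it scales with the number of accounts times the PBKDF2 cost, so in a real system it is usually run as a background job or replaced by a separately keyed index rather than executed inline on every change.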

Protecting and Securing Data Assets

If your company's security processes are disclosed, the company's systems are vulnerable and sensitive data is at risk. Expanding on the list above, generic standards and procedures to protect the company's electronic assets, including encryption keys, user ids, and passwords, are:

  1. Restrict access to as few individuals as possible.
  2. Store electronic versions only on servers that can be accessed solely by individuals with the highest degree of administrative security.
  3. Fully implement and document all management processes and procedures.
  4. Generate strong keys, user ids, and passwords.
  5. If an electronic key is lost, use a process that requires 2 or 3 people, each knowing only their part of the key, to reconstruct the whole key.
  6. Secure storage and distribution.
  7. Periodically change keys and passwords (at least once every quarter and when there is a seminal change caused by key employee turnover or other such events).
  8. Dispose of unused ones (e.g. when an employee is terminated, all of their keys, user ids, and passwords should be made inactive immediately, not the next day).
  9. Eliminate the ability of one individual to use the key or user id of another.
  10. Replace any key that is suspected of being compromised and immediately void the potentially compromised key.
