Despite all the warnings, shockingly high numbers of people are still using easily guessable passwords such as swear words, celebrity names, cities, animals, or keyboard sequences, with half of those observed consisting of just one word.
Users don’t seem convinced that a good password is the one you can’t remember – “123456” has long been the most popular, and 2022 is not an exception.
After examining 56 million breached and leaked passwords in 2023, the Cybernews research team discovered the password “123456” was used in 111,417 cases.
Worryingly, default passwords used by workers with system access privileges still remain all too easy for a threat actor to guess. Cybernews found 16,981 occurrences of the password “admin,” with “root” and “guest” coming in second and third for the top 20 generic passwords.
The team used various wordlists to extract the data – without identifying the persons to whom it belonged – and grouped it according to the following categories: top passwords overall, names of famous people, swear or curse words, animals, cities, countries and continents, sports teams, food items, and season, month and day names.
The team scrutinized databases found on darknet and clearnet hacker forums and other sources that had been breached and leaked this year – meaning the findings are, unlike other password research ‘contaminated’ by older data, relatively up to date.
Why does this matter?
Most passwords are stored hashed, or in layman’s terms, scrambled in a way that cannot be de-hashed or reversed back to the original. The problem is that, unlike encryption, hashing is deterministic: the same word (string) always gives the same result – so, for instance, “ant,” another popular password highlighted by the Cybernews team, will almost always be hashed into the same output by the same algorithm.
This weakness allows cybercriminals to learn the hashed versions of commonly used passwords in advance, so that a brute-force attack becomes little more than educated guesswork against inadequately protected systems.
In the case of the default passwords uncovered by the research team, a crook with a modicum of cunning wouldn’t even need to employ brute-force techniques – admin being a fairly obvious first guess for figuring out a system administrator’s password.
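To make the point concrete, here is an added Python example (not code from the article or the Cybernews research): an unsalted hash is deterministic, so a digest table built once from a short, constructed wordlist recognises every user who chose one of those words, whereas a per-user random salt with a slow key-derivation function (PBKDF2-HMAC-SHA256, an assumption, as the article names no scheme) makes the same table useless.

```python
import hashlib
import os

# Constructed wordlist in the spirit of the article's top-20 (not the dataset itself).
COMMON_PASSWORDS = ["123456", "admin", "root", "guest", "ant", "cat", "rat", "king"]

def unsalted_hash(password: str) -> str:
    """Deterministic: the same string always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup(wordlist):
    """Digest -> plaintext table, computed once and reusable against any unsalted dump."""
    return {unsalted_hash(p): p for p in wordlist}

def audit_unsalted(stored_digests, lookup):
    """Defender-side check: which stored digests are common passwords? Returns the
    recognised plaintexts in store order (duplicates show how often a word recurs)."""
    return [lookup[d] for d in stored_digests if d in lookup]

def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256, assumed here): the same
    password gives a different digest for every user, so no precomputed table matches."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def demo():
    # Constructed "leaked" store: three users, two of whom chose the word "ant".
    store = [unsalted_hash("ant"), unsalted_hash("kq9!Vz2#pLm7wX"), unsalted_hash("ant")]
    lookup = build_lookup(COMMON_PASSWORDS)
    found = audit_unsalted(store, lookup)                  # both "ant" users are exposed
    s1, s2 = os.urandom(16), os.urandom(16)
    same_salt_same_digest = salted_hash("ant", s1) == salted_hash("ant", s1)
    different_salt_different_digest = salted_hash("ant", s1) != salted_hash("ant", s2)
    table_hits_on_salted = audit_unsalted([salted_hash("ant", s1)], lookup)  # nothing
    return found, same_salt_same_digest, different_salt_different_digest, table_hits_on_salted

if __name__ == "__main__":
    print(demo())
```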
The fact that business and personal computer users are still opting for such simplistic combinations means that myriad weak-password warnings from the cybersecurity profession are still going unheeded by many. But to understand the depth of the problem, one must examine the common errors being made by users in more detail.
Password reuse still a big issue in 2023
Password users also continue to be fond of curse words and the names of famous personas – at 292,869 cases, the word “ass” made the top spot for profanity, while the rather more genteel “king” (70,666 cases) topped the list for well-known figures, in an apparent reference to the recent coronation of King Charles III of Great Britain and Northern Ireland.
Other popular swear passwords were “fuck” (79,564) and “shit” (36,388), although those with sensitive ears and eyes will be relieved to learn that the dreaded “C-word” was absent from the top-20 list tabled by Cybernews.
Famous soccer players featured on the top-50 list of celebrity-related passwords, with “messi” (4,137) and “ronaldo” (4,749) enjoying strong outings, while showbiz figures also proved popular – “gaga” occurred 5,842 times and “eminem” racked up 3,948 instances.
Controversial former US president Donald Trump’s surname came in last on the list (in fiftieth place, with 2,159 occurrences), which will bruise the politician’s ego all the more given that he came in second to “kennedy” (2,240), his predecessor who was shot dead in 1963.
It’s not just in a name
The Cybernews team highlights that a strong password must not only avoid common names or words but also contain a variety of characters and cases that increase its entropy, which makes it harder to crack.
“Complexity equals entropy, or how much information is stored in a given password,” said Cybernews research team leader Mantas Sasnauskas. “More entropy means the data is more chaotic, and chaos is good – that’s why it’s important to have randomly generated passwords, because they contain a lot of entropy and are more resistant to brute-force attacks.”
He added: “With most leaks that happen, there is almost always a hashed password involved – it’s less likely that bad actors will be able to dehash a complex password, that is to say, one with lots of entropy, and then use it to compromise other accounts.”
As such, the research team’s findings that just 1% of observed passwords fit all the recommended criteria – both upper- and lower-case characters, numbers, and special symbols like the $ sign – are yet more grim news for cyber-stressed infosecurity professionals.
Likewise, only 4% of passwords observed by Cybernews used at least 12 characters, including numbers and symbols, as recommended by the industry. Shockingly, 15% used just four characters, although just under half (48%) managed to be between eight and 11 characters long.
But password length alone will avail users little in terms of cybersecurity if they are using only lowercase letters – which was observed in 22% of cases. The most common combination was a mashup of lowercase letters and numbers, known as the alphanumeric combo (38%) – again, nowhere near the level of complexity advocated by Sasnauskas to be deemed safe from brute-force and other password attacks.
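The criteria and buckets described above (all four character classes; 12 or more characters with numbers and symbols; four-character and eight-to-eleven-character lengths; lowercase-only and alphanumeric mixes) can be turned into a small audit script. This is an added Python example, not the Cybernews methodology; its sample list is constructed, and the entropy figure is the naive length-times-pool estimate, not a measurement of guessability.

```python
import math
import string

POOL_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}

def char_classes(pw: str) -> set:
    """Character classes used; anything that is not a letter or digit counts as a symbol."""
    return {"lower" if c.islower() else "upper" if c.isupper() else
            "digit" if c.isdigit() else "symbol" for c in pw}

def entropy_bits(pw: str) -> float:
    """Naive upper bound: length * log2(pool size of the classes used). Treats every
    character as random, so a dictionary word like 'ant' is overrated, not underrated."""
    pool = sum(POOL_SIZE[c] for c in char_classes(pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def meets_all_criteria(pw: str) -> bool:
    """The article's 'all recommended criteria': upper, lower, digits and symbols."""
    return char_classes(pw) == {"lower", "upper", "digit", "symbol"}

def meets_length_recommendation(pw: str) -> bool:
    """At least 12 characters including numbers and symbols."""
    return len(pw) >= 12 and {"digit", "symbol"} <= char_classes(pw)

def composition(pw: str) -> str:
    """The two weak mixes the article singles out; everything else is 'other'."""
    c = frozenset(char_classes(pw))
    return {frozenset({"lower"}): "lowercase only",
            frozenset({"lower", "digit"}): "alphanumeric"}.get(c, "other")

def summarize(passwords):
    """Percentage of passwords in each bucket the article reports."""
    n = len(passwords)
    pct = lambda k: round(100.0 * k / n, 1)
    return {
        "all_criteria": pct(sum(meets_all_criteria(p) for p in passwords)),
        "twelve_plus": pct(sum(meets_length_recommendation(p) for p in passwords)),
        "four_chars": pct(sum(len(p) == 4 for p in passwords)),
        "eight_to_eleven": pct(sum(8 <= len(p) <= 11 for p in passwords)),
        "lowercase_only": pct(sum(composition(p) == "lowercase only" for p in passwords)),
        "alphanumeric": pct(sum(composition(p) == "alphanumeric" for p in passwords)),
    }

# Constructed sample in the style of the leaked lists, not the Cybernews data.
SAMPLE = ["123456", "ant", "lima2023", "Passw0rd!", "cat", "admin", "king1",
          "G7$kq2!xLm9p", "rome", "messi10"]

if __name__ == "__main__":
    print(summarize(SAMPLE), round(entropy_bits("ant"), 1), round(entropy_bits(SAMPLE[7]), 1))
```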
It gets worse…
Of the passwords scrutinized by the Cybernews team, around half (28 million) were unique – in this case, consisting of a single simple name or word such as “dell”.
Worse still, 5.5 million of these unique or specific passwords occurred multiple times – suggesting that there is still a legion of ‘culprits’ out there that all-too-readily suggest themselves to computer users who can’t be bothered to use password-managing apps or spend more time and effort creating complex combinations.
Other such popular passwords included the names of capital cities like “lima” (17,466) and “rome” (17,407), and animal species such as “cat” (122,392) and “rat” (103,284). It is not clear if these were chosen because of any personal significance to users or, once again, merely selected for their simplicity. Either way, they spell bad news for computer users.
Finally, Big Tech featured strongly too – albeit probably not in a way it would like to – with major corporations such as Apple, Google, and Yahoo being used as easily guessable passwords in thousands of instances observed by Cybernews.
Other top picks identified and categorized by the research team included days of the week, sports teams, professions, and food and drink items.
Cybernews security researcher Martynas Vareikis said that the research also indicated that hashing algorithms long called out as unfit for purpose were still being used today, another cause for concern.
“Even though weak hashing algorithms, like the infamous MD5, were officially claimed as ‘unsuitable for further use’ in 2008, they are still being found in the leaks today,” he said. “With exponentially more consumer-targeted computing power available every year, the difficulty of password cracking drops too.”
Vareikis urged computer users to take cybersecurity into their own hands, and not depend exclusively on developers to watch their backs.
“It is important for customers not to rely solely on developers to protect their credentials and personal data by adopting new internet safety habits, starting with strong password generation and cybersecurity awareness,” he said. “Due to many services being interconnected, even one leaked password could lead to many accesses, potential damages, and time-consuming recoveries.”
Conclusion: how do I make my passwords safe?
As we’ve been saying for some time now, to keep your passwords secure, they all have to be unique in a way that makes them difficult to crack. This is why we strongly urge users to adopt a password manager – these allow you to generate highly complex or entropic combinations that you don’t need to memorize. See how that works?
Such tools are easy to use and mostly tend to come as browser extensions that will create or fill in your username and password automatically while keeping that data secure from prying eyes. All you need to do is commit one master password to memory so you can use it to access the manager app – come on, people, you can do this!
If you’ve been reading this article and rubbing your chin because your old passwords have similar ‘come-and-crack-me’ patterns to the ones we’ve analyzed, don’t despair – our Data Leak Checker will enable you to see at a glance if your email address and other sensitive data have been exposed in a breach. Try not to panic if they have, at least now you know how to create new and strong cybercrime-resistant passwords!
The Cybernews Data Leak Checker currently has the largest database of known breached accounts, with more than 15 billion listed. So, chances are, if your account has been leaked, we’ll probably have a record of it.
You can thank us later – after you’ve updated your passwords.