A recent Virginia Tech study of commonly used passwords by Dashlane/Virginia Tech has unveiled what some of the worst passwords of 2018 were.

For the study,  researchers supplied Dashlane with an anonymized copy of 61.5 million passwords. The password list was established using 107 individual lists of passwords available on forums and in data archives, many of which have come from previous data breaches.

The analysis of the list showed many common themes. These include the names of local sports teams: In the UK, common password choices witnessed were liverpool, chelsea and arsenal – the leading soccer teams in the Premier League.

Commercial brand names were also selected, such as cocacola, snickers, mercedes, skittles, mustang, and playboy. MySpace and LinkedIn were also common choices, alarmingly, to secure accounts on those websites.

Music and film references were often used, with Spiderman, superman, starwars, and pokemon all typical choices as were expressions of frustration – a**hole, bull****, and f***you were repeatedly chosen.

The Dashlane report indicates that despite warnings about the risk of using easy-to-remember passwords, end users are still opting for weak passwords. One very worrying trend is the use of seemingly safe passwords, which are anything but secure.

1q2w3e4r5t6y and 1qaz2wsx3edc may seem to be relatively secure passwords; however, how they are set up makes them easy to guess. They are certainly stronger than “password” or letmein” but not by much.

The passwords are formulated by a process that Dashlane calls password walking – the use of letters, numbers, and symbols beside each other on a keyboard. Simpler variations on this theme are qwerty and asdfghjk. To get around password rules, the same method is used with the incorporation of capital letters and symbols.

The study reveals that even though many firms require end users to set strong passwords, employees ignore password guidance or opt for passwords that pass security checks but are really not that secure.

What Makes a Strong Password?

A strong password will not be in the dictionary, will not implement sequential numbers or be created by walking fingers along a keyboard. Brand names and locations should also be avoided. Passwords should be at least 8 characters and should be unique – never used previously by the user, and never reused on a different platform.

Passwords should have at least one capital letter, lowercase letter, symbol and number. If all lowercase letters are used, each letter in the password could be one of 26 different letters. Include capitals and the possible options double to 52. There are 10 digits, growing the options to 62, and let’s say 32 special characters, bringing the total up to 94 options. With so many options and possible combinations, randomly generated passwords are particularly difficult to decipher. However, randomly generated passwords are also very difficult to remember.

Recently, that issue has been recognized by the National Institute of Standards and Technology (NIST), which has refreshed its guidance on passwords (See special publication 800-63B).

While the implementation of random strings of characters and symbols makes passwords very difficult to guess and more resilient to hackers’ brute force password guessing tactics, end users have difficulty remembering their passwords and that leads to particularly dangerous behaviors such as writing the password down or keeping it in a browser.

NIST now advises the use of longer passphrases instead of passwords – Iboughtacarwithmyfirstpaypacket or ifihadahorseIwouldcallitDave– for instance. Passphrases are more user-friendly and easier to remember, but are still safe – provided a adequate number of characters are used. If passphrases are encouraged instead of difficult to remember passwords, end users will be less inclined to set passwords that meet strong password guidelines but are not particularly secure – LetMeIn! for example.

The shortest number of characters can be set by each group, but rather than restricting the characters at 16, companies should consider growing this to at least 64. They should also accept all printable ASCII characters, including spaces, and UNICODE characters.

Since some end users will try to put in place weak passwords, it is vital to incorporate controls that prevent commonly used passwords from being used. Each password choice should be reviewed against a blacklist before it can be implemented.