When it comes to cybersecurity, many people are still ignoring the factor that’s most within their control: their passwords.

SplashData has released its latest Worst Passwords of the Year list, revealing 2019’s most commonly used bad passwords. The list is based on an evaluation of more than 5 million cracked passwords that have been leaked throughout the web by hackers.

SplashData estimates that 10 percent of internet users are still using at least one of the top 25 passwords on this list. Are you among them?

The Top 25 Bad Passwords

1. 123456
2. password
3. 123456789
4. 12345678
5. 12345
6. 111111
7. 1234567
8. sunshine
9. qwerty
10. iloveyou
11. princess
12. admin
13. welcome
14. 666666
15. abc123
16. football
17. 123123
18. monkey
19. 654321
20. !@#$%^&*
21. charlie
22. aa123456
23. donald
24. password1
25. qwert123

Passwords and Brute Force Hacking

When someone tries to bypass your password, they’re probably not trying out different password combinations in hopes of getting one right. Chances are, they’re using software to execute a brute force hacking attempt. This type of attack uses a cracking tool to work through various combinations of usernames and passwords until the right one is found.

There are a few common types of brute force attack, and all of them become more effective when poor passwords are used:

  • Credential recycling: When a hacker gets hold of one password, they will often use it to access multiple accounts owned by that user. This is why using the same password across platforms is a bad idea!
  • Dictionary attack: The brute force application works through a long list of possible passwords. These lists are often created by analyzing a user’s social profiles, focusing on words that may have meaning to them.
  • Reverse brute force attack: When attempting to breach a large company, hackers will determine possible usernames from public company data or social media (LinkedIn makes it fairly easy). They then run this list against the most common ‘bad passwords’. Chances are, someone within a large organization was lazy and used “12345” or “password1” as their password. This is all it takes to infiltrate a network.
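The reverse brute force pattern described above has a distinctive footprint in authentication logs: one source fails against many different usernames in a short window, rather than hammering a single account. The following Python script is an added example, not code from the article or from SplashData; it parses a handful of constructed sshd-style log lines (the format, hostnames and addresses are assumptions made for the example) and flags sources whose failed logins span at least five distinct accounts within five minutes, reporting any account that later succeeded from the same source so a responder knows where to look first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified sshd-like format (not from the article).
SAMPLE_LOG = """\
2024-01-15T09:00:01 Failed password for alice from 203.0.113.7
2024-01-15T09:00:02 Failed password for bob from 203.0.113.7
2024-01-15T09:00:03 Failed password for carol from 203.0.113.7
2024-01-15T09:00:04 Failed password for dave from 203.0.113.7
2024-01-15T09:00:05 Failed password for erin from 203.0.113.7
2024-01-15T09:00:06 Accepted password for frank from 203.0.113.7
2024-01-15T09:05:00 Failed password for alice from 198.51.100.9
2024-01-15T09:05:30 Failed password for alice from 198.51.100.9
2024-01-15T09:06:00 Accepted password for alice from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_auth_log(text):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "result": m.group("result"),
            "user": m.group("user"),
            "src": m.group("src"),
        })
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Flag sources that fail against >= min_users distinct accounts inside `window`.

    A classic brute force shows many failures against one account; a reverse brute
    force (password spray) shows few failures per account but many accounts per
    source, so the signal is distinct usernames per source, not attempts per user.
    Returns {source: {"sprayed_users": [...], "accepted_users": [...]}}.
    """
    failures_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures_by_src[e["src"]].append(e)

    alerts = {}
    for src, fails in failures_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding time window over this source's failures.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                # Any account that later logged in from the same source is the
                # likely compromised one and should be triaged first.
                accepted = sorted({
                    e["user"] for e in events
                    if e["src"] == src and e["result"] == "Accepted"
                })
                alerts[src] = {"sprayed_users": sorted(users), "accepted_users": accepted}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{src}: sprayed {info['sprayed_users']}, later accepted {info['accepted_users']}")
```

The thresholds are deliberately parameters: a large organisation with a busy VPN gateway will want a higher `min_users` and a shorter window than a small office, and the same logic applies to Windows 4625/4624 events or a web application's own login audit table once the parser is swapped.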

Protecting Your Business from Brute Force Attacks

The first step to minimizing this risk is to have a firm password policy in place. Set the following standards for optimal protection:

Length and characters: Passwords should have 8-12 characters minimum and should include a mix of numbers, letters, and special characters. Even with brute force cracking tools, a password containing twelve mixed characters should take years to crack.

Unique passwords: Discourage the use of the same password across multiple accounts.

Use a password management tool: With a password manager tool (such as LastPass) you can generate secure random passphrases, and organize and store them securely at admin level. This eliminates the chance that one employee may get lazy with their password creation and leave your entire business exposed.
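The three policy points above can be enforced mechanically at the point where a password is set. The following Python script is an added example, not code from the article or from any password manager vendor; it checks a candidate password against the length and character-class rules above and against the article's top-25 list used as a blocklist (a real deployment would use a far larger breached-password list), and it generates replacement passwords with the `secrets` module, the kind of random generation a password manager performs. The 12-character minimum takes the upper end of the article's 8-12 range and is the example's own choice.

```python
import secrets
import string

# The article's top-25 list, reused as a blocklist for this example.
TOP_25 = {
    "123456", "password", "123456789", "12345678", "12345", "111111", "1234567",
    "sunshine", "qwerty", "iloveyou", "princess", "admin", "welcome", "666666",
    "abc123", "football", "123123", "monkey", "654321", "!@#$%^&*", "charlie",
    "aa123456", "donald", "password1", "qwert123",
}

MIN_LENGTH = 12  # upper end of the article's 8-12 range (example's own choice)


def check_password(pw, blocklist=TOP_25, min_length=MIN_LENGTH):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")

    classes = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))

    # Compare case-insensitively so trivial variants like "Password1" are caught too.
    if pw.lower() in blocklist:
        problems.append("appears in the common-password blocklist")
    return problems


def generate_password(length=16):
    """Generate a random password from a CSPRNG that satisfies check_password."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling: retry until every character class is present.
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("password1", "Tr0ub4dor&3xample!"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
    print("generated:", generate_password())
```

Rejecting blocklisted passwords at set time is what stops the reverse brute force scenario above from working at all: if no account in the organisation can hold “12345” or “password1”, running the username list against the common-password list finds nothing.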