You’ve heard it a million times, don’t use an easily guessed password. But despite warnings by security experts and repeated breaches, it appears that some internet users have not updated their passwords to a more secure one. Multiple security companies have been studying more than 5 million leaked passwords from recent breaches and found that many of the commonly used passwords on the list are commonly used bad passwords from previous years, like “123456,” “password,” “admin,” and “abc123.”
Making it into the top 25 for bad passwords this year are “donald,” “princess,” and “sunshine.” If you’re guilty of using one of the offending passwords on SplashData’s 100 top worst passwords list of 2018, it’s time to get more creative.
Using simple, easy to guess, or a commonly used bad password make your account more susceptible to hacking, which can lead to financial fraud or having your personal information exposed or leaked. Here are the top 10 bad passwords for the year, but you can see the complete list of 100 bad passwords for 2018 from SplashData:
For starters, users can use a password manager to collect their passwords securely in one place. Some popular ones include SplashData’s SplashID, LastPass, and 1Password. In addition to securely storing your passwords, many password managers can also dynamically generate unique, strong passwords when you need to create a new site login or update an existing credential. With a unique password, if one site gets breached, your other credentials wouldn’t be affected.
For banking, social media profiles, and other important websites, you can also add multi-factor or two-factor authentication. In addition to requiring a username and password, an additional authentication factor, like a six- or eight-digit pass-code, must be used to log in. These codes are either sent to you via text message or can be obtained through an authentication app.
Another way to make your password strong is to use an inexpensive hardware-based security key. Prior to releasing its own Titan USB key, Google claimed that when it started internal testing by requiring its employees to use a hardware key in 2017, it saw zero incidents of phishing attacks. With multi-factor authentication, even if an attacker has your login credentials, they wouldn’t be able to access your account without having a hardware key, a pass-code sent to your phone, or a unique code that’s generated with an authentication app. Once linked to your account, the hardware keys will work with Windows, Macs, and smartphone devices over USB, USB-C, Bluetooth, or NFC connections, depending on the variant of the key.