SplashData published their annual list of the 25 Worst Passwords on the Internet. Here is the list that all IT directors should block as acceptable logon passwords to websites, networks, computers, etc.
Not taking precautions could result in another sort of list such as the 1.3 million fraud or identity theft complaints that the FTC received in 2010.
1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football
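Blocking the list is easy to get wrong if the check is a plain string comparison: "Password1" or "P@ssw0rd" would sail through even though they are the same weak secret. The following is an added example (not code from the original post) of a denylist check that folds case and common leet-speak substitutions and strips trailing digits or punctuation before comparing against the 25 entries above. The leet mapping, the trailing-junk rule and the 12-character minimum are this example's own assumptions, not values stated in the post.

```python
"""Reject logon passwords that match SplashData's worst-25 list.

Added example, not from the original post. Goes beyond a plain lookup by
also catching trivial variants ("Password1", "passw0rd", "Letmein2024");
the normalisation rules used for that are assumptions of this example.
"""
from __future__ import annotations

import re

# The 25 entries from the post, stored lowercase.
WORST_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
})

# Common leet-speak substitutions folded back to letters (assumed mapping).
_LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Trailing digits/punctuation that users bolt onto a base word ("password1!").
_TRAILING_JUNK = re.compile(r"[\d!@#$%^&*.]+$")


def candidate_forms(password: str) -> set[str]:
    """Return every normalised form of the password to test against the denylist.

    The raw lowercased form is always included, so pure-digit entries such as
    "123456" still match even though leet folding would turn them into letters.
    """
    base = password.strip().lower()
    forms = {base, base.translate(_LEET)}
    for form in list(forms):
        stripped = _TRAILING_JUNK.sub("", form)
        if stripped:  # never add the empty string
            forms.add(stripped)
    return forms


def is_denylisted(password: str) -> bool:
    """True if the password, or a trivial variant of it, is on the worst-25 list."""
    return not WORST_PASSWORDS.isdisjoint(candidate_forms(password))


def check_password(password: str, min_length: int = 12) -> list[str]:
    """Return policy failures for a proposed password; an empty list means accept.

    The 12-character default is an assumed policy value, not one from the post.
    """
    problems: list[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_denylisted(password):
        problems.append("matches (a trivial variant of) a commonly used password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not data from the post.
    for candidate in ("monkey", "P@ssw0rd", "Letmein2024", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

The denylist stays a single frozenset, so swapping in a larger breached-password corpus later means replacing one constant, not the matching logic; the normalisation is applied to the candidate only, never to the list, so the list entries keep their exact spelling.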
There are many other security steps required to protect networks that utilize password-based authentication (see my recent post, “Just How Long Should a Password Be?” for more info).
Switching over to PKI may work for some companies, but not for many others. Or, it may even be a combination of both PKI and passwords using a single credential, like what Access Smart has done with the government’s PIV credential.
The takeaway is to ask why people use these weak passwords. The answer is that they need a better way to manage their passwords that is both convenient and secure.