"123456" tops list of worst passwords again

People are still using "123456" in droves as their password for online accounts despite constant warnings about their vulnerability to hacking, fraud, and identity theft.

It marks the fourth year "123456" has sat at the top of the list of the 100 most insecure passwords, according to SplashData [pdf].

The numerical phrase took over "password" as the world's most commonly used online password in 2013 and has remained in the top spot since.

SplashData's annual list is intended to encourage use of stronger passwords, and is derived from five million user records containing passwords that were exposed throughout the year.

This year, "password" came second followed by "12345678" in third, "qwerty" in fourth, and "12345" in fifth spot. Other frequently appearing passwords in the list include terms such as  "letmein", "iloveyou", and "football".

A new entrant this year was "starwars". 

"Unfortunately, while the newest episode may be a fantastic addition to the Star Wars franchise, ‘starwars' is a dangerous password to use," SplashData CEO Morgan Slain said in a statement.

"Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words."

The security firm warned that use of any of the passwords in the top 100 list would put users at "grave risk of identity theft".

“Passwords like these are not only easily guessable, they're already in the password-cracking databases of any hacker worth his or her salt, alongside millions of other popular choices and dictionary words,” security researcher Graham Cluley said in an ESET blog post.

Attackers use the same leaked records analysed for the SplashData report - as well as common variations on the phrases - to build lists for brute force attacks on accounts. 

“This means that by adding "1" or any other character combinations at the start or end of basic terms, users aren't improving the security of their password," KnowBe4 CEO Stu Sjouwerman said in blog post.

SplashData recommended using passwords containing at least 12 characters that comprise different character types as well as upper and lowercase letters.

It also suggested using a different password for each online account - which, if difficult to remember, could be handled by a password manager.