Each year for the past several years the password-management-software firm, SplashData, has released a list of the most common passwords found in data dumps leaked online of passwords stolen during the past year. The list for 2015 reveals a lot about how people pick passwords, and provides a wake up call for people working in information security departments – including those studying for certification exams – as to how much training and education is needed when it comes to passwords, how badly the world needs better designed and implemented password policies, and how strongly many organizations need technology to enforce such policies.

Here is the list of the most common 25 passwords of 2015 as found in the various lists of passwords that leaked online after from breaches:

1. 123456 (Unchanged since 2014)
2. password (Unchanged since 2014)
3. 12345678 (Up 1 spot since 2014)
4. qwerty (Up 1 spot since 2014)
5. 12345 (Down 2 spots since 2014)
6. 123456789 (Unchanged since 2014)
7. football (Up 3 spots since 2014)
8. 1234 (Down 1 spot since 2014)
9. 1234567 (Up 2 spots since 2014)
10. baseball (Down 2 spots since 2014)
11. welcome (New)
12. 1234567890 (New)
13. abc123 (Up 1 spot since 2014)
14. 111111 (Up 1 spot since 2014)
15. 1qaz2wsx (New)
16. dragon (Down 7 spots since 2014
17. master (Up 2 spots since 2014)
18. monkey (Down 6 spots since 2014)
19. letmein (Down 6 spots since 2014)
20. login (New)
21. princess (New)
22. qwertyuiop (New)
23. solo (New)
24. passw0rd (New)
25. starwars (New)

I analyzed the list in detail in a piece that appeared in Inc. this past week. But in addition to the specific analysis that I provided for a general audience in that article, there are some important points of which people studying for certification exams should take a special note:

  1. Policies can be worthless if you do not utilize technology to enforce the policies. By now, policies pretty much everywhere prohibit using passwords like “123456” and “password” – but those two, weak passwords are apparently still the most common two passwords in use.
  1. People make the same mistakes over and over. It does not matter how many times you tell them not to use the password “password,” it does not matter how many times using the password “password” has been mocked in the media, and it does not matter how many times accounts with password “password” have been breached by criminals in the past. “Password” is an easy password to remember, and people just don’t care. It is your job as a security professional to ensure security even when people don’t care -- and, in many cases, to help make them care.
  1. Beware pop culture trends – In 2015 "solo" and "star wars" became popular passwords due to the release of the new Star Wars movie. There will be other trending topics in 2016 – and there will be plenty of attempts at creating weak passwords based on them as a result. Make sure to educate people accordingly – and to implement technology to prevent problems.
  1. Don’t react to poor passwords by creating policies that cause other password problems. Requirements for longer passwords might have caused “1234567890” to enter the list of top passwords for the first time this year – but that password is hardly strong. I have written several pieces about setting up proper password policies and selecting proper passwords. Do not demand that people use overly complex passwords for systems that do not warrant them, and do not require people to create passwords that few people can possibly remember. Remember, if you make security difficult for people they will resent you – which can lead to security problems as well.

Loved the article? Can’t wait to take on the world of Information Security? Get a professional certification to position yourself at the front of the pack – and we’ve got special rates for our readers!

Duration and Fees for Our Online Cyber Security Training

Cyber Security training programs usually last from a few weeks to several months, with fees varying depending on the program and institution

Program NameDurationFees
Executive Certificate Program in Cybersecurity

Cohort Starts: 28 Nov, 2024

7 months$ 2,499
Professional Certificate Program in Cybersecurity

Cohort Starts: 4 Dec, 2024

20 weeks$ 3,500
Caltech Cybersecurity Bootcamp

Cohort Starts: 13 Jan, 2025

6 Months$ 8,000
Cyber Security Expert Masters Program4 months$ 2,599

Learn from Industry Experts with free Masterclasses

  • The Future of Ethical Hacking: New Tools, Techniques, and Trends

    Cyber Security

    The Future of Ethical Hacking: New Tools, Techniques, and Trends

    18th Sep, Wednesday9:00 PM IST
  • CEH vs. CISSP vs CompTIA Security+: Which Certification is Right for Your Career?

    Cyber Security

    CEH vs. CISSP vs CompTIA Security+: Which Certification is Right for Your Career?

    11th Jul, Thursday9:00 PM IST
  • Bad, Good, and Best Password Practices: Preventing Dictionary-Based Attacks.

    Cyber Security

    Bad, Good, and Best Password Practices: Preventing Dictionary-Based Attacks.

    29th May, Wednesday7:00 PM IST
prevNext