Even with a zero, ‘Passw0rd’ is still a lousy password

Even if you switch out the “o” with a zero, “Passw0rd” is still not a secure password. But nonetheless it’s the 24th most popular one in the world, according to SplashData’s fifth annual analysis of stolen user-data dumped online.

Its entry onto the 2015 top 25 list for the first time is part of trend the company noticed last year of slightly longer and/or more complicated passwords. But, because they can easily be guessed by hackers, and are therefore vulnerable to so-called “dictionary decryption” attacks, “qwertyuiop” or “1234567890” (new entries at Nos. 22 and 12 on the list, respectively) aren’t any more secure than “qwerty” (up one to No. 4) or “12345” (down two to No. 5).

“We have seen an effort by many people to be more secure by adding characters to passwords,” said SplashData CEO Morgan Slain. “But if these longer passwords are based on simple patterns, they will put you in just as much risk” of being cracked by hackers.

If a website lacks simple security measures like a limit on the number of times the wrong password can be entered, hackers can use dictionary attacks directly on an account. But the technique is more commonly employed when a database of encrypted login data is stolen, and the hashed or encrypted passwords are recovered en masse. 

The technique relies on trying out possible passwords, which means that “Using common sports and pop culture terms is also a bad idea,” Slain added. He noted that “football” (up three to No. 7) and “baseball” (down two to No. 10) had essentially swapped places on the list, while “starwars,” (No. 25) “solo,” (No. 23) and “princess” (No. 21) were all new entries.