Password manager and digital vault firm Keeper Security has revealed the most common passwords of 2016, and they're embarrassingly lazy and awful. After scouring 10 million passwords that became public through the numerous massive data breaches that occurred in the past year, the Keeper team found that people are still relying on simple, easy-to-remember strings of characters to secure their online accounts and digital identity.
"We couldn't stop shaking our heads," Keeper wrote in a blog post on Friday. "What really perplexed us is that so many website operators are not enforcing security best practices."
The firm noted that the list of most commonly used passwords has not changed much over the past few years, indicating that "user education has limits".
"While it's important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves," they wrote. "IT administrators and website operators must do the job for them."
As in 2015, the most commonly used password of 2016 was "123456", which was used by nearly one in five users. Other popular passwords included easy-to-crack, overused strings such as "123456789," "qwerty," "11111" and, of course, "password."
Keeper also notes that four of the top 10 passwords of 2016 and seven of the top 15 were all six characters or shorter.
"This is stunning in light of the fact that... today's brute-force cracking software and hardware can unscramble those passwords in seconds," the firm said. "Website operators that permit such flimsy protection are either reckless or lazy."
While some popular passwords such as "1q2w3e4r" and "123qwe" suggest that some users do attempt to use unpredictable patterns and character strings to secure their online accounts, Keeper dubs these efforts "weak at best".
"Dictionary-based password crackers know to look for sequential key variations. At best, it sets them back only a few seconds," Keeper said.
Also present on the list were the "seemingly random" password choices "18atcskd2w" and "3rjs1la7qe," which security expert Graham Cluley believes were generated by bots created to post and spread spam on online forums.
"If a user forum does not have strong measures in place to verify that an account is being registered by a living, breathing human being, it's relatively trivial for someone with mischievous intent to write a program that creates multiple accounts for the purposes of spreading spammy messages or malicious links," he wrote last year.
"We can criticize all we want about the chronic failure of users to employ strong passwords. After all, it's in the user's best interests to do so," Darren Guccione, CEO and co-founder of Keeper Security, said. "But the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies. It isn't hard to do, but the list makes it clear that many still don't bother.
"While it's important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves. IT administrators and website operators must do the job for them".
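As an added illustration of the kind of server-side screening the article says operators should enforce (this is not Keeper's code or any site's actual policy), the Python sketch below rejects passwords that are too short, that appear on a blocklist, or that are keyboard walks like "1q2w3e4r". The minimum length, the walk threshold and the simplified key grid are assumptions, and the blocklist holds only the passwords quoted in this article.

```python
# Added example: password screening at registration or password change.
# Simplified, unstaggered QWERTY grid (assumption): each key maps to (row, column).
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}

# Only the passwords quoted in the article; a real deployment would load
# a much larger breached-password list.
BLOCKLIST = {"123456", "123456789", "qwerty", "11111", "password",
             "1q2w3e4r", "123qwe", "18atcskd2w", "3rjs1la7qe"}

MIN_LENGTH = 12        # assumed policy value, not taken from the article
WALK_THRESHOLD = 0.75  # assumed: share of adjacent-key steps that marks a walk


def walk_ratio(password):
    """Fraction of consecutive character pairs on the same or a neighbouring key."""
    pw = password.lower()
    if len(pw) < 2:
        return 0.0
    adjacent = 0
    for a, b in zip(pw, pw[1:]):
        if a in KEY_POS and b in KEY_POS:
            (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
            if abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1:
                adjacent += 1
    return adjacent / (len(pw) - 1)


def check_password(password):
    """Return the list of rejection reasons; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if password.lower() in BLOCKLIST:
        reasons.append("blocklisted")
    if walk_ratio(password) >= WALK_THRESHOLD:
        reasons.append("keyboard_walk")
    return reasons
```

The walk check catches longer variations such as "1q2w3e4r5t6y" that satisfy the length rule and are missing from the blocklist, which is the case the "sequential key variations" remark describes.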
Here are the 25 most common passwords of 2016, according to Keeper Security: