
Wookie mistake: ‘starwars’ is now one of the world’s 25 worst passwords

New year, same bad passwords. Despite growing concerns over cybersecurity (or really, the lack thereof), it looks like the majority of us still haven’t learned our lesson. SplashData has just released its fifth annual list of the 25 worst passwords, and it looks like 365 days and a far greater number of security breaches did little to improve our password strength. The comprehensive list was compiled with information from more than two million leaked passwords over the course of 2015, and came mostly from users in North America and Western Europe. And yes, really, “123456” still holds the number-one spot.

The two most popular passwords, “123456” and “password,” have maintained their positions at the top of the list for the second consecutive year. In fact, of the list of 25, seven are just a combination of consecutive numbers. Other predictable suspects include “qwerty,” “welcome,” “letmein,” and “login,” but a few newcomers also appeared on the scene. With the much-anticipated recent release of Star Wars: The Force Awakens, several people seemed to take inspiration from a galaxy far, far away to protect their data. The words “solo,” “princess,” and “starwars” all made appearances on the list.


And as for the sports fans of the world, football and baseball were both in the top 10, though “basketball” missed the cut altogether.

And even if you think you’re being clever by using a common password but just replacing a letter (like “passw0rd” instead of “password”), it turns out many others have had the same thought — just goes to show that we’re all more alike than we think.

Check out the full list of the 25 worst (and most common) passwords of 2015 below. And please, if you use one of them, do yourself a favor and change it now.

25 worst passwords of 2015

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball
11. welcome
12. 1234567890
13. abc123
14. 111111
15. 1qaz2wsx
16. dragon
17. master
18. monkey
19. letmein
20. login
21. princess
22. qwertyuiop
23. solo
24. passw0rd
25. starwars
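
As an added example (not from the article or SplashData), here is a sign-up screening check in JavaScript built from the list above. It goes beyond the 25 listed strings to catch the letter-swap variants and consecutive-number runs the article describes; the substitution table and function names are assumptions made for illustration.

```javascript
// The 25 entries from the 2015 list on this page.
const WORST_2015 = new Set([
  "123456", "password", "12345678", "qwerty", "12345", "123456789", "football",
  "1234", "1234567", "baseball", "welcome", "1234567890", "abc123", "111111",
  "1qaz2wsx", "dragon", "master", "monkey", "letmein", "login", "princess",
  "qwertyuiop", "solo", "passw0rd", "starwars",
]);

// Assumed look-alike classes (illustrative, not exhaustive). "l", "1" and "!"
// all fold to "i" so that both "we1come" and "l3tm31n" collapse correctly.
const LOOKALIKE = { "0": "o", "1": "i", "l": "i", "!": "i", "3": "e",
                    "4": "a", "@": "a", "5": "s", "$": "s", "7": "t" };
const fold = (s) => s.replace(/[01l!34@5$7]/g, (c) => LOOKALIKE[c]);

// Folded forms of the listed entries that contain at least one letter.
const FOLDED_WORDS = new Set(
  [...WORST_2015].filter((w) => /[a-z]/.test(w)).map(fold));

// Four or more digits that repeat, count up, or count down (wrapping 9 -> 0).
function isDigitRun(s) {
  if (!/^\d{4,}$/.test(s)) return false;
  const step = (s.charCodeAt(1) - s.charCodeAt(0) + 10) % 10;
  if (![0, 1, 9].includes(step)) return false;
  for (let i = 2; i < s.length; i++) {
    if ((s.charCodeAt(i) - s.charCodeAt(i - 1) + 10) % 10 !== step) return false;
  }
  return true;
}

// Returns "listed", "sequence", "variant" or "ok" for a candidate password.
function screenPassword(candidate) {
  const p = candidate.normalize("NFKC").toLowerCase();
  if (WORST_2015.has(p)) return "listed";
  if (isDigitRun(p)) return "sequence";
  if (FOLDED_WORDS.has(fold(p))) return "variant";
  return "ok";
}
```

A verdict other than "ok" is a reason to reject the password at registration or password change; "ok" only means the candidate is not one of these 25 or a close relative.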

Editors' Recommendations

Chrome now supports the new password-free login standard

Although Google's Chrome browser already enabled "password-free" logins by supporting the FIDO (Fast IDentity Online) U2F standard, the latest desktop version hitting the stable channel this week, Chrome 67, now includes support for the new WebAuthn standard. But don't worry: If you previously used physical security keys to log into Facebook and Google, they won't need a replacement given WebAuthn is backward compatible. 
If you're not sure what all this means: websites, browser developers, device manufacturers, and the FIDO Alliance have been working together to eliminate passwords since 2014. The platform relies on cryptographic keys, so login credentials are never stored on your device or on the servers hosting your favorite service.
The first FIDO standard arrived in December 2014 followed by FIDO U2F in June 2015 and FIDO2 in April 2018. The first two standards rely on secondary devices, like Yubico's Security Key and YubiKey NEO USB-based devices, to create these cryptographic keys. Other supported technologies include Bluetooth, Near Field Communication (NFC), and biometrics. The alliance began working with the World Wide Web Consortium to create a client-side standard called WebAuthn in early 2016. 
The idea behind WebAuthn is to bring the cryptographic key creation and exchange directly to the browser. Prior to WebAuthn support, logins relied on passwords even though you didn't need to enter credentials each time you logged onto a service: physical security keys and biometric devices merely "authenticate" those credentials. But with WebAuthn support in place, you sign into an account with only a username; no password is required.
"In many cases, this single factor authentication is more secure than other forms of two-factor authentication (such as SMS), as there are no secrets that can be phished remotely," a representative from Yubico told Digital Trends. "WebAuthn has also been blessed by the W3C, which means that all major web browsers are engaged to add support."
Based on the current demo, you still need some form of physical "security token" like Yubico's products or hardware supporting facial recognition and fingerprint scanning. As the demo shows, you can create an account without the need to submit a password, but the demo requires access to a physical key or connected biometric device. WebAuthn will eventually support biometrics on mobile devices, too. 
The big takeaway here is that a password-free internet is becoming more mainstream. This method protects WebAuthn-compliant accounts from server-side hacks, on-device malware, and hackers tapping into your internet connection. Firefox 60 introduced WebAuthn support in early May, while the mainstream version of Microsoft Edge will include support in the next several months.
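
The key-based login described above, as an added example that is not part of the original article: a simplified Node.js model of a WebAuthn-style sign-in showing that the server keeps only a public key and that a response produced on a look-alike site does not verify. Real WebAuthn data also carries flags, a signature counter and CBOR encoding, which are omitted here; the function names, `example.com` and `examp1e.test` are assumptions.

```javascript
const nodeCrypto = require("crypto");

const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();

// Registration: the authenticator makes a key pair for one site (rpId).
// Only the public key reaches the server; there is no shared secret to leak.
function register(rpId) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { authenticator: { rpId, privateKey }, serverRecord: { rpId, publicKey } };
}

// Sign-in, client side: the browser records the origin it actually loaded,
// and the authenticator signs over the rpId hash plus a hash of that record.
function signAssertion(authenticator, challenge, origin) {
  const clientDataJSON = JSON.stringify({ type: "webauthn.get", challenge, origin });
  const authenticatorData = sha256(authenticator.rpId);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = nodeCrypto.sign("sha256", signed, authenticator.privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Sign-in, server side: check challenge, origin and rpId, then the signature.
function verifyAssertion(record, challenge, origin, a) {
  const client = JSON.parse(a.clientDataJSON);
  if (client.type !== "webauthn.get") return "bad-type";
  if (client.challenge !== challenge) return "bad-challenge";
  if (client.origin !== origin) return "bad-origin";
  if (!a.authenticatorData.equals(sha256(record.rpId))) return "bad-rp-id";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify("sha256", signed, record.publicKey, a.signature)
    ? "ok" : "bad-signature";
}

// Constructed scenario: one genuine sign-in and three that the server rejects.
function demo() {
  const site = "https://example.com";
  const { authenticator, serverRecord } = register("example.com");
  const challenge = nodeCrypto.randomBytes(32).toString("hex");
  const genuine = signAssertion(authenticator, challenge, site);
  const lookalike = signAssertion(authenticator, challenge, "https://examp1e.test");
  const relabelled = { ...lookalike, clientDataJSON: genuine.clientDataJSON };
  const check = (c, a) => verifyAssertion(serverRecord, c, site, a);
  return { genuine: check(challenge, genuine), lookalike: check(challenge, lookalike),
           relabelled: check(challenge, relabelled),
           replayed: check(nodeCrypto.randomBytes(32).toString("hex"), genuine) };
}
```
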
Outside the new WebAuthn component, Chrome 67 includes a new Generic Sensor application programming interface (API). This enables the browser to support accelerometers, gyroscopes, orientation and motion sensors in web-based applications. For instance, a web app within Chrome can now detect movement speed if the parent device contains an accelerometer. 
Chrome 67 also now includes the WebXR Device API (aka web extended reality). According to Google, this feature will provide unified augmented and virtual reality experiences across desktop and mobile spanning from the smartphone-based Samsung Gear VR to the HTC Vive and Windows Mixed Reality headsets. The new API is available as an "origin trial," Google states, and supports home shopping, art, immersive 360-degree videos, data visualization, traditional 2D and 3D videos presented in immersive surroundings, and games. 
Other features in the latest version of Chrome include the ability for web pages to process mouse events to disable the back and forward mouse buttons in web-based games. On Windows, the right-hand ALT key now serves as AltGraph on some layouts. The list goes on regarding SVG, DOM, custom elements in HTML, and more developer-centric details. 

Report shows many web surfers are still using ‘123456’ as their password

For some reason, many web surfers accessing the internet don’t appear to be listening. Despite warnings by experts and countless reports of hacking, identity theft, online fraud, and more, there are people still using “123456” as a password. That simple sequence of numbers reigns king on the new top 100 worst passwords list of 2017.

According to numbers provided by SplashData, the use of “123456” as the No. 1 bad password hasn’t changed in years. The firm provides its list of the top 100 worst passwords each year, and shows that “123456” officially unseated “password” from the top spot in 2013. Since then, 123456 remains at the top of the list followed by “password” and several other common words and numbers.

Password manager Dashlane now integrates with Intel SGX for hardware security

Password manager Dashlane has announced a new partnership with Intel that will see Dashlane use Intel’s SGX for added hardware-based security.

According to the company, the collaboration allows users to “seal” their data to their devices to avoid tampering.
