PC World is reporting on the 25 worst passwords of 2013. As it does every year, Splashdata, a security firm, has compiled a list of the most common passwords culled from stolen password lists. Everything is depressingly normal. All our favorites are still there. The major difference this year is that "123456" has replaced "password" as the most common password. The two just switched places, so they're still the top two.
The people using these passwords are undoubtedly the same people who don't get what all the fuss over the NSA is about. The universe will, of course, punish their stupidity in due time. The problem is that many of us conscientiously doing the right thing will be collateral damage.
In case you're wondering, the only responsible password policy for 2014 is to use a password manager that generates long random strings for passwords and to protect your password database with a master password made up of multiple random words à la Diceware. Anything else is certain to fall to the crackers no matter how clever you try to be.
And for goodness' sake, if you're a developer implementing password functionality, get rid of the stupid restrictions on password length and legal characters. There really is no excuse for those restrictions. None.
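To make the developer point concrete, here is an added example (not code from PC World, Splashdata or any particular product) of password storage that needs no length or character rules: the key-derivation function takes arbitrary bytes and always emits a fixed-size digest. The PBKDF2 iteration count and the `scheme$iterations$salt$digest` record layout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import unicodedata

ITERATIONS = 600_000  # assumed work factor; tune for your hardware
SALT_BYTES = 16


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # Normalize so the same visible password typed on different platforms
    # yields the same bytes, then encode as UTF-8. Any character and any
    # length is acceptable input to the KDF; nothing is truncated.
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, iterations)


def hash_password(password: str) -> str:
    """Return a fixed-length, ASCII-only record safe for a text column."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = _derive(password, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        actual = _derive(password, salt, int(iterations))
    except ValueError:
        return False  # malformed record: reject rather than crash
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample inputs: a short password and a long one with
    # spaces, quotes, SQL-looking punctuation and non-ASCII characters.
    short = "pw"
    long_ = "correct horse'; DROP -- \u00e9\u4f60\u597d \U0001F511 " * 200
    for pw in (short, long_):
        rec = hash_password(pw)
        print(len(pw), "chars ->", len(rec), "char record,", verify_password(pw, rec))
```

Because the stored record is the same size whatever the user types and the password itself never reaches a query or a fixed-width column, neither a maximum length nor a list of legal characters serves any purpose.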