Matthew HughesFormer TNW Reporter
Matthew Hughes is a journalist from Liverpool, England. His interests include security, startups, food, and storytelling. Follow him on Twi Matthew Hughes is a journalist from Liverpool, England. His interests include security, startups, food, and storytelling. Follow him on Twitter.
One of the most basic things you can do to protect yourself online is to use strong, complex, and distinct passwords. But a recent study of 61 million leaked passwords from Virginia Tech and Dashlane proves we’re still failing to do this.
Virginia Tech Computer Science academic Professor Gang Wang provided Dashlane with an anonymized sample of passwords. These were obtained as part of a research project at the university, which looks into password reuse and modification patterns.
Dashlane researchers then found several common (and pervasive) bad habits. One common faux pas is called “password walking,” which is where you use letters, numbers, and special characters that are adjacent to each other on the keyboard.
Two examples of this are qwerty and 123456, which we can all agree are awful password practices. In fact, many sites proactively refuse to allow users to create accounts with these passwords.
But Dashlane found several permutations of the above appeared in the database with a startling frequency. Examples of this are 1q2w3e4r or 1qaz2wsx.
While these would likely adhere to a site’s password policy, in practice they’re easy to guess, and would be easy to discern by someone shoulder surfing.
Dashlane also observed a couple of other interesting passwords habits. It turns out people are weirdly passionate when their text is obscured with asterisks, as iloveyou, fuckyou and asshole were all popular choices.
People also have a strange propensity to name brands, popular culture figures, and football teams in their passwords.
When it comes to brands, myspace and linkedin were the number one and three choices respectively. A possible explanation for this posited by Dashlane is that both websites suffered catastrophic breaches in recent years. Data from these breaches found their way into the Virginia Tech dataset.
It’s entirely plausible that many users of MySpace and LinkedIn, rather than create a password that was distinct and personal to them, instead chose to merely use the name of the site they were on. Yikes.
In popular culture, superman, pokemon, and slipknot were the top three password choices. The beautiful game also inspired some password choices, with liverpool, chelsea, and arsenal all popular.
You can read the Virginia Tech study here. And while poor security practice is seemingly eternal, you can take comfort in the fact that it’s getting easier to mitigate against. Things like two-factor authentication (2FA) are increasingly popular, and take the edge off passwords as heinous as iloveyou.
Get the TNW newsletter
Get the most important tech news in your inbox each week.