Are Weak Passwords the Biggest Threat to Data Security and Privacy?

People have gotten a little smarter about making passwords longer. But they continue to rely on passwords that can be easily broken, leading to data theft. That’s according to the latest annual password study from SplashData.

The report, “Worst Passwords of 2015,” is based on a review of more than two million passwords that were leaked in the last year, primarily from users in North America and Europe.

The report did not reveal a great deal of new trends in password creation. “123456” and “password” remained the most popular passwords, retaining their positions from last year.

SplashData reports, however, that users are now creating slightly longer passwords. “1234567890” and “qwertyuiop” debuted on the list of the top twenty-five most common passwords in this year’s report.

Of course, as SplashData notes, those passwords are simply slightly longer variations on the same theme of easily guessable passwords. They’re essentially no harder for an attacker to break than shorter passwords.

To implement truly secure passwords, the company encourages users to deploy password management software like the kind it sells. That’s one solution.

Barring that, users can at least create passwords that are sufficiently random not to appear on lists of words or other strings that attackers use to break passwords via what is usually called a dictionary attack.

The other way to break passwords is to rely on brute force. That means cycling through all possible combinations of characters until a password is found. That method only works well with passwords that are under about eight characters, however — so longer passwords cannot effectively be brute-forced.

Of course, the bigger question might be whether poor password practices on the part of users are still the greatest threat to data privacy. Many of the big breaches that have made headlines in recent years have involved attackers breaking into vast data caches on servers, not stealing individual account information by obtaining users’ passwords. We can blame lazy users for creating passwords like “password” — or we can force them to create longer, more secure passwords filled with random characters, which they are likely to forget — but that won’t solve today’s biggest data security challenges.