Our passwords are bad, and we should feel bad about it: Every year, SplashData releases a list of the most popular passwords discovered in data breaches released online over the past 12 months. And this year, “123456” and “password” topped this list.
Just like last year. And the year before that.
Other popular choices this year were sports, like “football” and “baseball.” And “starwars,” a newcomer to the list, ranked as the 25th most popular breached password, probably thanks to excitement over the release of the newest movie in the franchise.
Passwords are the banes of our increasingly online lives: Nearly everything we sign up for needs a password, and creating a secure one can be a pain. Even when we come up with a good one, we always need more because reusing passwords can leave us exposed if a service we use gets breached.
To try to stay secure we are left relying on password management tools that sometimes get breached themselves, or juggling an almost ridiculous rotation of hard-to-remember passwords, or using a random string of characters we expect to reset the next time we log in.
Unless, that is, they just give up and use comically easy-to-guess passwords.
This password paradox is why tech companies like Google, Apple and Yahoo are trying to find ways to replace passwords. Apple, for instance, includes fingerprint scanners in its new iPhones. And Google and Yahoo have been experimenting with ways that let people use their mobile phone to prove their identity without a password.
Unfortunately, these alternatives can come with their own drawbacks: You leave your fingerprints on pretty much everything you touch, and some researchers have even found way to fake fingerprints from high definition photos. And using just your mobile phone may leave you at risk if you lose it.
For now, at least, consumers are probably best off trying trying to remember strong, unique passwords for important services and turning on two-factor authentication, a system where they have to go through another step to confirm their identity when they log in — usually entering a code that’s texted to their phone.
There’s a good list of what services offer this protection. The extra step may feel frustrating, but it’s a lot less work than having to recover from a breached account.