By Michael Lasky
These past two years have been particularly devastating for data security, with a number of well publicized hacks, attacks, ransoms, and even extortion attempts. Millions of records have been stolen. Even with the risks well known, many millions of people continue to use weak, easily-guessable passwords to protect their online information,” Slain notes.
Here are the top 25 most-hacked passwords, by rank, password and whether or not their position on the chart has changed from 2016. You’ll note that numbers one and two are still reigning champs.
Presenting SplashData’s “Worst Passwords of 2017”:
1 – 123456 (rank unchanged since 2016 list)
2 – password (unchanged)
3 – 12345678 (up 1)
4 – qwerty (Up 2)
5 – 12345 (Down 2)
6 – 123456789 (New)
7 – letmein (New)
8 – 1234567 (Unchanged)
9 – football (Down 4)
10 – iloveyou (New)
11 – admin (Up 4)
12 – welcome (Unchanged)
13 – monkey (New)
14 – login (Down 3)
15 – abc123 (Down 1)
16 – starwars (New)
17 – 123123 (New)
18 – dragon (Up 1)
19 – passw0rd (Down 1)
20 – master (Up 1)
21 – hello (New)
22 – freedom (New)
23 – whatever (New)
24 – qazwsx (New)
25 – trustno1 (New)
And yours truly must confess to having tweaked a ridiculously simple password in the naïve belief that I was making it “more secure.” This password, which I no longer use, is #19 on the worst list: passw0rd.
Yeah, I figured – and so apparently did thousands of others—that by changing the letter O in password to a zero would make it foolproof. (There is no proof to that assumption, and I apparently was the fool. Pun intended.)
So how did SplashData determine the worst passwords? It evaluated over five million leaked passwords and looked for patterns.
The company estimates that almost 10% of people have used at least one of the 25 worst passwords on this year’s list. When it drilled down to particular passwords, about 3% have used the worst password, 123456.
Although only the top 25 worst passwords are highlighted, there is a full list of Top 100 Worst Passwords 2017 and it can be found here.
Tips on Transforming Bad Passwords into Good Ones
It’s all well and good that SplashData compiles the annual worst password lists which shows off our bad habits, but do they have any advice to change our password behavior?
The company’s security experts do offer three tips to safer passwords:
- Use passphrases of 12 characters or more mixed with upper and lower case and letters and numbers.
- Use different passwords for each of your website logins. This is essential because if a hacker gets one password they will try using it to access other sites.
- Use a password manager to organize passwords, generate random ones, and automatically log into websites. While the worst passwords list may seem a tad self-serving since SplashID, Gpass and TeamsID are SplashData’s password management apps, there are now a slew of other similar apps as well (see below) and using a password manager is justifiably good advice – and offers convenience to you as well.
Wait a minute: 12 character passwords? That’s seem a bit much and if that’s the route we have to take to be safe, then password managers would seem to be essential since they automatically login to websites instead of us manually typing in 12 characters.
And, yes, with the unnerving prospect of 12 character passphrases or all the different shorter ones at all the sites we visit, there are also a few password tricks for the memory-limited to even get around to signing on to password managers. But first …
A Quick Guide to Password Managers
As Lance Whitney pointed out last March, “Password managers may not be the perfect solution, but they’re far better than the alternative of using simple passwords or using the same password at every website. Until the industry is able to offer a truly superior and secure website login method, password managers are your best bet”.
His review of the pros and cons of password managers covers four of the most popular apps, Dashlane, LastPass, 1Password, and RoboForm. Add to this the aforementioned SplashID. While they all will automatically login to sites you visit, each has a host of extra features such as saving credit card information and handling form filling such as addresses, phone numbers, and other personal data. All are locked with one master password (the only one you have to remember so write it down just in case).
I have been devoted to LastPass for years on my PC and mobile devices, loading it in each of the browsers I use as an extension or plug-in.
If you are hesitant to sign on to yet another browser add-on, check out my August 1, 2017 coverage of Windows 10 password alternatives [link] which includes fingerprints, facial recognition, and for touchscreens, pattern drawing in lieu of a password.
Another Way to Create Easy to Remember Passwords
Speaking of patterns, here is a method for devising different passwords for each site you visit that are easier to remember. Create a boilerplate phrase of 10 lower and up case letters. You will use this as the beginning of each passphrase. Then as you visit a website which requires a login, enter your boilerplate phrase and add three or four characters unique to that site perhaps using the characters in the site’s name.
For example, say you are entering an account at bookstore.com. You would enter your boilerplate phrase such as Sample$Coin as the beginning of your password for this site and add the extra mnemonic three or four characters unique for this site, such as BooK. So the password for bookstore.com would be Sample$CoinBook. Accordingly the only part of the password unique for this site would be the Book.
At Amazon.com it might change to Sample$CoinAmaZ or sometime like that. All you would need to remember if the AmaZ part since the boilerplate beginning stays the same. Of course if you then use a password manager it will remember each of these and auto log you in after the first instance.
While this method might seemingly contradict the rule for not using the same or altered passphrase at each site, the combination of the boilerplate and the additional characters unique to each site, especially with adding upper and lowercase and special symbol characters, should keep the hackers guessing ad infinitum.
Of course for banking and health account enabling two-factor authentication, as Google does for its accounts, is the safest routine. You enter your password and then receive a text or voice message with an instant one-time code to get connected. Text is best for cellphones and voice for landlines.
To end with a laugh, I love repeating the advice offered by Mad Magazine. How about making your password Password Incorrect. If anyone tried to break into your account they will keep getting a Password Incorrect message.
I offer, for your consideration, Number 87 in the Perry Index of Aesop’s Fables. Not a fan? I bet you are. We know it as “The Goose Who Laid the Golden Eggs”.
The story tells us of a certain man and his wife who had come into possession of an amazing creature, a goose who could lay an egg each day. Unlike other geese, this particular goose’s eggs were made of gold. Each day, the couple would gather another golden egg. In the fullness of time, they became so overcome with avarice that their impatience with the single-egg-per-day rate led them to kill the goose, carving up the bird for what they thought would be a greater wealth of unlaid gold within. We know the story. It’s been part of our culture for many years. So, other than my latter-day wish to make up for my misspent literary-youth, why would we care?
Consider that, for several years, the transportation industry, and the trucking segment in particular, has been watching as certain metrics tell a tale of the growing truck driver shortage in this country. As this shortage increases, there will undoubtedly be ripple effects throughout the economy3. For those who deal with this issue head-on, the pressures of filling trucks with qualified drivers, meeting the demands of home-time, pay, and benefits, while also providing the allures of travel, control of the work, and not having to punch a clock are a constant balancing act.
Enter economics, and the pesky need of a company to turn a profit, and the whole driver-recruitment mess begins to resemble more a shark feeding frenzy than anything else.
For many in the industry, it has become increasing more difficult to entice new driver applicants because the romance of the open road cannot compare to the hassles of a lifestyle which requires families to be separated for long periods of time.
Over the decades, trucking-writ-large has taken the easiest path, trying to maintain the relationships with shippers at the expense of their relationships with their drivers. Until the Hours of Service (HOS) changes in 2011, and even beyond when electronic logging devices came into being, it was not unusual for some motor carriers to push drivers to meet at-times unrealistic, even illegal shipper-service requirements by instructing the driver to “Just get it there!” The driver would have been tempted to sacrifice safety on the altar of making a buck! This was not fair to the driver, the motor carriers, or even the shippers, as eventually this system was going to be untenable – and indeed it necessitated the HOS rewrite and introduction of newer technology.
One serious issue that is beginning to come to the fore, however, is that shippers are seeing the results of letting truck drivers carry the pressure for what ought to have been a combined motor carrier/shipper conversation. As shippers turned a blind-eye to safe and legal hauling – “hauling the freight” being what was felt to be the responsibility of the trucking companies alone – the once-prized trucking lifestyle of seeing the open road, and having a level of freedom that most industries cannot offer began to quickly pale.
Trucking over the past years has lost its allure, and it has become very difficult for motor carriers to attract and keep safe, qualified drivers. A younger generation of prospects looking at truck driving as a potential career sees that truck driver wages, when accounting for inflation, have not appreciably increased over the last several decades. “Who in their right mind,” they ask, “would put up with making no more money for so long?” It’s a question that shippers have not been forced to ponder, possibly believing that it isn’t their problem, or concern. They continue to ignore it at their own peril.
Further, there is a patchwork of concerns which tend to work against directly addressing the driver shortage. For one, the industry, and its stakeholders, have a built-in morale problem. States allow an applicant to obtain a commercial driver license (CDL) and drive across state lines when the applicant turns 21 years of age. Insurance requirements, however, roundly refuse to provide coverage until the driver turns 23. We do not see a large group of young people patiently waiting until they turn 23 to hire on to a trucking company, or buy their own truck as an independent contractor. Life happens while we’re waiting for something better – so those young people will pursue other employment.
If it doesn’t work out, the trucking industry may then be able to attract them as drivers. The harm, however, is that, by the time applicants qualify for insurance, or large motor carriers are willing to take a chance on them, they have already failed in at least one other career option. In casual conversations among industry professionals, we often hear how the current group of drivers “Isn’t the same quality” as in previous years. Is it any wonder? We beg for new drivers, but we tell applicants not to apply until they fail in something else first. Then we decry the poor morale or attitude of “kids these days”.
So, all of that seems like an internecine fight within trucking. Shippers should be able to stand outside the fray like they always have, right? Well, let’s reconsider our pal, the aforementioned goose. She labors away, giving up a wealth in golden eggs. She gives-and-gives-and-gives, and the man and his wife just take-and-take-and-take. Consider, shippers make a variety of amazing things. The ability to create new goods is, by any stretch of the imagination, almost miraculous. How, though, do shippers intend to get their products to market? We have seen the studies which show that 70% of all goods are transported on trucks. The importance of a safe and secure supply-chain is no longer at issue, but care for the truck driver isn’t just a trucking company issue.
What can make this the shippers’ failure is if the shippers don’t realize that the basic conditions have changed. Thanks to in-cab technology which allows for electronic logging devices, a move roundly favored by industry leaders, gone are the days when a driver is tempted to “just get it there”. Shippers can no longer hide behind the motor carrier, pointing fingers at trucking companies when there are service failures, accidents, or violations due to breaking HOS regulations. For generations, the goose (driver pool) has been slowly strangled because the man and his wife (shippers) wanted more and more gold (profits).
If shippers refuse to see how the driver shortage (smaller pool of available drivers), technological limitations (ELDs and the clear and objective record of the driver’s duty status and available driving hours), and wage stagnation have killed the goose, they will not have shipping capacity to move their goods to market. Unlike Aesop, though, our goose doesn’t need to stay dead. It is within our own grasp to effect the necessary changes which can reach everyone’s goals:
- Regulatory/insurance: Although the current flood of exciting technologies which could improve efficiencies (vehicle platooning, “driverless” trucks {DLVs}, etc.) is sexy, and garners attention, we are not taking full advantage of graduated CDLs, or communicating the need with insurance partners to allow for the introduction of younger truck driver professionals.
- Motor carriers: Wage stagnation must be addressed. Many trucking companies are reviewing this topic, but for those who aren’t, this is a wage-fairness issue. When a current driver makes no more money than did his father in the same job, carriers cannot hide behind supplements. In-cab television, more amenities, or other comfort-items do not pay the bills for the trucker and his/her family. Don’t forget comfort upgrades when providing an improving wage, but don’t fall into the trap of thinking that anything else replaces pay.
- Shippers: The current driver shortage cannot be seen as “trucking’s problem”. It isn’t a situation which exists in isolation. As driver wages must improve, as other technologies come on-line (the afore-mentioned platooning or DLVs), these will need financing. Trucking is a very low-margin business. Shippers ought not be expected to open the purse strings and be taken advantage of, however, but when shippers’ personnel fight against driver wage increases, one must ask whether we are being intellectually honest in the broader discussion. Of course, customers do not like paying more for goods (open disclosure: my family and I do not look forward to any inflationary pressures or higher prices), but shippers cannot hide themselves from being included in the conversation, especially if it is their hands around the goose’s neck.
Each stakeholder has some responsibility. No one part created the condition in which trucking finds itself. No one part can solve it on its own. It is incumbent upon each part to be an honest actor, working together to address the problems. The real-world will continue; trucking will likely remain a low-margin industry, shippers will continue to negotiate rates, even aggressively, but if the driver’s needs were to also be a central part of that discussion, since it is the driver who accomplishes the actual work anyway, there could be a “trickle-UP” economy which benefits those upstream.
Gone are the days when shippers can pass along responsibility to motor carriers, who in turn pass-along the pressure for performance to truck drivers. That does nothing more than blame the goose for being such a poor provider in the first place.
Steve Bredigkeit, CDS
Director, Boyd Brothers Transportation, Inc.
Birmingham, AL
