SplashData Blog

January 19, 2016

SplashData’s Worst Passwords of 2015

We’ve announced our well known list of “Worst Passwords” for 2015 — check out the press release and see a cool infographic we created for this year.


February 1, 2015

SplashID 8 for Windows & Mac OS is here

SplashID 8 is now available in the shape of an all new Windows desktop app.

Here are some feature highlights:
- Enhanced UI that matches the web, iOS, and Android apps
- Single screen functionality with advanced list view
- Automated SplashID Backup for cloud users
- Powerful security dashboard to identify and fix weak, reused, & old passwords

Download the new apps today!


January 20, 2015

Our annual Worst Passwords list is out

"123456" Maintains the Top Spot on our Annual "Worst Passwords" List

The 2014 list of worst passwords demonstrates the importance of keeping names, simple numeric patterns, sports and swear words out of your passwords.

Worst Passwords of 2014We announced our annual list of the 25 most common passwords found on the Internet – thus making them the "Worst Passwords" that will expose anybody to being hacked or having their identities stolen. In its fourth annual report, compiled from more than 3.3 million leaked passwords during the year, "123456"and "password" continue to hold the top two spots that they have held each year since the first list in 2011. Other passwords in the top 10 include "qwerty," "dragon," and "football."

As in past years' lists, simple numerical passwords remain common, with nine of the top 25 passwords on the 2014 list comprised of numbers only.

Passwords appearing for the first time on SplashData's list include "696969" and "batman."

While Valentine's Day is less than a month away, "iloveyou" is one of the nine passwords from 2013 to fall off the 2014 list.

According to SplashData, the passwords evaluated for the 2014 list were mostly held by users in North America and Western Europe. In 2014, millions of passwords from Russian accounts were also leaked, but these passwords were not included in the analysis.

SplashData's list of frequently used passwords shows that many people continue to put themselves at risk by using weak, easily guessable passwords.

"Passwords based on simple patterns on your keyboard remain popular despite how weak they are," said Morgan Slain, CEO of SplashData. "Any password using numbers alone should be avoided, especially sequences. As more websites require stronger passwords or combinations of letters and numbers, longer keyboard patterns are becoming common passwords, and they are still not secure."

For example, users should avoid a sequence such as "qwertyuiop," which is the top row of letters on a standard keyboard, or "1qaz2wsx" which comprises the first two 'columns' of numbers and letters on a keyboard.

Other tips from a review of this year's Worst Passwords List include:

- Don't use a favorite sport as your password – "baseball" and "football" are in top 10, and "hockey," "soccer" and "golfer" are in the top 100. Don't use a favorite team either, as "yankees," "eagles," "steelers," "rangers," and "lakers" are all in the top 100.

- Don't use your birthday or especially just your birth year -- 1989, 1990, 1991, and 1992 are all in the top 100.
While baby name books are popular for naming children, don't use them as sources for picking passwords. Common names such as "michael," "jennifer," "thomas," "jordan," "hunter," "michelle," "charlie," "andrew," and "daniel" are all in the top 50.

Also in the top 100 are swear words and phrases, hobbies, famous athletes, car brands, and film names.
This is the first year that SplashData has collaborated on the list with Mark Burnett, online security expert and author of "Perfect Passwords" (http://www.xato.net).

"The bad news from my research is that this year's most commonly used passwords are pretty consistent with prior years," Burnett said. "The good news is that it appears that more people are moving away from using these passwords. In 2014, the top 25 passwords represented about 2.2% of passwords exposed. While still frightening, that's the lowest percentage of people using the most common passwords I have seen in recent studies."

Slain says, "As always, we hope that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites."

Presenting SplashData's "Worst Passwords of 2014":

Rank Password Change from 2013
1 123456 No Change
2 password No Change
3 12345 Up 17
4 12345678 Down 1
5 qwerty Down 1
6 123456789 No Change
7 1234 Up 9
8 baseball New
9 dragon New
10 football New
11 1234567 Down 4
12 monkey Up 5
13 letmein Up 1
14 abc123 Down 9
15 111111 Down 8
16 mustang New
17 access New
18 shadow Unchanged
19 master New
20 michael New
21 superman New
22 696969 New
23 123123 Down 12
24 batman New
25 trustno1 Down 1

Here are three simple tips to be safer from hackers online:

1. Use passwords of eight characters or more with mixed types of characters.
2. Avoid using the same username/password combination for multiple websites.
3. Use a password manager such as SplashID to organize and protect passwords, generate random passwords, and automatically log into websites.


November 13, 2014

SplashID 8 is live!

SplashID 8 is available now on iOS, Android, and the web!

Here are some feature highlights:
- Enhanced UI optimized for large high-res screens
- Single screen functionality with advanced list view
- Automated SplashID Backup for cloud users
- Powerful security dashboard to identify and fix weak, reused, & old passwords
- Deeper integration with web logins
- Add a credit card record using your device’s camera (Android & iOS)
- Touch ID login on iOS
- 2-factor authentication now over SMS

Download the new apps today!


July 3, 2014

You can't take it with you...

SplashID Safe got a mention in a great NY Times article on how to share your sensitive data with loved ones once you pass on. It's worth a read:

How to Digitally Avoid Taking It to the Grave


June 15, 2014

Sharing records is now easier and more secure than ever

Share securely

It used to be every time I needed to share a password with a colleague or family member, I'd feel a little uneasy. I didn't want to send it over email or text, where it would live indefinitely, so I would call and spell it out. Not anymore.

With the release of SplashID Safe version 7.2, Cloud Services users can now use the Share Securely feature, which sends encrypted files directly to recipients. A cool feature of Share Securely is that it identifies other SplashID Cloud Services subscribers and lets them know they have records to import the next time they login to SplashID. The records never go outside the system!

And what if you send the records to someone who doesn't use SplashID Safe? They will get a one-time web link to view the records that self-destructs after 24 hours or after viewing. Neat!

How do I use this feature?

To send a single record, click the Share Securely button under the record details in any version 7.2 or later client.

On the mobile app, you can also go to Settings > Share Securely, and select multiple records to share at once.

Enter the email address of the person you wish to share it with, set a password, and decide if you want to include that password in the email. To be even more secure, choose not to include the password, and let them know the password separately.

Who can use this feature?

Which platform(s) is it available on?

  • iOS, Android, Windows Phone, Windows, Mac, and Web

Hope you like Share Securely and our other new features in version 7.2. Thanks again for your dedication to good password management and your loyalty to SplashID Safe!


June 3, 2014

Protect yourself even more with 2-factor authentication

2-factor screenshot

With all the hacking, spying, and general lack of online security these days, it's good to know that SplashID Safe is protecting your logins and other sensitive records. But you can never be too safe, so we're raising to bar with 2-Factor Authentication to protect you against unauthorized access of your SplashID data, even if someone discovers your username and password.

With the release of SplashID Safe version 7.2, Cloud Services users can now enable 2-Factor Authentication, which will require you to enter an authorization code received via email when attempting to login on a new computer, device, or browser. You may have seen this kind of authentication for your online banking applications, and we felt SplashID Safe deserved the same level of protection.

How do I use this feature?

Login to your SplashID Cloud Services account on your desktop web browser.

Then click the Settings tab on the left, then click 2-Factor Authentication.

Check the box next to "Enable 2-Factor Authentication" and click Save.

Next time you log in to SplashID Safe from a new browser, desktop, tablet or phone, you will be required to enter a 6-digit code, which you'll receive via email.

Once you enter the code, you won't be asked for the code again on that browser or device. If you want to authorize access on a new browser or device, you will need another authorization code sent.

Who can use this feature?

Which platform(s) is it available on?

  • iOS, Android, Windows Phone, Windows, Mac, and Web

Hope you like 2-factor authentication and our other new features in version 7.2. Thanks again for your dedication to good password management and your loyalty to SplashID Safe!


April 25, 2014

SplashID Safe is not affected by Heartbleed!

Heartbleed

Since SplashID Cloud Services is run on Microsoft IIS servers, and not Linux or Unix servers, it does not employ the Open SSL library that contains the Heartbleed vulnerability.

That said, this is a widely used library that will affect many of the websites you login to, and this vulnerability has existed for some time, so we recommend that you change passwords on all sensitive sites at this time to be safe.

You can use the password generator feature in SplashID Safe to generate strong passwords and save them in your SplashID records for easy (and secure!) recall.

More info on Heartbleed: http://heartbleed.com


April 1, 2014

 

Get the best of both worlds with our new Local Only feature

Local Only


If you're like us, you love the convenience of using Cloud Services to access your SplashID records anytime without worrying about sync or backups, but there may be some especially sensitive records (perhaps bank accounts or family social security numbers) that despite all the security measures you'd still prefer to keep stored only locally on your desktop.

With the release of SplashID Safe version 7.2, Cloud Services users can now designate any record in SplashID Safe as Local Only. This means the record stays local on the device selected and does not sync to the cloud server. If the selected record is already on the web app or on any other devices running SplashID Safe, it will get deleted from those apps. At any point, you can undo the Local Only setting, and the record will sync back to the cloud server and appear on all your devices.

How do I use this feature?

iOS: Tap a record. In the bottom toolbar, tap on "Make local." This change saves automatically. You can change it back by tapping "Sync to Cloud."

Android: Tap a record, then tap the edit button. Scroll down and set "Local Only Record" to ON. Save.

Windows Phone: Tap on a record, and tap to edit. Scroll down, and check the box for "Local Only." Save.

Windows: Double click on a record to view the edit screen, and check the box for "Local Only." Save.

Mac: Double click on a record to view the edit screen, and check the box for "Local Only." Save.

Who can use this feature?

SplashID Cloud Services users

Which platform(s) is it available on?

iOS, Android, Windows Phone, Windows, Mac


April 12, 2014

Track Down Zombie Accounts

This blogger mentions SplashID Safe as a tool to use in the fight to protect your online identity. Old so-called "Zombie Accounts" are one risk to keep in mind. You need to be vigilant in order to track all the user accounts you create online and make sure they don't come back to haunt you.

http://nixonvs.com/zombie-accounts/


January 17, 2014

"Password" unseated by "123456" on our annual "Worst Passwords" list

The 2013 list of worst passwords, influenced by postings from the Adobe breach, demonstrates the importance of not basing passwords on the application or website being accessed

Here's our annual list of the 25 most common passwords found on the Internet. For the first time since SplashData began compiling its annual list, "password" has lost its title as the most common and therefore Worst Password, and two-time runner-up "123456" took the dubious honor. "Password" fell to #2.

According to SplashData, this year's list was influenced by the large number of passwords from Adobe users posted online by security consulting firm Stricture Consulting Group following Adobe's well publicized security breach.

"Seeing passwords like 'adobe123' and 'photoshop' on this list offers a good reminder not to base your password on the name of the website or application you are accessing," says Morgan Slain, CEO of SplashData.

SplashData's list of frequently used passwords shows that many people continue to put themselves at risk by using weak, easily guessable passwords. Some other passwords in the Top Ten include "qwerty," "abc123," "111111," and "iloveyou."

"Another interesting aspect of this year's list is that more short numerical passwords showed up even though websites are starting to enforce stronger password policies," Slain said. For example, new to this year's list are simple and easily guessable passwords like "1234" at #16, "12345" at #20, and "000000" at #25.

SplashData, provider of the SplashID Safe line of password management applications, releases its annual list in an effort to encourage the adoption of stronger passwords. "As always, we hope that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites."

Presenting SplashData's "Worst Passwords of 2013":

Rank
Password
Change from 2012
1
123456
Up 1
2
password
Down 1
3
12345678
Unchanged
4
qwerty
Up 1
5
abc123
Down 1
6
123456789
New
7
111111
Up 2
8
1234567
Up 5
9
iloveyou
Up 2
10
adobe123
New
11
123123
Up 5
12
sunshine
Up 2
13
1234567890
New
14
letmein
Down 7
15
photoshop
New
16
1234
New
17
monkey
Down 11
18
shadow
Unchanged
19
sunshine
Down 5
20
12345
New
21
password1
Up 4
22
princess
New
23
azerty
New
24
trustno1
Down 12
25
000000
New

SplashData's top 25 list was compiled from files containing millions of stolen passwords posted online during the previous year. The company advises consumers or businesses using any of the passwords on the list to change them immediately.

We suggest making passwords more secure with these tips:

Use passwords of eight characters or more with mixed types of characters. But even passwords with common substitutions like "dr4mat1c" can be vulnerable to attackers' increasingly sophisticated technology, and random combinations like "j%7K&yPx$" can be difficult to remember. One way to create more secure passwords that are easy to recall is to use passphrases -- short words with spaces or other characters separating them. It's best to use random words rather than common phrases. For example, "cakes years birthday" or "smiles_light_skip?"

Avoid using the same username/password combination for multiple websites.  Especially risky is using the same password for entertainment sites that you do for online email, social networking, or financial service sites. Use different passwords for each new website or service you sign up for.

Having trouble remembering all those different strong passwords? Try using a password manager application that organizes and protects passwords and can automatically log you into websites. There are numerous applications available, but choose one with a strong track record of reliability and security like SplashID Safe, which has a 10 year history and over 1 million users. SplashID Safe has versions available for Windows and Mac as well as smartphones and tablet devices.

 

About SplashData

SplashData has been a leading provider of security applications and services for over 10 years. The company's secure password and record management solution SplashID Safe has over 1 million individual users worldwide as well as hundreds of business and enterprise clients. SplashData was founded in 2000 and is based in Los Gatos, CA.

Contact us