Top websites keep letting people use weak passwords like 111111, and it’s a major security risk

By Arianne Cohen

Fun fact: Five of the top seven most common passwords revealed in 2019 data breaches are variations on “123456789.” And you can blame high-traffic websites for allowing this idiocy to carry on.

Researchers from the University of Plymouth assessed the password meters most commonly embedded in popular sites such as Reddit and Dropbox. They pumped passwords such as “password” and “iloveyou” into 16 meters. While some meters performed well, three meters rated “Password1” as “strong.” You see the problem. Eighty percent of hacking-related breaches involve stolen or weak passwords, according to Verizon’s 2019 Data Breach Investigations Report.

Researcher Steve Furnell, a professor of information security and head of the Centre for Security at the University of Plymouth, said in the study that over the holidays, “hundreds of millions of people will receive technology presents” and will inevitably password their new accounts with “qwerty” and “123123.” He points out that industry password-security efforts focus on replacing passwords consistently—efforts that are moot if the new passwords are “princess” and “dragon.”

Furnell’s earlier work has found that despite the rise of cyberattacks, most of the top 10 trafficked websites have not improved their password guidance in the past decade. He encourages companies such as Amazon and LinkedIn to provide users with straightforward recommendations. Like, you know, putting the kibosh on seven sevens as a password.

 
 

Fast Company