“123456” and “password” continue to be the most commonly used passwords. When will people learn?
(Last updated on February 7, 2020)
Here is a list of the top 25 most common passwords of 2016.
Your policy may not allow weak passwords such as 123456 or password, but even if the password complexity requirement is enabled in the standard Windows Password Policy, users can still create insecure passwords such as Password123, Company2015, January1 and LetMeIn2015.
Microsoft MVP and software architect Troy Hunt famously said: “The only secure password is the one you can’t remember.” While that may be true, there are still things you can do to increase password security. Neal O’Farrell, executive director of The Identity Theft Council, suggests that you use passphrases instead of passwords to create easy-to-remember but hard-to-hack passwords. A passphrase is a short sentence that’s easy for you to remember but that a hacker would have a very hard time guessing. He said: “The phrase could be something like ‘I graduated from Notre Dame University on June 1st 2002.’ Pick the first letter from every word in that phrase, making sure you include the upper and lower case, and keep all the numbers. That would give you the following password: ‘IgfNDUoJ1st2002’. That’s a massive 15 characters and includes upper and lower case letters and numbers. Change the ‘I’ to the symbol ‘!’ and now you’ve made it even harder to crack.”
With the new capability to support passphrases, Specops Password Policy gives administrators the flexibility to not force complexity requirements when a password is more than a minimum character length, for example 20 characters. When you allow users to create passwords like “I like my n@w shiny car!!”, the result is longer than any traditional password and extremely easy to remember. Security is enhanced without compromising usability. To further strengthen your password policy, you can disallow user names, display names, incremental passwords and even the entire dictionary list.
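The sketch below is an added example, not Specops code and not the Windows implementation. It shows why the four weak passwords named above pass a character-class rule, and how a length-based passphrase exemption can be combined with name, dictionary and incremental checks. The banned-word list, the 8-character minimum, the simplified 3-of-4 class rule, the reading of the 20-character threshold as "at least 20", and the user `jdoe` / `Jane Doe` are all assumptions made for illustration.

```python
import re

# Constructed sample data: a tiny stand-in for a real dictionary list.
BANNED_WORDS = {"password", "letmein", "company", "january", "123456"}
PASSPHRASE_MIN_LEN = 20  # the page's example threshold, read here as "at least 20"
MIN_LEN = 8              # assumed minimum length for ordinary passwords
CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
LEET = str.maketrans("@0$13", "aosie")  # undo common character swaps

def meets_complexity(pw):
    """Simplified complexity rule: minimum length plus 3 of 4 character classes."""
    return len(pw) >= MIN_LEN and sum(bool(re.search(c, pw)) for c in CLASSES) >= 3

def evaluate(pw, username, display_name, previous=None):
    """Return the list of rejection reasons; an empty list means accepted."""
    reasons = []
    # Check both the lower-cased password and its de-substituted form.
    forms = (pw.lower(), pw.lower().translate(LEET))
    # Passphrases at or above the threshold skip the character-class rule.
    if len(pw) < PASSPHRASE_MIN_LEN and not meets_complexity(pw):
        reasons.append("fails complexity")
    names = [n.lower() for n in (username, *display_name.split()) if len(n) >= 3]
    if any(n in f for n in names for f in forms):
        reasons.append("contains user or display name")
    if any(w in f for w in BANNED_WORDS for f in forms):
        reasons.append("contains dictionary word")
    # Same stem with only the trailing digits changed counts as incremental.
    if previous and pw.rstrip("0123456789") == previous.rstrip("0123456789"):
        reasons.append("incremental change of previous password")
    return reasons

if __name__ == "__main__":
    # Sample inputs: the page's examples plus one constructed lowercase passphrase.
    for pw in ("Password123", "Company2015", "January1", "LetMeIn2015",
               "IgfNDUoJ1st2002", "my green kettle sings at dawn"):
        print(f"{pw!r}: complexity={meets_complexity(pw)} "
              f"reasons={evaluate(pw, 'jdoe', 'Jane Doe')}")
```

The all-lowercase passphrase fails the character-class rule yet is accepted on length alone, while each of the four weak passwords satisfies the class rule and is rejected only by the dictionary check.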