The top 20 admin passwords will have you facepalming hard

“Choose a combination of letters, numbers, special characters and cases.” “Don’t reuse passwords for multiple accounts.” “Set a password that you haven’t used before.”

Everyone has seen these types of messages and enterprises are constantly reiterating them. 

Nobody likes passwords (they can seem like a chore) and people can tend to cut corners and be careless — admins included.

In fact, according to recent research from cybersecurity company Outpost24, the top password system administrators use is, yes, alarmingly, “admin” followed by others that are amazingly easy to guess or simply the default from initial setup and login. 

“With our personal and work life now being more and more online, we really need to change our approach when it comes to passwords,” Darren James, senior product manager at Outpost24, told VentureBeat. “Using the same, easy to guess, short passwords across multiple systems makes it simple to remember, but also extremely vulnerable to attack.”

Top 20 admin passwords according to Outpost24 research

Outpost24’s ongoing monitoring and intelligence gathering identified roughly 1.8 million passwords. “Admin” had more than 40,000 entries, followed by “12345,” “12345678,” “1234” and “Password.”

1. admin
2. 123456
3. 12345678
4. 1234
5. Password
6. 123
7. 12345
8. admin123
9. 123456789
10. adminisp
11. demo
12. root
13. 123123
14. admin@123
15. 123456aA@
16. 01031974
17. Admin@123
18. 111111
19. admin1234
20. admin1

This dovetails with cyberattack research: The Verizon Data Breach Investigations Report, for instance, found that one of the three primary ways attackers access an organization is credential theft (as well as phishing and vulnerability exploitation).

Also, nearly three-quarters (74%) of breaches are due to human error in the way of use of stolen credentials, privilege misuse and social engineering. 

Attackers are increasingly turning to more specialized password-stealing malware (stealers). Once installed — for example, a user clicks on a phony attachment — they sit in the background and collect information about them, such as logins on web browsers, FTP clients, mail clients and wallet files. 

Another way that threat actors steal passwords is through brute-force attack, or trying out different combinations of passwords or passphrases with the hope of eventually guessing the right one — which in the case of the login intelligence collected by OutPost24, wouldn’t be difficult. Furthermore, they practice credential stuffing, or trying passwords obtained from one account on a different one. 

Admins are human beings, too

So, most of us know the risks — why are we still so lazy about passwords?

James noted that it’s not just the user’s fault. Organizations and services need to have the right policies in place and tools that can support good password policies. 

Many systems still rely on old, short passwords — seven to 12 characters — that have been used since before the internet became a way of life. Organizations don’t often offer guidance to users on how to change passwords, so they go with predictable patterns, such as simply swapping out a number at the end when prompted to change their password (face it, we’ve all been guilty of that). 

But shouldn’t admins know better by now?

“Bad admin passwords are important to weed out, but they are just human beings, and like the rest of us will take shortcuts,” said James. 

Practicing good security hygiene

Default passwords should be changed automatically as soon as first used, James said — that should be a company requirement. 

Organizations should also ensure that they have the right policies applying to the right people. Admins should have two accounts: One for their non-admin work (staying on top of email, doing research) and a different password for their admin role. 

“They should be forced to use long, strong, un-breached passwords for these accounts — and unfortunately for the admins I would still recommend changing them on a regular basis,” said James. 

Also, admin accounts should have multi-factor authentication (MFA) enabled wherever possible. Furthermore, if they’re overwhelmed by too many passwords — and remembering them without writing them down or saving them to docs or email, which can introduce even more security issues — admins should consider using a password manager. 

Such a management system should always have a strong passphrase, which is longer than passwords and therefore more difficult for hackers to guess. For example, James said, three random words consisting of 15 characters that hold meaning for the user. 

There’s no need for complexity, James said, and it can be continuously scanned for a breach,” you don’t even need to change it.”

Passwords not going away, so be vigilant

It’s not unusual for many of us to have tens or maybe even hundreds of passwords today and James points out that “it’s beyond most of us to create unique passwords for every system that we log into.”

Beyond avoiding the obvious (stay away from default passwords), James advised using anti-malware tools and perform continuous scanning of login credentials to ensure they haven’t been breached. Scanning can also help determine whether those logins are used on multiple accounts. Another important practice is disabling browser password savings and auto-fill settings. 

Furthermore, pay attention to domain typosquatting (when hackers register domains with purposely misspelled names of common websites), he emphasized, and verify that you have been redirected to correct sites after clicking on ads.

Passwordless and passkeys are emerging methods to bolster cybersecurity, but James said those are still a ways off from being viable, “so until that authentication utopia arrives (don’t hold your breath),” organizations must emphasize best practices and use the tools at their disposal. 

For those who have been diligent about crafting strong, lengthy, complex passwords and are exasperated by Outpost24’s findings, James offers the encouraging, “Keep up the good work!”

At the same time, keep an eye out and “preach to your colleagues around you,” he said. 

Ultimately, “passwords, whether we like them or not, will remain a key part of the authentication process for the foreseeable future,” said James. “As such, it is extremely important that we try to use them correctly as it can only take one compromised credential to expose your entire infrastructure or personal life.”