Check out the worst passwords of 2015 - is yours on the list?

Weak passwords, using the same one for different websites and unsafe surfing habits can make Singaporeans easy targets for cyber criminals looking to steal private data, cyber security experts here say.

Last Monday, a former administrative assistant admitted cracking the passwords of 300 SingPass account holders and selling the details to a China-based syndicate to produce sham Singapore visa applications.

James Sim Guan Liang, 39, made tens of thousands of attempts to guess them when he realised some people used their NRIC number as their SingPass password - which also happened to be their username.

Sim cracked the passwords of 300 SingPass account holders and sold the details to a syndicate.
James Sim Guan Liang cracked the passwords of 300 SingPass account holders and sold the details to a syndicate. ST PHOTO: WONG KWAI CHOW

Such targeted attacks are only possible if people choose a word linked to their personal information, which may include things that they share through social media.

"Sometimes the answers to security questions for resetting passwords can easily be retrieved from an individual's personal data," said Mr Vicky Ray, a threat intelligence analyst from network security firm Palo Alto Networks.

"This could be responses to questions like: Where did one go to school? Such information can easily be retrieved from LinkedIn or Facebook."

  • Five password errors that make it easy for hackers to access users' private information

  • 1. Using personal information that can be found on social media or commonly used words as

    2. Not using complex passwords that include a combination of lowercase letters, uppercase
    letters, digits and symbols.

    3. Using short passwords that are fewer than nine characters in length.

    4. Using one password for multiple websites or accounts.

    5. Not changing passwords regularly.


It is one of the many ways passwords are cracked by dedicated hackers. Another is by using a weak or common password, like one on the "world's worst password" list.

This was published last week by password management firm SplashData, which analysed more than 20 million passwords globally that were leaked over the last year.

The list was topped by "123456", "password" and "qwerty" - the first five letters on the top row of a regular keyboard. New entries on the list, now in its fifth year, include pop culture references like "star wars", "solo", and "princess", following the release of the latest Star Wars movie.

Weak passwords are bypassed with software using a "brute force" approach to guessing them.

"With common, widely available cyber security tools, the average six- character, all-lowercase password takes less than 10 minutes to be cracked," said Mr David Siah, country general manager of security software firm Trend Micro Singapore. "Adding just one capital letter and an asterisk increases the cracking time for an eight-letter password from 2.4 days to 2.1 centuries."

Users may also be tricked into giving up their passwords when they surf the Internet.

"Most stolen passwords are 'lost' through phishing, where the victim is tricked into voluntarily giving up his credentials to a fake website made to look like the real site," said senior research fellow Nick FitzGerald from security software maker ESET Asia Pacific.

But Mr Charles Lim, a senior industry analyst for digital transformation at research firm Frost & Sullivan Asia Pacific, stressed that it is also important for organisations to have strong database security.

Their password database can be hacked into, and the information sold to criminals, he said.

To boost security, passwords should be eight characters or more and include a combination of lower and uppercase letters, digits and symbols. Users should also change passwords often, not use the same password on different sites or use personal information or common words as passwords.

Join ST's WhatsApp Channel and get the latest news and must-reads.

A version of this article appeared in the print edition of The Sunday Times on January 31, 2016, with the headline Check out the worst passwords of 2015 - is yours on the list?. Subscribe