For many years, the Hasso Plattner Institute (HPI) has emphasized the necessity of selecting secure passwords to protect against criminal access. However, a look at the top twenty most-used passwords in Germany in 2019 shows that too many Internet users still rely on simple number sequences such as "123456", key combinations such as "qwertz" or words such as "password"—none of which provide effective protection.
Top Twenty German passwords
Rank | Password | Rank | Password |
1 | 123456 | 11 | dragon |
2 | 123456789 | 12 | iloveyou |
3 | 12345678 | 13 | password1 |
4 | 1234567 | 14 | monkey |
5 | password | 15 | qwertz123 |
6 | 111111 | 16 | target123 |
7 | 1234567890 | 17 | tinkle |
8 | 123123 | 18 | qwertz |
9 | 000000 | 19 | 1q2w3e4r |
10 | abc123 | 20 | 222222 |
Many users are overburdened
The biggest problem: "Many Internet users already manage more than a hundred online accounts," says Professor Christoph Meinel, Director of the Hasso Plattner Institute (HPI). "Because whether we are booking a trip, shopping or taking a course—we currently require a password for all online services. It's annoying to remember a different password for each service and it puts a strain on many users," adds Meinel.
Everyone needs a password strategy or a password manager these days
The institute director sees that all too often the choice falls on passwords that are easy to remember. In addition, the passwords are used several times for different services. In an emergency, criminals would thus have access to several accounts at once. Meinel’s tip: Nowadays, everyone needs a password strategy or a password manager.
Data basis: 67 million sets of access data
Just as in previous years, HPI is publishing the passwords most frequently used by Germans in 2019. The data are drawn from the HPI Identity Leak Checker, the HPI's online security check. The basis this year alone is 67 million passwords that are registered to email addresses with .de domains and were leaked, i.e. published, in 2019. This year, 178 such data leaks were entered into the Identity Leak Checker, 96 of which were confirmed by the service providers.
The Identity Leak Checker
Whether or not you yourself have been a victim of data theft can be checked easily with the Identity Leak Checker. Since 2014, every Internet user has been able to check free of charge at https://sec.hpi.de/ilc, by entering his or her email address, whether their identity data is circulating freely on the Internet and could be misused.
HPI's security researchers make it possible to compare the data with more than 10 billion sets of stolen identity data freely available on the Internet. The focus is on leaks that affect German users, and the service is unique in Germany.
A total of more than 14 million users have already used the Identity Leak Checker to check the security of their data over the past five years. In more than 3 million cases, users were informed that their email address was openly accessible on the Internet in connection with other personal data.
The Identity Leak Checker Client
HPI offers the Identity Leak Checker Client to larger companies and organizations for a fee. After registering the company's email domain, the company regularly receives lists of all email addresses in the domain(s) that are affected by a leak.
Tips for password selection
The Hasso Plattner Institute therefore recommends the following when choosing a password:
- Long passwords (> 15 characters)
- Use all character classes (upper and lower case letters, numbers, special characters)
- No words from the dictionary
- No reuse of identical or similar passwords for different services
- Use of password managers
- Password change in case of security incidents and whenever passwords do not meet the rules above
- Activation of two-factor authentication whenever possible