
What’s the worst password of 2011? “password”


This last year has brought an increased emphasis on online security. What with the PlayStation Network breach and seemingly endless stories of services, companies, and governments losing personal data or seeing their systems compromised (Valve, Sony, and RSA all spring to mind), one might think consumers would be more careful with the passwords on their email and social networking accounts, mobile devices, and even online banking. According to a report published by SplashData, makers of password management software, that's not really true. SplashData looked at files containing “millions” of stolen passwords that were posted online by cyberattackers in the last year and compiled a list of the 25 most common passwords it found. At the top of the list: “password.”

“Hackers can easily break into many accounts just by repeatedly trying common passwords,” said SplashData CEO Morgan Slain, in a statement. “Even though people are encouraged to select secure, strong passwords, many people continue to choose weak, easy-to-guess ones, placing themselves at risk from fraud and identity theft.”

SplashData’s sample is admittedly biased: its list comprises the 25 most common passwords found in lists of accounts that had already been cracked, meaning accounts with more secure passwords aren’t in the sample set at all. There’s also no indication whether these accounts represent real people or simply accounts created by automation or for testing purposes, so there’s no way of knowing whether guessing the password to any one of them would actually have had a harmful result. Nonetheless, the results seem to indicate a rather shocking naiveté among everyday Internet users.

According to SplashData, the 25 most common passwords cracked by cyberattackers are:

  • password
  • 123456
  • 12345678
  • qwerty
  • abc123
  • monkey
  • 1234567
  • letmein
  • trustno1
  • dragon
  • baseball
  • 111111
  • iloveyou
  • master
  • sunshine
  • ashley
  • bailey
  • passw0rd
  • shadow
  • 123123
  • 654321
  • superman
  • qazwsx
  • michael
  • football

One interesting entry is “passw0rd”—many people think they’re secure from dictionary attacks if they simply change out a letter for a numeral.

Security experts generally recommend that a password be at least eight characters long and contain a mix of upper- and lower-case letters, numbers, and allowable punctuation. From a usability standpoint, however, those sorts of “secure” passwords are difficult for users to remember and type, so they often wind up on sticky notes next to a monitor or in a file or note labelled “password,” further compromising users’ security.

“If you have a password that is short or common or a word in the dictionary, it’s like leaving your door open for identity thieves,” Slain said.

Another approach is to build rather long passwords from strings of seemingly unrelated, ordinary words: such passwords are generally easier to type and remember, although they often aren’t accepted by systems that enforce rules about password length or require special characters.
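To make the preceding three points concrete, here is an added example (not from the article, SplashData, or xkcd) of the kind of check a site could run before accepting a new password. It undoes the common digit- and symbol-for-letter swaps that a dictionary attack already accounts for, so “passw0rd” is caught as “password”; it applies the eight-character, mixed-class rule described above; and it computes the entropy of a passphrase built from randomly chosen ordinary words. The blocklist is a constructed subset of the list printed above, and the substitution table and the 2048-word list size are assumptions made for the example.

```python
import math
import re

# Constructed blocklist: a subset of the SplashData 2011 list quoted in the article.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey",
    "letmein", "trustno1", "dragon", "baseball", "iloveyou", "master",
    "sunshine", "shadow", "superman", "qazwsx", "football",
}

# Assumed substitution table: single-character swaps that cracking rules
# routinely undo, so they add no real strength to a dictionary word.
LEET_MAP = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
            "7": "t", "@": "a", "$": "s", "!": "i"}


def normalize(password: str) -> str:
    """Lowercase and undo digit/symbol-for-letter swaps: 'Passw0rd' -> 'password'."""
    return "".join(LEET_MAP.get(c, c) for c in password.lower())


def candidates(password: str):
    """Forms of the password to compare against the blocklist."""
    lower = password.lower()
    # Drop trailing digits/symbols such as the '1!' in 'password1!'.
    stripped = re.sub(r"[^a-z]+$", "", lower)
    return {lower, stripped, normalize(lower), normalize(stripped)}


def is_common(password: str) -> bool:
    """True if the password, or a trivially de-obfuscated form of it, is on the list."""
    return any(form in COMMON_PASSWORDS for form in candidates(password))


def meets_complexity_rule(password: str) -> bool:
    """The 'eight characters, upper, lower, digit, punctuation' rule from the article."""
    return (len(password) >= 8
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy in bits of word_count words chosen uniformly at random from wordlist_size."""
    return word_count * math.log2(wordlist_size)


def evaluate(password: str) -> dict:
    """Summarise both checks so a sign-up form can explain a rejection."""
    return {"common": is_common(password),
            "meets_rule": meets_complexity_rule(password)}


if __name__ == "__main__":
    for pw in ["passw0rd", "P@ssw0rd!", "correcthorsebatterystaple"]:
        print(pw, evaluate(pw))
    # Four words from an assumed 2048-word list: 4 * 11 = 44 bits.
    print("4-word passphrase bits:", passphrase_bits(4, 2048))
```

The instructive case is “P@ssw0rd!”: it satisfies every clause of the complexity rule yet normalises straight back to “password”, which is why a blocklist check belongs alongside, not instead of, a length rule. The passphrase figure shows the other side of the trade-off: four random words from a modest 2048-word list already give 44 bits of entropy without any character-class juggling.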


[Comic via the excellent xkcd: http://xkcd.com/936/]

[Image via Shutterstock]

Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…