Skip to main content

What’s the worst password of 2011? “password”

password
Image used with permission by copyright holder

This last year has brought an increased emphasis on online security—what with the PlayStation Network breach, seemingly endless stories of services, companies, and governments losing personal data or seeing their systems compromised (Valve, Sony, and RSA all spring to mind), one might think consumers would be more careful with passwords on their email and social networking accounts, mobile devices, and even online banking. According to a report published by SpashData—makers of password management software, that’s not really true. SpashData looked at files containing “millions” of stolen passwords that were posted online by cyberattackers in the last year, and has compiled a list of the 25 most common passwords it found. At the top of the list: “password.”

“Hackers can easily break into many accounts just by repeatedly trying common passwords,” said SplashData CEO Morgan Slain, in a statement. “Even though people are encouraged to select secure, strong passwords, many people continue to choose weak, easy-to-guess ones, placing themselves at risk from fraud and identity theft.”

SpashData’s sample is admittedly biased: its list comprises the 25 most common passwords it found in lists of accounts that had been cracked—meaning accounts with more-secure passwords aren’t even in the sample set. There’s also no indication whether these accounts represent real people or simply accounts created by automation or for testing purposes: there’s no way of knowing whether guessing the password to any one of those accounts would actually have a harmful result. Nonetheless, the results seem to indicate a rather shocking naiveté from everyday Internet users.

According to SplashData, the 25 most common passwords cracked by cyberattackers are:

  • password
  • 123456
  • 12345678
  • qwerty
  • abc123
  • monkey
  • 1234567
  • letmein
  • trustno1
  • dragon
  • baseball
  • 111111
  • iloveyou
  • master
  • sunshine
  • ashley
  • bailey
  • passw0rd
  • shadow
  • 123123
  • 654321
  • superman
  • qazwsx
  • michael
  • football

One interesting entry is “passw0rd”—many people think they’re secure from dictionary attacks if they simply change out a letter for a numeral.

Security experts generally recommend a password be at least eight characters long, contain a mix of upper- and lower-case letters, numbers, and allowable punctuation. However, from a usability standpoint, those sorts of “secure” passwords are difficult for users to remember and use—meaning they often wind up on sticky notes next to a monitor or in a file or note labelled “password,” further compromising users’ security.

“If you have a password that is short or common or a word in the dictionary, it’s like leaving your door open for identity thieves,” Slain said.

Another approach is to create rather long passwords from strings of seemingly, unrelated, ordinary words: those passwords are generally easier to type and remember, although they often aren’t accepted by systems that enforce rules about password length or requiring special characters.

xckd-password-strength
Image used with permission by copyright holder

[Comic via the excellent xkcd: http://xkcd.com/936/]

[Image via Shutterstock]

Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…
This huge password manager exploit may never get fixed
A large monitor displaying a security hacking breach warning.

It’s been a bad few months for password managers -- albeit mostly just for LastPass. But after the revelations that LastPass had suffered a major breach, attention is now turning to open-source manager KeePass.

Accusations have been flying that a new vulnerability allows hackers to surreptitiously steal a user’s entire password database in unencrypted plaintext. That’s an incredibly serious claim, but KeePass’s developers are disputing it.

Read more
Passwords are hard and people are lazy, new report shows
A person using 1Password on a MacBook.

Despite ongoing efforts by security researchers and internet titans to push us to use stronger passwords and two-factor authentication to secure online accounts, people are lazy and continue to make serious mistakes that jeopardize their privacy and security, a new report shows.

A new survey that delves into password selection shows an alarmingly high number of people reuse passwords across multiple accounts. If you are doing this, you should be aware that it only takes one security breach to put all of your accounts at risk. Hackers know that this is a common practice and will try the same stolen passwords at every popular online service in hopes of gaining easy access.

Read more
Online payment fraud has doubled over the past seven years
A person holding a ThinkPad Nano X1 Gen 2 laptop in front of a window.

Online payment fraud increased 137% over the past seven years according to research conducted by SEON, a UK-based fraud prevention service.

SEON based its research on data from the Identity Threat Research Center and used it to identify data compromises that came from online payments.

Read more