The worst online passwords: Did you make the list?

From your email account to your iPhone, it seems that everything requires a password nowadays. With the dozens (or hundreds!) of passwords that everyone is supposed to remember, it’s only natural that many people take the lazy way out and pick an easy-to-remember password like, well, password!

It turns out that “password” is indeed the most commonly used password on the internet, according to a list compiled by SplashData and posted by PC World. The company built the list by examining password dumps that crackers had posted online, some of them from very notable breaches.

  1. password
  2. 123456
  3. 12345678
  4. qwerty
  5. abc123
  6. monkey
  7. 1234567
  8. letmein
  9. trustno1
  10. dragon
  11. baseball
  12. 111111
  13. iloveyou
  14. master
  15. sunshine
  16. ashley
  17. bailey
  18. passw0rd
  19. shadow
  20. 123123
  21. 654321
  22. superman
  23. qazwsx
  24. michael
  25. football

So what makes a secure password? Length matters most: treat eight characters as a floor rather than a target, because every additional character multiplies the work an attacker has to do. Mixing upper and lower case letters, numbers, and symbols helps, but only if the result is not a dictionary word with predictable substitutions; notice that passw0rd and abc123 both made the list above. You should also avoid using the same password on more than one site, since a single breached site then hands the attacker every account that shares it. If you must reuse something, keep it to throwaway accounts that contain no personal information and that you genuinely don’t care about being compromised, and never let that password touch email, banking or anything that can reset other accounts. Another tip is to build the password from a phrase or song lyric instead of a word. If you're a Dream Theater fan, for example, maybe you could use "pmu!IamNOTa" for "Pull me under, I am not afraid."

Another security concern to take into consideration is that some installations of Windows store your password insecurely. Older versions of Windows (and newer ones left at their legacy settings) keep a LAN Manager hash, or LM hash for short, next to the stronger NT hash, and the LM hash is easy to break: the password is converted to upper case, padded with nulls to 14 characters and split into two independent seven-character halves, each of which is hashed separately. An attacker therefore never has to crack a 14-character password, only two case-insensitive seven-character ones, which brute force or rainbow tables dispose of in hours. You could have an ultra-secure 14-character password, but if Windows is not configured to stop storing the LM hash (the policy is "Network security: Do not store LAN Manager hash value on next password change", and as the name says it only takes effect once the password is changed again) it will still be stored as two seven-character pieces, making a break-in extremely easy. If you’re really paranoid, use a password of 15 characters or more: an LM hash cannot represent more than 14 characters, so Windows stores a fixed placeholder instead and the weakness disappears entirely.
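As an added example that is not part of the original article, the following Go program computes an LM hash with the standard library's crypto/des, so that the two independent halves and the 15-character cut-off can be seen directly. The constant "KGS!@#$%" and the empty-half value AAD3B435B51404EE are part of the documented algorithm, not secrets; the password strings in main are constructed for the demonstration.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// LM encrypts this fixed 8-byte string under each key half. The constant is
// part of the algorithm, not a secret.
var lmMagic = []byte("KGS!@#$%")

// DES of the constant under a key of seven zero bytes, i.e. an empty half.
// Windows stores it twice for an account that has no LM hash at all.
const emptyHalf = "AAD3B435B51404EE"

// desKey spreads the 56 key bits of a 7-byte half across 8 bytes, 7 bits per
// byte. The low bit of every byte is a parity bit that DES ignores, so it is
// simply left as zero.
func desKey(k7 []byte) []byte {
	k := []byte{
		k7[0] >> 1,
		(k7[0]&0x01)<<6 | k7[1]>>2,
		(k7[1]&0x03)<<5 | k7[2]>>3,
		(k7[2]&0x07)<<4 | k7[3]>>4,
		(k7[3]&0x0F)<<3 | k7[4]>>5,
		(k7[4]&0x1F)<<2 | k7[5]>>6,
		(k7[5]&0x3F)<<1 | k7[6]>>7,
		k7[6] & 0x7F,
	}
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// lmHalf hashes one 7-byte half: a single DES-ECB encryption of the constant
// with the half as the key, returned as 16 upper-case hex digits.
func lmHalf(half []byte) string {
	block, err := des.NewCipher(desKey(half))
	if err != nil {
		panic(err) // only a wrong key length can fail, and desKey always returns 8 bytes
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return strings.ToUpper(hex.EncodeToString(out))
}

// LMHash computes the LAN Manager hash: upper-case the password, pad it with
// nulls to 14 bytes, hash each 7-byte half on its own and concatenate them.
// A password over 14 characters cannot be represented, so Windows stores the
// empty placeholder; that is exactly why 15 or more characters is safe.
func LMHash(password string) string {
	if len(password) > 14 {
		return emptyHalf + emptyHalf
	}
	buf := make([]byte, 14) // zero bytes are the padding
	copy(buf, strings.ToUpper(password))
	return lmHalf(buf[:7]) + lmHalf(buf[7:])
}

func main() {
	// Constructed inputs: note the shared first half and the 15-character placeholder.
	for _, pw := range []string{"", "password", "passwordXYZ", "Password1", "Pull me under!!"} {
		h := LMHash(pw)
		fmt.Printf("%-18q %s %s\n", pw, h[:16], h[16:])
	}
}
```

Run it and compare the first sixteen hex digits of password, passwordXYZ and Password1: they are identical, because only the upper-cased first seven characters feed that half, while the second half of password is simply LM("D"), a one-character search. The fifteen-character input yields the placeholder value because nothing of it was stored.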

So how do you keep all of these passwords safe? Some recommend an online password manager, but by doing so you are trusting the provider, and everything on the path to it, never to expose your vault: a breach or interception there gives up every password at once. Instead, rely on a desktop solution such as Password Safe, or an encrypted TrueCrypt container, so that the database only ever exists encrypted on your own machine, and protect it with a master password that is itself long and unique.

It’s interesting to note that even a password that looks random on the surface, such as “qazwsx”, is not safe: it is just the first two columns of a QWERTY keyboard read top to bottom, and cracking tools include keyboard walks like this in their dictionaries alongside ordinary words.
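As an added example, not part of the original article, here is a small Go checker that applies the rules from the "what makes a secure password" paragraph together with the keyboard-pattern point above. It rejects anything on the list, undoes common letter-for-digit substitutions and strips trailing digits or symbols (so passw0rd, P@ssw0rd and password1 are all treated as password), flags keyboard walks such as qazwsx as well as alphabetic and numeric runs, and checks length and character mix. The key-sequence list and the substitution table are this example's own assumptions; real cracking dictionaries are far larger.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// The 25 entries of the SplashData list reproduced in the article.
var commonPasswords = map[string]bool{
	"password": true, "123456": true, "12345678": true, "qwerty": true,
	"abc123": true, "monkey": true, "1234567": true, "letmein": true,
	"trustno1": true, "dragon": true, "baseball": true, "111111": true,
	"iloveyou": true, "master": true, "sunshine": true, "ashley": true,
	"bailey": true, "passw0rd": true, "shadow": true, "123123": true,
	"654321": true, "superman": true, "qazwsx": true, "michael": true,
	"football": true,
}

// Key sequences a cracking dictionary enumerates (an assumed, minimal set):
// QWERTY rows, the digit row, keyboard columns with the digit above each,
// and the alphabet. Each is matched in both directions.
var sequences = []string{
	"qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
	"1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm",
	"abcdefghijklmnopqrstuvwxyz",
}

// Substitutions a rule-based cracker undoes before the dictionary lookup,
// and characters commonly tacked on the end to satisfy a complexity rule.
var deleet = strings.NewReplacer("0", "o", "1", "l", "3", "e", "4", "a", "5", "s", "7", "t", "@", "a", "$", "s")

const suffixes = "0123456789!@#$%^&*.?"

func reverse(s string) string {
	b := []byte(s)
	for i, j := 0, len(b)-1; i < j; i, j = i+1, j-1 {
		b[i], b[j] = b[j], b[i]
	}
	return string(b)
}

// onSequence reports whether sub lies on one of the key sequences.
func onSequence(sub string) bool {
	for _, seq := range sequences {
		if strings.Contains(seq, sub) || strings.Contains(reverse(seq), sub) {
			return true
		}
	}
	return false
}

// isKeyboardWalk reports whether s consists entirely of runs of three or more
// adjacent keys (qazwsx is the first two QWERTY columns) or of one repeated
// character. The greedy segmentation is good enough for a policy check.
func isKeyboardWalk(s string) bool {
	s = strings.ToLower(s)
	if len(s) < 3 {
		return false
	}
	if strings.Count(s, s[:1]) == len(s) {
		return true
	}
	for i := 0; i < len(s); {
		end := 0
		for j := i + 3; j <= len(s) && onSequence(s[i:j]); j++ {
			end = j
		}
		if end == 0 {
			return false
		}
		i = end
	}
	return true
}

// isCommon looks the password up as typed, with substitutions undone, and with
// trailing digits or symbols removed, so password1 and P@ssw0rd both hit.
func isCommon(s string) bool {
	lower := strings.ToLower(s)
	plain := deleet.Replace(lower)
	for _, c := range []string{lower, plain, strings.TrimRight(lower, suffixes), strings.TrimRight(plain, suffixes)} {
		if commonPasswords[c] {
			return true
		}
	}
	return false
}

// Check applies the article's rules and returns whether the password passes
// and, if not, every reason it failed.
func Check(pw string) (bool, []string) {
	var reasons []string
	if len(pw) < 8 {
		reasons = append(reasons, "shorter than 8 characters")
	}
	if isCommon(pw) {
		reasons = append(reasons, "a common password or a trivial variant of one")
	}
	if isKeyboardWalk(pw) {
		reasons = append(reasons, "a keyboard walk, sequence or repeated character")
	}
	symbol := func(r rune) bool { return unicode.IsPunct(r) || unicode.IsSymbol(r) }
	classes := 0
	for _, class := range []func(rune) bool{unicode.IsLower, unicode.IsUpper, unicode.IsDigit, symbol} {
		if strings.IndexFunc(pw, class) >= 0 {
			classes++
		}
	}
	if classes < 3 {
		reasons = append(reasons, "uses fewer than three character classes")
	}
	return len(reasons) == 0, reasons
}

func main() {
	// Constructed inputs, including the article's own passphrase-derived example.
	for _, pw := range []string{"password", "P@ssw0rd", "qazwsx", "abcdefghijklmnopqrstuvwxyz", "pmu!IamNOTa"} {
		ok, why := Check(pw)
		fmt.Printf("%-28q ok=%-5v %s\n", pw, ok, strings.Join(why, "; "))
	}
}
```

The alphabet entry in the sequence list is there because a 26-character run of letters scores as very strong on length-only estimators while a cracker tries it in the first second; the "pmu!IamNOTa" passphrase from the article passes every check.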

Image Courtesy of Twitip.com

Poll

Have you ever used one of these passwords?


80 Comments


xpclient said,
Those 10% who click "Yes" must be having a very low IQ. They should give up computing and stop coming to Neowin.

The question does say "ever." I'll fully admit that I used one of them in the past. Granted it was in the BBS days in the 80s when I was a kid, but I've used one.

wx4VStaC8eOMYOurLpqt6Y6FOL6Froz20uLeDPk20XirpcfPJ0EOXNMobQR46lI6TSvxD69JSMABhAsTeDMxEULbEIq8aTjt5CDC

^My usual type of password, but can vary ^

A lot of people here seem to comment only to tell everyone how secure their passwords are..

Also, I'm amazed there hasn't been a single reference to hunter2 so far...

Yeah, that site is not too accurate. It may only be using one type of algorithm to brute-force passwords. Rainbow tables will crack through a good deal of passwords very fast.

ShiFteDReaLitY said,
Just doing some random passwords on http://howsecureismypassword.net/, apparently the password abcdefghijklmnopqrstuvwxyz is pretty secure... not sure if it's just because it's a long password or what, but just found it funny... and my lowest password to hack according to that site is 768 years.

"i can't remember" would take 35 billion years to hack.

President Skroob: [enters after the interrogation of King Roland] "Well? Did it work? Where's the king?"
Dark Helmet: "It worked, sir. We have the combination."
President Skroob: "Great. Now we can take every last breath of fresh air from planet Druidia. What's the combination?"
Dark Helmet: "1 2 3 4 5."
President Skroob: "1 2 3 4 5? That's amazing! I've got the same combination on my luggage! Prepare Spaceball 1 for immediate departure!"
Dark Helmet: "Yes, sir!"
President Skroob: "And change the combination on my luggage!"

tuckeratlarge said,
I was asked, at work, recently for a password with eight characters.

So I chose "Snow White and the Seven Dwarfs"

Ha, funny!
But you forgot the evil witch and the prince!

I use the same password at every site with a simple variation of the last letter(s) or number(s) being different according to what site I'm on.

Nothing I'm really TOO worried about anyway. I guess if the site that gets hacked gives up my password, it must not have been a very secure site anyway. Actually just had that happen a few months ago when dslreports.com got its passwords hacked. Had to change my password there then. First time ever!!

Nope,
My password isn't on that list either and I've NEVER used a single one of those. Don't know anyone who has either.

I have used welcome before when setting up profiles.

I also use password1 when I am signing up to a site I don't really want a long membership to.

My passwords now? Some are very simple, some not so but according to howsecureismypassword.net it would take 600 years to hack my most secure, but just my least secure says "Common Password: In The Top 3,600 Most Used Passwords. Your password is very commonly used. It would be hacked almost instantly.". Meh.

Mr Spoon said,
I have used welcome before when setting up profiles.

I also use password1 when I am signing up to a site I don't really want a long membership to.
My passwords now? Some are very simple, some not so but according to howsecureismypassword.net it would take 600 years to hack my most secure, but just my least secure says "Common Password: In The Top 3,600 Most Used Passwords. Your password is very commonly used. It would be hacked almost instantly.". Meh.

Just 600 years? Try this:

It would take a desktop PC
About 5 million years
to hack your password

Same password I use everywhere I go.

All 3 passwords I've used in the past are pretty easy, common English things. PayPal actually forces you to use a strong password, and on PayPal I have a variation of one of those 3 using a capital letter, a number and a symbol in between the password. Example: if my easy password was "google" (it isn't, I invite you to try) my PayPal is something like

"gOoGl9!e"

I consider it moronic (unless it is top secret or governmental) to use a 16-character alphanumeric password consisting of upper/lower case, numbers and symbols. It is hard to remember and nothing that you have is that important.

I'm surprised "trustno1" made it, I have seen it once before as a wifi password but didn't think it was an obvious password or I would have changed it

I have always used Spanish words and Spanish names for passwords. And they are not words like... "hola" or "gracias".

They are usually Spanish words that are said in a casual conversation... but... not said a lot during the conversation.

texasghost said,
I have always used Spanish words and Spanish names for passwords. And they are not words like... "hola" or "gracias".

They are usually Spanish words that are said in a casual conversation... but... not said a lot during the conversation.


That's actually not a good password either. Many password cracking tools use dictionaries to brute force the password -- and it's not limited to just English dictionaries. French, Spanish, even Klingon and medical dictionaries are widely available to plug into the programs.

Fezmid said,

That's actually not a good password either. Many password cracking tools use dictionaries to brute force the password -- and it's not limited to just English dictionaries. French, Spanish, even Klingon and medical dictionaries are widely available to plug into the programs.

Again... not everyday Spanish words I use for passwords. And personally... if they want to go through a lot of work and trial and error to find my Spanish passwords... I will shake their hand and congratulate them.

texasghost said,

Again... not everyday Spanish words I use for passwords. And personally... if they want to go through a lot of work and trial and error to find my Spanish passwords... I will shake their hand and congratulate them.

With brute force, he meant a program. A human trying one word after another can take ages, but the program will do that in a few minutes.

Well, my Neowin password is basically not going to be broken.

Sometimes I'll use less secure passwords, but usually on sites I don't care THAT much about to begin with. But for pretty much anything I care about, I'll usually use something super secure (randomly generated with 'Password Safe') or some other passwords I've been using a while that are basically secure, even if not super high secure.

Zappa859 said,
Great song pick in the article for the password.
<3 Dream Theater.
Going to listen to it now.

Lol yeah awesome DT reference.

Pajter said,

Lol yeah awesome DT reference.


Glad you guys liked it - I've been a HUGE fan since 'I&W first came out, and LOVE Scenes.

I have a two column list of site and its associated password. Yes, it may not be very secure; but I live alone, so there is no one else mucking around on or about my computer.

TsarNikky said,
I have a two column list of site and its associated password. Yes, it may not be very secure; but I live alone, so there is no one else mucking around on or about my computer.

*unless* a virus sneaks itself onto your computer and downloads that file O.O

Come on, everyone must have had 'password' at some point.

I used to use it as my Keepass Safe password until it came to my attention that wasn't very safe.

I have an evolving password; from time to time it gets longer, and it's composed of all kinds of symbols. I don't know how to dictate the password or to write it down with one hand ) I need two hands to make it work; it is painful to log in on a phone )

Season said,
I have an evolving password; from time to time it gets longer, and it's composed of all kinds of symbols. I don't know how to dictate the password or to write it down with one hand ) I need two hands to make it work; it is painful to log in on a phone )

Same with me... gotta hate horrible phone keyboards.

Don't bull**** me, the three most commonly used passwords are love, secret, and sex, although not in that order.

Oh, and don't forget God. System administrators love to use God, it's the whole male ego thing.

The Teej said,
Don't bull**** me, the three most commonly used passwords are love, secret, and sex, although not in that order.

Oh, and don't forget God. System administrators love to use God, it's the whole male ego thing.

Our sysadmins at school always used movie stuff. We managed to find most of the passwords they used. Titanic was the last I remember, but they also had Clooney and Kidman...

The Teej said,
Don't bull**** me, the three most commonly used passwords are love, secret, and sex, although not in that order.

Oh, and don't forget God. System administrators love to use God, it's the whole male ego thing.

Used to be the best Hacker Movie when it was out, huh?

It was really funny when I rewatched it recently.

All my passwords are long (15 characters+), different for each and every website/application, have mixed case, symbols and numbers. Hell yeah security. AND I'd never give any of my passwords to anyone. Ever. Ever.

Shadrack said,
yup. dragon was my password back in my BBS days and my "friend" at the time hacked it.

I know someone who uses dragon as password.
Even worse is that her email address and login name includes "dragon" too!
And she doesn't want to change it because it's easy to remember. Sigh...

littleneutrino said,
Nope, did not make the list at all. Mine are generated by a custom algorithm that I wrote in college.

And you remember the password how then?

htcz said,

And you remember the password how then?

I made my first secure password with a password generator. (It was my website before that). I typed it every day for one month or so, and now it's my LastPass main password, where I keep all my random generated passwords.

I think I will change it soon anyways.

littleneutrino said,
Nope, did not make the list at all. Mine are generated by a custom algorithm that I wrote in college.

Pretty much the same here.
Each site has a different password worked out via a pretty unbreakable system.

MidnightDevil said,
A secure password would be something like this:

ThisIsMyPa$$w0rd!Im28Yy3ars0ld!AHAROTFLMÃO!


As someone stated somewhere in the comments, the bigger problem is the password reuse, not having a strong password in general.

Used all ones before when creating temp test accounts at work. They are just normal accounts that are deleted right after use.

24. michael ?

That's a bit random, isn't it? lol

I would have been caught when I was young and daft, using password, thinking I was the first to think of it

Detection said,
24. michael ?

That's a bit random, isn't it? lol

I would have been caught when I was young and daft, using password, thinking I was the first to think of it

Yeah, that caught me too. Must be a lot of admins out there with the name Michael. Maybe there is a stat on top names of IT people out there.

I'm surprised I don't see KeePass on the list of desktop solutions. TrueCrypt is very good, but it's overkill for just keeping passwords encrypted. Anyway, it doesn't matter how strong a password is; indeed, the major problem these days is password re-use. With the hundreds of accounts people maintain they're doomed to re-use passwords. It's enough for a single site to get cracked and you become susceptible to having all your accounts where you used the same password hacked.

Damn. Never crossed my mind around 20 of them...

Anyway, I would recommend also writing full sentences, or the start of sentences, plus the abbreviations the page recommended.

Furthermore, thanks for the list, I think I'll be barging into my friend's account tonight.

panacea said,
I just changed my neowin password.
Over the last 10 years it was QWERTY.

And I thought I was really clever back in 2001 when I came up with it.

At least you did not use "trustno1".

Like, who are these guys!! haha

SteelToast said,
Why is it that monkey always makes it onto that list?

Well, it's funny. But definitely not secure.

SteelToast said,
Why is it that monkey always makes it onto that list?

wheres..

love
sex
and...
GOD

I'm surprised P@ssw0rd isn't on the list. I guess not many people use the @ sign.

shiny_red_cobra said,


You forgot "secret" lol

I have a friend who told me that her password is "remember" because she always forgot the other ones. True Story.