Top 500 worst passwords


107 Responses to “Top 500 worst passwords”

  1. TEKNA2007 says:


    rush2112 FTW!

    AAPOTSF – Attention all planets of the Solar Federation!


  2. Craigger1 says:

    I’m thinking that some government agency needs to be monitoring what some of these people are doing on the Internet!

  3. misshallelujah says:

    I’m going to have to second the question:

    Why “abgrtyu”?

    It’s pretty much the only one on the entire list for which I can’t fathom the use of, much less the easy guessing of…

  4. Anonymous says:

    the best password is virus so that when hackers are hacking and the password displays to them they read Virus and they will be like we got an error and they keep trying lol :p

  5. Anonymous says:


  6. Anonymous says:

    I’ve always gone by Clifford Stoll’s (author of “The Cuckoo’s Egg”) idea for passwords: two or three short words along with a number.

    It’s easy to remember and hard to crack, especially if you use words in languages other than English and in different orders.

    Examplea: oui62bub, tadquoi99, icktern153

    Any password can be broken in time by brute force (testing all possible alphanumeric passwords one by one) so these are as secure as any.

  7. Anonymous says:

    I tend to use an 11 letter password, exchanging I’s for ones, and O’s with zero, which gives me a medium secure result. However, for real security, gibberish is best, or special characters like €…¼¥vP-kï·8â›ú£d+ËÖ™|¹¤ÙTâ¢).

  8. Uncle_Max says:

    @38 bcsizemo: “I want to know how many people under 25 even have a clue as to what THX1138 even is? Hell I could ask most people over 30 and I bet less than 20% would have a clue.”

    I’d say it’s more than you’d think, since as Lucas’ first feature-length movie anybody who is into film/geekdom will have at least heard of it at some point. Whether or not they’ve seen it is a different story. You might have better luck using “THX-1138 4EB” as a password though, or any of the random character names.

  9. notKeith says:

    I create excellent hard-to-break passwords by using alt+keypad combinations on my stoopid windoes computer:

    alt+0222 is Þ
    alt+0241 is ñ
    alt+0153 is â„¢
    alt+0169 is ©

    You g¡t thé drift…

  10. Peter says:

    Surprised ‘swordfish’ isn’t on the list.

  11. RedShirt77 says:

    I always thought the worst one was the one taped to my screen

  12. jeremedia says:

    This is the third time I’ve seen a link to this list, yet I’ve never seen the actual list due to the site being destroyed by the incoming traffic.

  13. GeekMan says:

    “So the password is: ’12345′?

    That’s the stupidest password I’ve ever heard! That’s the kind of thing an idiot puts on his luggage!”

    At least essential one thing I need to know for IT, I learned from SpaceBalls.

  14. classic01 says:

    In my experience in average the most repetitive passwords are “test”, “temp”, “asdf” Also there were quite a few passwords that had some simple name with “123″ after.

    As a Microsoft security expert once suggested. The best passwords (when the field allows it) are made of a simple and long phrase. It is easy to remember and impossible to guess.

  15. lpetrazickis says:

    I think “abgrtyu” is a plagiarism preventer, to be able to tell when another site has stolen the list. Similarly, dictionary publishers like to add a fake word to each edition of their dictionary to make sure no one’s stealing content.

  16. Zan says:

    Why is “0″ on the list twice?

  17. Midtownhipster says:

    Two of my friends have these bike locks which require you to set the combo on purchase. If you don’t set it it’s 0000. And yes that is their combination because they didn’t bother to read the directions.

  18. Anonymous says:

    I’m not techy at all, but I have used those weird alphanumeric codes that you must decipher when getting a new email addy. I also use only the first letter of a foreign language phrase with a few numbers that mean something to me, thus easy to remember. They show as “strong”. I don’t live in California, but I love their license plate numbers.

  19. Dewi Morgan says:

    #89: It’s a common myth that these forms of obfuscation are worthwhile. However, p4s5W0rD has only about 16 bits more potential randomness than the unmunged word “password”: one bit per letter for the number substitutions, and one bit per letter for the capitals. Most cracking scripts are well aware of number substitution and case shifting, so neither adds anything significant to the password. Adding three additional characters would be easier to remember and to type, and harder to crack: passwordskx, for example.

    However, as has already been said, it is all relative. 16 bits more protection is 16 bits, and if you’re not protecting something important enough to tunnel encryptedly over the wifi, and use a full passphrase, then sure, messing with case and kiboizing the text will add some small layer of protection.

  20. Anonymous says:

    It’s about time someone threw that Hacker quote in there. First thing I thought of…

  21. Anonymous says:

    BEAT that password (and yes i use the quotations also) :-P

  22. Anonymous says:

    I hate to ask this, but how in the heck would the author know these are the top 500?

  23. Anonymous says:

    Secure passwords are easy if you simply take your favorite lyrics or sayings and use the first letter of each word.

    They can be really long and then throw in the name of the site or group you are working in so the bots don’t guess it.

    GMAIL PASSWORD = bjinmlsjagwctiatoggmail

    “Billie jean is not my lover
    Shes just a girl who claims that I am the one”

    Easy to remember and HARD to crack

  24. Anonymous says:

    i find the most secure passwords are just an easy to remember word written in 1337. alternate caps and numbers. “p4s5W0rD” is alot more secure than “password”.

  25. Benth says:

    “abgrtyu”: Watch what your fingers do when you type it. Only explanation I can think of.

  26. Sunfell says:

    My firewall warned me that this site tried to access ‘’, which is apparently a malware site. Fortunately, the firewall blocked it.

    :pats firewall software:

  27. Anonymous says:

    To #37 #19 and #6 regarding the appearance of two zeros in the list. Best explanation I saw on this was spreadsheet truncation. Depending on your settings any length of string consisting of only zeros stands to be truncated into a single zero. Not sure if it was truncated in the original or in the process of moving. But it seemed like a good reason and though I would virus it on over.


  28. batu b says:

    the best password generator I’ve heard of is the acronym for a simple phrase, which generates nonsense, but is easy to remember. such as
    “this password is nonsense but is easy to remember”
    provides the password

  29. Dante says:

    Casper? Hmmm. These passwords sounds like beatnik poetry where read aloud from left to right. I suspect a coupla band name’ll arise from this list.

  30. Anonymous says:

    I can’t believe bootylicious didn’t mAke the list!!

  31. SednaBoo says:

    Ok, so is this a list of the most common passwords? Is that what makes them the “worst?” I’d like to know the criteria. I am assuming that being published in a big list on BB is one.

  32. edwardsch says:

    For those of you finding that the site is down, this appears to be a mirror:

    I see no credit to the original site at the moment though. It would seem fair to me if the author of the post mentioned the original source.

    As far as the list goes, I really thought ‘admin’ would be on it. admin/admin is a default setting for the administrative interface for ALL the Wlan router types I set up so far (mind you, that’s not a big number, but still).

  33. Purly says:

    What’s so funny is that I’ve known people who used these passwords. Basically, the same people that will tell you their password if you ask!

  34. Tarantio says:


    Google and wikipedia seem to think that this is the name of an electric mandolin player. He appears to be prominent in India, but he’s played all over the world, and with western musicians.

    I just can’t figure out why he would be on this list. I’d never heard of him before, nor had my mother. It doesn’t seem he was ever particularly popular in the west. There don’t seem to be any other indications of non-American culture or language on the entire list.

    It seems unlikely that this snippet of Indian culture would filter through alone. Is there some reason that this particular artist would make the list? Perhaps an unusual popularity among IT professionals, or some famous other association for the name with which I’m unfamiliar?

    Or did the just try to filter out all of the foreign language passwords, and miss one?

  35. rundgren says:

    rush2112 FTW!

  36. Soon Lee says:


    Is it the QWERTY analogue from a non-QWERTY keyboard layout?

  37. Anonymous says:

    How does the author know which passwords are the most popular?


    When I was a mainframe applications developer, all systems went into production with some test passwords still in the code. By accident, of course. If you’re ever stuck in a CICS screen* & can’t get through, you might get lucky with ’9999′. It’s worth a try.

    *Now about as likely as needing the carburetor on your car adjusted.

  39. Anonymous says:

    What surprises me is that ‘foobar’ is not on the list.

  40. Spherical Time says:

    Anyone have any idea how “abgrtyu” made it on to the list, or what it stands for?

    Google thinks that it should be “abg rtyu” and suggests that “abg” means “accidental boob/bum graze/grab” but had no similar suggests for rtyu.

    This is bothering me. If anyone knows, I’d be grateful for resolution.

  41. Tweeker says:

    Yes, I too am surprised about the lack of any default passwords on the list.

    I am going to guess admin before I guess blowjob.

  42. LieutenantLefse says:

    What, no reindeerflotilla?

  43. Anonymous says:

    Bark bark

  44. Adam Fields says:

    I refuse to believe that “password” is not #1. This gross error casts doubt on the entire list.

  45. aelfscine says:


    Doesn’t strike me as nearly as common as something like ‘admin’ or the others.

    Was there some movie with Evil Archvillain Chester or something that I missed?

  46. Anonymous says:

    I always liked passwords that use phrases you know by heart but aren’t obvious. Even if they see you type bbroygbvgw they aren’t going to be able to remember it long enough to write it down unless they are old electricians.

    Another way to do it: pick some song lyrics, throw in a symbol and another string and you have an amazingly secure password: aobtd^egbdf (Hint, the first one is popular queen lyrics, the second you should know, and may actually be too common to use)

  47. Maneki Nico says:

    Ha! Dig the shout-out to Tommy Tutone at #371. That damn song is forever stuck in my head for having listened to a girlfriend’s brother’s band rehearsing it in her basement one looong summer.

    “I got it (I got it), I got it…”

  48. Anonymous says:

    abgrtyu – think about it!

    Try typing it with one hand, first comes the A, and then you lift your hand off the keyboard and go to the B, After the B you simply drag your finger across the rest of the letters GRTYU.

    In case you dont get it, its easy because after the A, every letter is next to each other on the keyboard.

    A BGRTYU see?

  49. nanuq says:

    There are hacking programs that try out multiple passwords to see which one works. The best ones have specialized dictionaries and use different letter and number combinations. Over time, these programs are supposedly able to crack half of all passwords except for the most difficult ones.

  50. Master Gracey says:

    Make that Top 499 worst passwords

    Number 358 and 365 are the same “0″

    Also, I doubt any program that requires a password would accept “0″, a single character password.

    Maybe we could replace one of the “0″s with a password that is one of the few things Richard M. Stallman and I have in common – a preference to use the “enter” key as our non-password password.

    That is arguably the worst password, and I didn’t see it on the list, though the word “enter” is listed…

  51. Master Gracey says:

    Thraxamer said:

    Given the font on this page (Garamond?), I think one of those “o” passwords is actually a zero (0).

    The linked-to page HTML source shows this as the number zero, listed twice. I grabbed the list, shoved it into a spreadsheet and sorted the results, and it came up as two identical digits, the number zero.

    Conclusive, no, but indicative of a typo/repeated password at the least…

  52. bcsizemo says:

    I want to know how many people under 25 even have a clue as to what THX1138 even is? Hell I could ask most people over 30 and I bet less than 20% would have a clue.

    And I agree about god. I thought for a min that the list was at least 4 characters long, that was until I saw o twice….

    Frankly if you are techy you probably either have a decently secure password, or something stupid as like ZOMG!…or N00B or WTFBBQSauce!!!1111


  53. Agent 86 says:

    How about “Top 500 worst English passwords”?

    I find that using 2-3 simple words in multiple other languages makes for a fine password.

  54. Drhaggis says:

    Everyone should send in their passwords so they can compile the list of Best passwords.

  55. Anonymous says:

    Go to

    Gibson Research has a several random password generators. There is a 63 random alpha-numeric character (a-z, A-Z, 0-9) unique password generator
    which you can use part or all of.

  56. John Miles says:

    I once hacked the cc:Mail system at a, um, well, a large tech company in Austin. The most common password — one of the few that showed up more than once — was “JESUS”.

  57. IamInnocent says:

    This list can actually be used to dress the most psychological profile of those common users. Lots and lots of sexual frustration I see…

  58. jwz says:

    These might be the most popular passwords, but none of them are any worse than another. Any password that is present on the common password lists is equally bad, because cracking software doesn’t get bored and give up at number twelve, it tries them all. The least common English word in the dictionary is exactly as bad as the first password on this list.

  59. Anonymous says:

    We ran a scan once of about 100,000 e-mail addresses in our system and found a huge proportion had either the numbers “007″ or “69″ in them. A lot of guys either horny or harbor James Bond fantasies or both.

  60. Anonymous says:

    Comment from the site about the double 0 issue:

    “On the comment that the number zero shows up twice, I would have to bet that is a formatting issue. With most spreadsheets, “000″ or “0000000″ would be converted to “0″ by default. So if this had been stuck into a spreadsheet that was not formatted as “text,” this conversion would have taken place automatically.”

  61. Anonymous says:

    What, no KNOCKERS?

  62. Ernunnos says:

    No CPE1704TKS? Not enough geeks being polled.

  63. Thraxamer says:


    Given the font on this page (Garamond?), I think one of those “o” passwords is actually a zero (0).

    That’s just my guess. Maybe the font on the actual site or its mirror makes it easier to parse.

  64. ravenword says:

    I like to use foreign phrases re-spelled into nonsense English. For example, “s’il vous plait” becomes “SeaVooPlay,” or “SillVousePlate,” or something like that. Add a few numbers if required. (S33VooPlay…) and, at least according to Google’s password strength checker, they tend to be pretty good.

  65. Anonymous says:

    I had to explain to someone that just because the screen showed ******** – that was not a suggestion for her password ;)

  66. jungletek says:

    #61: Nice perspective, and sound logic.

  67. avraamov says:

    someone who’s online banking was never compromised:

  68. wynneth says:

    This list is pisspoor for not including the obvious “god” and “zeus”. I can attest to how popular these were among high school systems administrators and public librarians during the mid 90s!!!

  69. Anonymous says:

    The last place I worked, the new IT manager objected (rightly) to the use of ‘god’ on various systems. He asked me to go and change them all, which I did. When he asked me what the new password was, I told him: ‘deity’.

  70. Anonymous says:

    Simply, and brilliantly :


    No one can dig that out!

  71. Anonymous says:

    what would be top passwords for a mac with the hint being “woof woof” ?

  72. Evil Jim says:

    I figured you can increase your security at the actual keyboard while entering a password by incorporating a “mistake” or two & using the backspace key. However, a very attentive onlooker might notice this as well.

  73. skeeto says:

    The strength of your password depends on how the password is going to be used and what kind of access and attacker has to the system. You just need your password to be stronger than the weakest link in the system so that it isn’t the weakest link. For example, for your car, your windows are the weakest link, so upgrading your car’s locking mechanisms will not gain you anything in terms of security. The attacker won’t bother with your password, but go for whatever else is weaker (i.e. smashing the window). Strong passwords tend to take longer to type and are easier to forget, so you want it to be just strong enough, but not too strong. You don’t want to spend an hour typing in your super-strong password (let alone memorizing something like that!). Also, if you make them too strong they become weak because you will write them down.

    (There would also be no point in making them longer/stronger than the hash function that the system ultimately runs them through. Also, by “strong” here, I mean “hard to brute force”.)

    If the password is simply providing access to the system at a single terminal, like your home computer, most of the passwords on this list would probably do. It is to keep your friends from playing pranks on you, or to keep your children away from your porn collection (or whatever else you collect, you perv). “Locks keep out only the honest,” they say. Your hardware is sitting right there, and therefore an attacker has physical access to the machine. He can bypass the software that checks the password using that physical access (directly modifying the hard drive, using a live CD, etc).

    If your home computer is locked up in a closet, you still don’t even need a very strong password, because your software can limit the amount and frequency of attempts. The attacker could be limited to, say, 10 guesses before locking them out. The closet door will already be the weak security link. In fact, it would probably be much easier to kick it in or pick the lock (and picking most locks is actually very trivial!) than guess a bunch of passwords.

    Then there are systems where your password is sent in plaintext, like telnet logins and most websites (including BoingBoing). If you ever use these services at the coffee shop on their wireless connection, you just broadcasted your password to everyone in the area. Strong or weak, your password doesn’t matter once you did that.

    As a side note, with systems accessible from the Internet, someone controlling a botnet could potentially make many guesses at your password because it would appear to be many different people each making a few attempts rather than a single person making many: harder to stop. This is why these days they say you should go passwordless when using ssh, using the generated keys instead (I don’t do this … yet). However, even with a botnet, the attempts would be much fewer than someone brute forcing your encryption, leading to …

    When it comes to encryption you need to start having strong passwords, or even passphrases (depends on who you want to keep out). This is where an attacker will be able to make many billions of brute force attempts at his leisure, which he can’t do when guessing your webmail password. He could even have a bunch of computers work at the problem. The faster he wants to crack it, the more computers he will need and the more expensive it gets. This is why (plain) DES has been depreciated, because someone can crack any DES encrypted message with around $10k of hardware.

    Most passwords won’t do in this situation because you need something very hard to guess. It needs to stand up to all that guessing. Of course, you can go overboard here too. Having an entire paragraph as your passphrase (a passparagraph?) would be overkill if you don’t have a major military guarding your computer hardware and home. It would become so expensive to brute force that it would simply be cheaper to break into your home and install a keylogger (now the weak link). Or they be less subtle and get out the rubber hoses or throw you in jail (like the UK does when you won’t give them your encryption keys).

    Anyway, if you are still with me, my favorite way to generate passwords and passphrases is with Diceware. All you need is some six-sided dice, so break out your Monopoly board. Independent of the computer, it makes easy-to-remember passwords of adjustable and measurable strength that are also very easy to type: they are just words. I usually just use them as a lowercase series of words: 2 for a password, 5-10 for a passphrase. Unfortunately, many systems will incorrectly tell you (there are lots of crappy programmers out there, and they all mess up e-mail validation too) these are bad passwords and not let you use them, so you might have to spunk them up with some capitals and odd characters to please their idiot circuits.

  74. Gemma says:

    I assume that sexsex comes from sex being rejected as too short a password. Hmmm. What could I use instead?

  75. ciscogrant says:

    To create a strong password just combine 2-3 of these “bad” passwords together horizontally…Hilarity will ensue!

    For example:

    crystal nipple scorpion
    nicole bigdick
    pussy diamond
    muffin cooper
    pass iceman porno
    suckit danielle

    See what I mean? Good luck hackers!

  76. Bitgod says:

    Oh good, I was smart and added 123 after asd, I guess I’m safe. That was for an old website though. On the downside, the password for the eWallet on my phone is on that list. Guess I should rethink it, I just didn’t want to type in a complicated password on the phone. At least it’s not in the top 200. :)

  77. genes says:

    omg two of my passwords are on that list :D

  78. Jonnan says:

    Just because this may be useful to people – the best password ‘manager’ I’ve come across for the web is the (Website, downloadable java package, and firefox plugin, all do the same thing.) which hashes a master password with the sitename.url for a given website for a non-random but non-guessable password.

    You do need to remember four things to use it on different systems – your master password, the hash system (MD5, SHA-1, etc), password length, and list of legal characters (alpha, alphanumeric, alphanumeric+symbolic, etcetera).

    But with those four things you can reproduce your password for any website from the plugin, the website, or the java download, and if one particular website, credit card company, et al get’s hacked you haven’t had *every* website you use compromised.

  79. Dewi Morgan says:

    The site is no longer down, so the full list could be removed.

    I’m glad to see nobody advocating case sensitivity in passwords here. For the extra bit of information it adds per letter (actually, usually an extra bit per password, since people generally capitalise only the first letter), it gives a huge feeling of false security, and causes a great number of helpdesk calls by people with the caps lock key enabled.

    No password or system which relies on the state of the shift key for security is secure.

    I suspect this list is culled from a specific company or collection of them, and so has a bias to the region: hence why an Indian artist gets in, and admin and changeme don’t.

    Me, to a friend in the US: “I’ve got the worst possible password for my account. You get one guess.”

    Friend: “changeme”

    Me: “bingo”.

    We had not previously discussed password security. I’d be surprised to see that password missing from any true, non-regionalised list of bad passwords.

  80. Anonymous says:

    asdfgh?? hahahah qwerty… haha again.. quite a lazy password setter!!!

  81. Anonymous says:

    Gilbert Anonymous here:

    It’s sad that so little imagination is apparent.knows augusta

  82. TotalForge says:

    There’s a very good password generator built into Mac OS X, Password Assistant. In System Preferences, click Accounts, then Change Password. You won’t change your password, just borrow the password generator.

    Click the key icon. Now, click Cancel in the change password sheet. Your account password is unchanged, and the Assistant stays on screen.

    Now you can pick different password types from the Type popup, pick one from the Suggestions list, or type one in and look at the Quality indicator to see if your entry is secure enough. Password Assistant will give you the tough love you need.

    If you need help remembering your secure password, don’t use Stickies. Launch Keychain Access. Choose File menu/New Secure Note, and store your password. Your login password will unlock the note if you need to see it.

  83. Bryan Price says:

    Yeah, my default password, and my other passwords aren’t on the list! It’s probably 501 though.

  84. djdocremixed says:

    I was happy to see that “letmein” is still in style…Ah, the happy days of Novell…

    I remember spending most of high school running around to different classrooms using that backdoor to help teachers who forgot their passwords.

  85. Anonymous says:

    This is just for a laugh, you may find some more funny combinations than I did. Have you tried to build whole sentences out of the bad passwords? Look at line 34 or line 58 – is it a hint of Tiger Woods passwords? :)

  86. mahaman55 says:

    Lol i like # 144. (Trying to hack password)”What is it, qwerty, no, 123456, no, wait i got it, gandalf, yes it worked”

  87. Anonymous says:

    I like reading them horizontally. It’s “london hotdog time” for the “maverick penis”

  88. tw15 says:

    There was a hackers handbook in the 1980s by a chap who’d hacked into Prince Phillip’s Prestel account which stated “password” and “fred” were the most common passwords. The book got banned after a few years.

  89. joelfinkle says:

    ’bout 15 years ago, I was doing computer support, and the system required changing passwords every 90 days. Just about every executive admin used “spring”, “summer”, “autumn” (fall was too short) and “winter” until the system started requiring non-repeated passwords, at which point all you had to do was append the last two digits of the year…

  90. Anonymous says:

    I’m amazed that nothing related to shows like Pokémon and Digimon aren’t on there, unless I missed a few.

    At first, I didn’t understand what QWERTY was, until I noticed that you start from Q and go along to Y.
    Such lazy people.

    Why have Passes like that if other people use them?

  91. Anonymous says:

    The most common password that I see is the password is the same as the username (about 90%), or some variation thereof (add a 1, 123 or the username backwards) – and a quick test on a database with 1000s of users shows that the username-based passwords get more hits than the whole list of 499 here.

    Of course if I add a dictionary the hit rate increases by 300%

  92. Daemon says:

    I don’t know about zeus, but I’m with #21 on the list being suspect for not having “god” on it. Every other “passwords you should never use” article, list or whatnot I’ve ever seen has always put god pretty high up on the list.

  93. Bonnie says:

    And what the hell is wrong with “Slayer” !?
    I suppose “Bon Jovi” would be a better password?

  94. Anonymous says:

    How did he get that list in the first place,
    aren’t passwords on enterprise grade systems supposed to be one-way encrypted?

  95. Anonymous says:

    no “admin” or “passtemp” ? wtf

  96. Anonymous says:

    ok! thanks! i love it very much!

  97. Anonymous says:

    I know a guy who had a password ‘abcdefghij’

    I hacked him sooooooooooo many times

  98. querent says:

    I would have thought “thx1138″ would have been pretty good. hm.

  99. Anonymous says:


    is the name of a very popular deity in south india – SrInivas – and hence a very popular/common name in south india.

  100. Anonymous says:

    my password is ********

  101. Anonymous says:

    Vote for 1234567 (39th) since 123456 is 1st and 12345678 is 3rd.

  102. adunaphel13 says:

    the admin password for my router and the passcode is so secure i had to write it down on a piece of paper and slip it inside the CD case for the installer.

  103. adunaphel13 says:

    “are so secure” and “write them down” and… oh shucks, you guys get the point.

  104. iamcantaloupe says:

    “Okay, what are the three most commonly used password?”

    “Uhhh, love, sex… and uh… secret!”

    “And don’t forget God man. System administrators love to use God, it’s that whole male ego thing.”

    “Hey man, who ate all my fries?”

Leave a Reply