Top 500 worst passwords

Top10Pawrd From Mark Burnett's 2005 book Perfect Passwords: Selection, Protection, Authentication, a table of the "Top 500 Worst Passwords Of All Time." (via Beschizza's Twitter)

UPDATE: As the site is down, here's the whole shebang:

NO Top 1-100 Top 101–200 Top 201–300 Top 301–400 Top 401–500
1 123456 porsche firebird prince rosebud
2 password guitar butter beach jaguar
3 12345678 chelsea united amateur great
4 1234 black turtle 7777777 cool
5 pussy diamond steelers muffin cooper
6 12345 nascar tiffany redsox 1313
7 dragon jackson zxcvbn star scorpio
8 qwerty cameron tomcat testing mountain
9 696969 654321 golf shannon madison
10 mustang computer bond007 murphy 987654
11 letmein amanda bear frank brazil
12 baseball wizard tiger hannah lauren
13 master xxxxxxxx doctor dave japan
14 michael money gateway eagle1 naked
15 football phoenix gators 11111 squirt
16 shadow mickey angel mother stars
17 monkey bailey junior nathan apple
18 abc123 knight thx1138 raiders alexis
19 pass iceman porno steve aaaa
20 fuckme tigers badboy forever bonnie
21 6969 purple debbie angela peaches
22 jordan andrea spider viper jasmine
23 harley horny melissa ou812 kevin
24 ranger dakota booger jake matt
25 iwantu aaaaaa 1212 lovers qwertyui
26 jennifer player flyers suckit danielle
27 hunter sunshine fish gregory beaver
28 fuck morgan porn buddy 4321
29 2000 starwars matrix whatever 4128
30 test boomer teens young runner
31 batman cowboys scooby nicholas swimming
32 trustno1 edward jason lucky dolphin
33 thomas charles walter helpme gordon
34 tigger girls cumshot jackie casper
35 robert booboo boston monica stupid
36 access coffee braves midnight shit
37 love xxxxxx yankee college saturn
38 buster bulldog lover baby gemini
39 1234567 ncc1701 barney cunt apples
40 soccer rabbit victor brian august
41 hockey peanut tucker mark 3333
42 killer john princess startrek canada
43 george johnny mercedes sierra blazer
44 sexy gandalf 5150 leather cumming
45 andrew spanky doggie 232323 hunting
46 charlie winter zzzzzz 4444 kitty
47 superman brandy gunner beavis rainbow
48 asshole compaq horney bigcock 112233
49 fuckyou carlos bubba happy arthur
50 dallas tennis 2112 sophie cream
51 jessica james fred ladies calvin
52 panties mike johnson naughty shaved
53 pepper brandon xxxxx giants surfer
54 1111 fender tits booty samson
55 austin anthony member blonde kelly
56 william blowme boobs fucked paul
57 daniel ferrari donald golden mine
58 golfer cookie bigdaddy 0 king
59 summer chicken bronco fire racing
60 heather maverick penis sandra 5555
61 hammer chicago voyager pookie eagle
62 yankees joseph rangers packers hentai
63 joshua diablo birdie einstein newyork
64 maggie sexsex trouble dolphins little
65 biteme hardcore white 0 redwings
66 enter 666666 topgun chevy smith
67 ashley willie bigtits winston sticky
68 thunder welcome bitches warrior cocacola
69 cowboy chris green sammy animal
70 silver panther super slut broncos
71 richard yamaha qazwsx 8675309 private
72 fucker justin magic zxcvbnm skippy
73 orange banana lakers nipples marvin
74 merlin driver rachel power blondes
75 michelle marine slayer victoria enjoy
76 corvette angels scott asdfgh girl
77 bigdog fishing 2222 vagina apollo
78 cheese david asdf toyota parker
79 matthew maddog video travis qwert
80 121212 hooters london hotdog time
81 patrick wilson 7777 paris sydney
82 martin butthead marlboro rock women
83 freedom dennis srinivas xxxx voodoo
84 ginger fucking internet extreme magnum
85 blowjob captain action redskins juice
86 nicole bigdick carter erotic abgrtyu
87 sparky chester jasper dirty 777777
88 yellow smokey monster ford dreams
89 camaro xavier teresa freddy maxwell
90 secret steven jeremy arsenal music
91 dick viking 11111111 access14 rush2112
92 falcon snoopy bill wolf russia
93 taylor blue crystal nipple scorpion
94 111111 eagles peter iloveyou rebecca
95 131313 winner pussies alex tester
96 123123 samantha cock florida mistress
97 bitch house beer eric phantom
98 hello miller rocket legend billy
99 scooter flower theman movie 6666
100 please jack oliver success albert


  1. This is the third time I’ve seen a link to this list, yet I’ve never seen the actual list due to the site being destroyed by the incoming traffic.

  2. “So the password is: ‘12345’?

    That’s the stupidest password I’ve ever heard! That’s the kind of thing an idiot puts on his luggage!”

    At least essential one thing I need to know for IT, I learned from SpaceBalls.

  3. In my experience in average the most repetitive passwords are “test”, “temp”, “asdf” Also there were quite a few passwords that had some simple name with “123” after.

    As a Microsoft security expert once suggested. The best passwords (when the field allows it) are made of a simple and long phrase. It is easy to remember and impossible to guess.

  4. the best password generator I’ve heard of is the acronym for a simple phrase, which generates nonsense, but is easy to remember. such as
    “this password is nonsense but is easy to remember”
    provides the password

  5. For those of you finding that the site is down, this appears to be a mirror:

    I see no credit to the original site at the moment though. It would seem fair to me if the author of the post mentioned the original source.

    As far as the list goes, I really thought ‘admin’ would be on it. admin/admin is a default setting for the administrative interface for ALL the Wlan router types I set up so far (mind you, that’s not a big number, but still).

  6. When I was a mainframe applications developer, all systems went into production with some test passwords still in the code. By accident, of course. If you’re ever stuck in a CICS screen* & can’t get through, you might get lucky with ‘9999’. It’s worth a try.

    *Now about as likely as needing the carburetor on your car adjusted.

  7. Yes, I too am surprised about the lack of any default passwords on the list.

    I am going to guess admin before I guess blowjob.

  8. I always liked passwords that use phrases you know by heart but aren’t obvious. Even if they see you type bbroygbvgw they aren’t going to be able to remember it long enough to write it down unless they are old electricians.

    Another way to do it: pick some song lyrics, throw in a symbol and another string and you have an amazingly secure password: aobtd^egbdf (Hint, the first one is popular queen lyrics, the second you should know, and may actually be too common to use)

  9. Ha! Dig the shout-out to Tommy Tutone at #371. That damn song is forever stuck in my head for having listened to a girlfriend’s brother’s band rehearsing it in her basement one looong summer.

    “I got it (I got it), I got it…”

  10. There are hacking programs that try out multiple passwords to see which one works. The best ones have specialized dictionaries and use different letter and number combinations. Over time, these programs are supposedly able to crack half of all passwords except for the most difficult ones.

  11. How about “Top 500 worst English passwords”?

    I find that using 2-3 simple words in multiple other languages makes for a fine password.

  12. I once hacked the cc:Mail system at a, um, well, a large tech company in Austin. The most common password — one of the few that showed up more than once — was “JESUS”.

  13. This list can actually be used to dress the most psychological profile of those common users. Lots and lots of sexual frustration I see…

  14. @Zan,

    Given the font on this page (Garamond?), I think one of those “o” passwords is actually a zero (0).

    That’s just my guess. Maybe the font on the actual site or its mirror makes it easier to parse.

  15. This list is pisspoor for not including the obvious “god” and “zeus”. I can attest to how popular these were among high school systems administrators and public librarians during the mid 90s!!!

  16. I assume that sexsex comes from sex being rejected as too short a password. Hmmm. What could I use instead?

  17. Yeah, my default password, and my other passwords aren’t on the list! It’s probably 501 though.

  18. ’bout 15 years ago, I was doing computer support, and the system required changing passwords every 90 days. Just about every executive admin used “spring”, “summer”, “autumn” (fall was too short) and “winter” until the system started requiring non-repeated passwords, at which point all you had to do was append the last two digits of the year…

  19. I don’t know about zeus, but I’m with #21 on the list being suspect for not having “god” on it. Every other “passwords you should never use” article, list or whatnot I’ve ever seen has always put god pretty high up on the list.

  20. And what the hell is wrong with “Slayer” !?
    I suppose “Bon Jovi” would be a better password?

  21. “Okay, what are the three most commonly used password?”

    “Uhhh, love, sex… and uh… secret!”

    “And don’t forget God man. System administrators love to use God, it’s that whole male ego thing.”

    “Hey man, who ate all my fries?”

  22. My firewall warned me that this site tried to access ‘’, which is apparently a malware site. Fortunately, the firewall blocked it.

    :pats firewall software:

  23. Casper? Hmmm. These passwords sounds like beatnik poetry where read aloud from left to right. I suspect a coupla band name’ll arise from this list.

  24. Anyone have any idea how “abgrtyu” made it on to the list, or what it stands for?

    Google thinks that it should be “abg rtyu” and suggests that “abg” means “accidental boob/bum graze/grab” but had no similar suggests for rtyu.

    This is bothering me. If anyone knows, I’d be grateful for resolution.

  25. Make that Top 499 worst passwords

    Number 358 and 365 are the same “0”

    Also, I doubt any program that requires a password would accept “0”, a single character password.

    Maybe we could replace one of the “0”s with a password that is one of the few things Richard M. Stallman and I have in common – a preference to use the “enter” key as our non-password password.

    That is arguably the worst password, and I didn’t see it on the list, though the word “enter” is listed…

  26. Thraxamer said:

    Given the font on this page (Garamond?), I think one of those “o” passwords is actually a zero (0).

    The linked-to page HTML source shows this as the number zero, listed twice. I grabbed the list, shoved it into a spreadsheet and sorted the results, and it came up as two identical digits, the number zero.

    Conclusive, no, but indicative of a typo/repeated password at the least…

  27. I want to know how many people under 25 even have a clue as to what THX1138 even is? Hell I could ask most people over 30 and I bet less than 20% would have a clue.

    And I agree about god. I thought for a min that the list was at least 4 characters long, that was until I saw o twice….

    Frankly if you are techy you probably either have a decently secure password, or something stupid as like ZOMG!…or N00B or WTFBBQSauce!!!1111


  28. Comment from the site about the double 0 issue:

    “On the comment that the number zero shows up twice, I would have to bet that is a formatting issue. With most spreadsheets, “000″ or “0000000″ would be converted to “0″ by default. So if this had been stuck into a spreadsheet that was not formatted as “text,” this conversion would have taken place automatically.”

  29. I like to use foreign phrases re-spelled into nonsense English. For example, “s’il vous plait” becomes “SeaVooPlay,” or “SillVousePlate,” or something like that. Add a few numbers if required. (S33VooPlay…) and, at least according to Google’s password strength checker, they tend to be pretty good.

  30. The last place I worked, the new IT manager objected (rightly) to the use of ‘god’ on various systems. He asked me to go and change them all, which I did. When he asked me what the new password was, I told him: ‘deity’.

  31. Oh good, I was smart and added 123 after asd, I guess I’m safe. That was for an old website though. On the downside, the password for the eWallet on my phone is on that list. Guess I should rethink it, I just didn’t want to type in a complicated password on the phone. At least it’s not in the top 200. :)

  32. I was happy to see that “letmein” is still in style…Ah, the happy days of Novell…

    I remember spending most of high school running around to different classrooms using that backdoor to help teachers who forgot their passwords.

  33. There was a hackers handbook in the 1980s by a chap who’d hacked into Prince Phillip’s Prestel account which stated “password” and “fred” were the most common passwords. The book got banned after a few years.

  34. The most common password that I see is the password is the same as the username (about 90%), or some variation thereof (add a 1, 123 or the username backwards) – and a quick test on a database with 1000s of users shows that the username-based passwords get more hits than the whole list of 499 here.

    Of course if I add a dictionary the hit rate increases by 300%

  35. How did he get that list in the first place,
    aren’t passwords on enterprise grade systems supposed to be one-way encrypted?

  36. rundgren@10

    rush2112 FTW!

    AAPOTSF – Attention all planets of the Solar Federation!


  37. I’m thinking that some government agency needs to be monitoring what some of these people are doing on the Internet!

  38. I’m going to have to second the question:

    Why “abgrtyu”?

    It’s pretty much the only one on the entire list for which I can’t fathom the use of, much less the easy guessing of…

  39. @38 bcsizemo: “I want to know how many people under 25 even have a clue as to what THX1138 even is? Hell I could ask most people over 30 and I bet less than 20% would have a clue.”

    I’d say it’s more than you’d think, since as Lucas’ first feature-length movie anybody who is into film/geekdom will have at least heard of it at some point. Whether or not they’ve seen it is a different story. You might have better luck using “THX-1138 4EB” as a password though, or any of the random character names.

  40. “srinivas”

    Google and wikipedia seem to think that this is the name of an electric mandolin player. He appears to be prominent in India, but he’s played all over the world, and with western musicians.

    I just can’t figure out why he would be on this list. I’d never heard of him before, nor had my mother. It doesn’t seem he was ever particularly popular in the west. There don’t seem to be any other indications of non-American culture or language on the entire list.

    It seems unlikely that this snippet of Indian culture would filter through alone. Is there some reason that this particular artist would make the list? Perhaps an unusual popularity among IT professionals, or some famous other association for the name with which I’m unfamiliar?

    Or did the just try to filter out all of the foreign language passwords, and miss one?

  41. I refuse to believe that “password” is not #1. This gross error casts doubt on the entire list.

  42. ‘chester?’

    Doesn’t strike me as nearly as common as something like ‘admin’ or the others.

    Was there some movie with Evil Archvillain Chester or something that I missed?

  43. These might be the most popular passwords, but none of them are any worse than another. Any password that is present on the common password lists is equally bad, because cracking software doesn’t get bored and give up at number twelve, it tries them all. The least common English word in the dictionary is exactly as bad as the first password on this list.

  44. I figured you can increase your security at the actual keyboard while entering a password by incorporating a “mistake” or two & using the backspace key. However, a very attentive onlooker might notice this as well.

  45. There’s a very good password generator built into Mac OS X, Password Assistant. In System Preferences, click Accounts, then Change Password. You won’t change your password, just borrow the password generator.

    Click the key icon. Now, click Cancel in the change password sheet. Your account password is unchanged, and the Assistant stays on screen.

    Now you can pick different password types from the Type popup, pick one from the Suggestions list, or type one in and look at the Quality indicator to see if your entry is secure enough. Password Assistant will give you the tough love you need.

    If you need help remembering your secure password, don’t use Stickies. Launch Keychain Access. Choose File menu/New Secure Note, and store your password. Your login password will unlock the note if you need to see it.

  46. We ran a scan once of about 100,000 e-mail addresses in our system and found a huge proportion had either the numbers “007” or “69” in them. A lot of guys either horny or harbor James Bond fantasies or both.

  47. the admin password for my router and the passcode is so secure i had to write it down on a piece of paper and slip it inside the CD case for the installer.

  48. I tend to use an 11 letter password, exchanging I’s for ones, and O’s with zero, which gives me a medium secure result. However, for real security, gibberish is best, or special characters like €…¼¥vP-kï·8â›ú£d+ËÖ™|¹¤ÙTâ¢).

  49. I create excellent hard-to-break passwords by using alt+keypad combinations on my stoopid windoes computer:

    alt+0222 is Þ
    alt+0241 is ñ
    alt+0153 is â„¢
    alt+0169 is ©

    You g¡t thé drift…

  50. I think “abgrtyu” is a plagiarism preventer, to be able to tell when another site has stolen the list. Similarly, dictionary publishers like to add a fake word to each edition of their dictionary to make sure no one’s stealing content.

  51. To #37 #19 and #6 regarding the appearance of two zeros in the list. Best explanation I saw on this was spreadsheet truncation. Depending on your settings any length of string consisting of only zeros stands to be truncated into a single zero. Not sure if it was truncated in the original or in the process of moving. But it seemed like a good reason and though I would virus it on over.


  52. Lol i like # 144. (Trying to hack password)”What is it, qwerty, no, 123456, no, wait i got it, gandalf, yes it worked”

  53. I’ve always gone by Clifford Stoll’s (author of “The Cuckoo’s Egg”) idea for passwords: two or three short words along with a number.

    It’s easy to remember and hard to crack, especially if you use words in languages other than English and in different orders.

    Examplea: oui62bub, tadquoi99, icktern153

    Any password can be broken in time by brute force (testing all possible alphanumeric passwords one by one) so these are as secure as any.

  54. The site is no longer down, so the full list could be removed.

    I’m glad to see nobody advocating case sensitivity in passwords here. For the extra bit of information it adds per letter (actually, usually an extra bit per password, since people generally capitalise only the first letter), it gives a huge feeling of false security, and causes a great number of helpdesk calls by people with the caps lock key enabled.

    No password or system which relies on the state of the shift key for security is secure.

    I suspect this list is culled from a specific company or collection of them, and so has a bias to the region: hence why an Indian artist gets in, and admin and changeme don’t.

    Me, to a friend in the US: “I’ve got the worst possible password for my account. You get one guess.”

    Friend: “changeme”

    Me: “bingo”.

    We had not previously discussed password security. I’d be surprised to see that password missing from any true, non-regionalised list of bad passwords.

  55. Ok, so is this a list of the most common passwords? Is that what makes them the “worst?” I’d like to know the criteria. I am assuming that being published in a big list on BB is one.

  56. What’s so funny is that I’ve known people who used these passwords. Basically, the same people that will tell you their password if you ask!

  57. The strength of your password depends on how the password is going to be used and what kind of access and attacker has to the system. You just need your password to be stronger than the weakest link in the system so that it isn’t the weakest link. For example, for your car, your windows are the weakest link, so upgrading your car’s locking mechanisms will not gain you anything in terms of security. The attacker won’t bother with your password, but go for whatever else is weaker (i.e. smashing the window). Strong passwords tend to take longer to type and are easier to forget, so you want it to be just strong enough, but not too strong. You don’t want to spend an hour typing in your super-strong password (let alone memorizing something like that!). Also, if you make them too strong they become weak because you will write them down.

    (There would also be no point in making them longer/stronger than the hash function that the system ultimately runs them through. Also, by “strong” here, I mean “hard to brute force”.)

    If the password is simply providing access to the system at a single terminal, like your home computer, most of the passwords on this list would probably do. It is to keep your friends from playing pranks on you, or to keep your children away from your porn collection (or whatever else you collect, you perv). “Locks keep out only the honest,” they say. Your hardware is sitting right there, and therefore an attacker has physical access to the machine. He can bypass the software that checks the password using that physical access (directly modifying the hard drive, using a live CD, etc).

    If your home computer is locked up in a closet, you still don’t even need a very strong password, because your software can limit the amount and frequency of attempts. The attacker could be limited to, say, 10 guesses before locking them out. The closet door will already be the weak security link. In fact, it would probably be much easier to kick it in or pick the lock (and picking most locks is actually very trivial!) than guess a bunch of passwords.

    Then there are systems where your password is sent in plaintext, like telnet logins and most websites (including BoingBoing). If you ever use these services at the coffee shop on their wireless connection, you just broadcasted your password to everyone in the area. Strong or weak, your password doesn’t matter once you did that.

    As a side note, with systems accessible from the Internet, someone controlling a botnet could potentially make many guesses at your password because it would appear to be many different people each making a few attempts rather than a single person making many: harder to stop. This is why these days they say you should go passwordless when using ssh, using the generated keys instead (I don’t do this … yet). However, even with a botnet, the attempts would be much fewer than someone brute forcing your encryption, leading to …

    When it comes to encryption you need to start having strong passwords, or even passphrases (depends on who you want to keep out). This is where an attacker will be able to make many billions of brute force attempts at his leisure, which he can’t do when guessing your webmail password. He could even have a bunch of computers work at the problem. The faster he wants to crack it, the more computers he will need and the more expensive it gets. This is why (plain) DES has been depreciated, because someone can crack any DES encrypted message with around $10k of hardware.

    Most passwords won’t do in this situation because you need something very hard to guess. It needs to stand up to all that guessing. Of course, you can go overboard here too. Having an entire paragraph as your passphrase (a passparagraph?) would be overkill if you don’t have a major military guarding your computer hardware and home. It would become so expensive to brute force that it would simply be cheaper to break into your home and install a keylogger (now the weak link). Or they be less subtle and get out the rubber hoses or throw you in jail (like the UK does when you won’t give them your encryption keys).

    Anyway, if you are still with me, my favorite way to generate passwords and passphrases is with Diceware. All you need is some six-sided dice, so break out your Monopoly board. Independent of the computer, it makes easy-to-remember passwords of adjustable and measurable strength that are also very easy to type: they are just words. I usually just use them as a lowercase series of words: 2 for a password, 5-10 for a passphrase. Unfortunately, many systems will incorrectly tell you (there are lots of crappy programmers out there, and they all mess up e-mail validation too) these are bad passwords and not let you use them, so you might have to spunk them up with some capitals and odd characters to please their idiot circuits.

  58. To create a strong password just combine 2-3 of these “bad” passwords together horizontally…Hilarity will ensue!

    For example:

    crystal nipple scorpion
    nicole bigdick
    pussy diamond
    muffin cooper
    pass iceman porno
    suckit danielle

    See what I mean? Good luck hackers!

  59. Just because this may be useful to people – the best password ‘manager’ I’ve come across for the web is the (Website, downloadable java package, and firefox plugin, all do the same thing.) which hashes a master password with the sitename.url for a given website for a non-random but non-guessable password.

    You do need to remember four things to use it on different systems – your master password, the hash system (MD5, SHA-1, etc), password length, and list of legal characters (alpha, alphanumeric, alphanumeric+symbolic, etcetera).

    But with those four things you can reproduce your password for any website from the plugin, the website, or the java download, and if one particular website, credit card company, et al get’s hacked you haven’t had *every* website you use compromised.

  60. I had to explain to someone that just because the screen showed ******** – that was not a suggestion for her password ;)

  61. i find the most secure passwords are just an easy to remember word written in 1337. alternate caps and numbers. “p4s5W0rD” is alot more secure than “password”.

  62. abgrtyu – think about it!

    Try typing it with one hand, first comes the A, and then you lift your hand off the keyboard and go to the B, After the B you simply drag your finger across the rest of the letters GRTYU.

    In case you dont get it, its easy because after the A, every letter is next to each other on the keyboard.

    A BGRTYU see?

  63. #89: It’s a common myth that these forms of obfuscation are worthwhile. However, p4s5W0rD has only about 16 bits more potential randomness than the unmunged word “password”: one bit per letter for the number substitutions, and one bit per letter for the capitals. Most cracking scripts are well aware of number substitution and case shifting, so neither adds anything significant to the password. Adding three additional characters would be easier to remember and to type, and harder to crack: passwordskx, for example.

    However, as has already been said, it is all relative. 16 bits more protection is 16 bits, and if you’re not protecting something important enough to tunnel encryptedly over the wifi, and use a full passphrase, then sure, messing with case and kiboizing the text will add some small layer of protection.

  64. I’m not techy at all, but I have used those weird alphanumeric codes that you must decipher when getting a new email addy. I also use only the first letter of a foreign language phrase with a few numbers that mean something to me, thus easy to remember. They show as “strong”. I don’t live in California, but I love their license plate numbers.

  65. “Nos0illegitimi1non2tatum3carborundum.”
    BEAT that password (and yes i use the quotations also) :-P

  66. Secure passwords are easy if you simply take your favorite lyrics or sayings and use the first letter of each word.

    They can be really long and then throw in the name of the site or group you are working in so the bots don’t guess it.

    GMAIL PASSWORD = bjinmlsjagwctiatoggmail

    “Billie jean is not my lover
    Shes just a girl who claims that I am the one”

    Easy to remember and HARD to crack

  67. I’m amazed that nothing related to shows like Pokémon and Digimon aren’t on there, unless I missed a few.

    At first, I didn’t understand what QWERTY was, until I noticed that you start from Q and go along to Y.
    Such lazy people.

    Why have Passes like that if other people use them?

  68. This is just for a laugh, you may find some more funny combinations than I did. Have you tried to build whole sentences out of the bad passwords? Look at line 34 or line 58 – is it a hint of Tiger Woods passwords? :)

  69. the best password is virus so that when hackers are hacking and the password displays to them they read Virus and they will be like we got an error and they keep trying lol :p

Comments are closed.