"Worst passwords" of 2011

SplashData, a company that makes password management tools, has released a roundup of 2011's "25 worst passwords," gleaned from password-dumps posted by "hackers" (presumably, sources like the Lulzsec Sony password files). I can't locate the actual study and its methodology (are these passwords "worst" because they're the most common, or because they contain the least entropy? Is the sample set representative?) but the list is still informative, and, of course, it can give a warm glow of superiority to those of us with stronger passwords.

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football

Passwords have been a recurring theme this year, and it's becoming increasingly clear (to me, at least) that passwords may be reaching their end-of-life on the Internet.

25 Worst Passwords of 2011 [STUDY]
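A list like this is most useful as a denylist at password-change time. The sketch below is an added example, not code from SplashData or from this post: it checks a candidate against the 25 entries after undoing trivial padding and look-alike substitutions. The function name, the substitution table and the sample inputs are assumptions made for illustration.

```python
import re

# The 25 entries from the list above.
WORST_2011 = [
    "password", "123456", "12345678", "qwerty", "abc123", "monkey",
    "1234567", "letmein", "trustno1", "dragon", "baseball", "111111",
    "iloveyou", "master", "sunshine", "ashley", "bailey", "passw0rd",
    "shadow", "123123", "654321", "superman", "qazwsx", "michael",
    "football",
]

# Look-alike substitutions undone before comparison (assumed mapping).
LEET = str.maketrans("013457@$", "oleastas")

# Map every listed entry, and its de-substituted form, back to the entry.
NORMALISED = {}
for word in WORST_2011:
    NORMALISED[word] = word
    NORMALISED.setdefault(word.translate(LEET), word)


def match_worst(candidate):
    """Return the listed entry that `candidate` reduces to, or None."""
    low = candidate.lower()
    # Strip leading/trailing symbols, then leading/trailing digits as well.
    no_sym = re.sub(r"^[\W_]+|[\W_]+$", "", low)
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", low)
    forms = [low, no_sym, core]
    for form in forms + [f.translate(LEET) for f in forms]:
        if form in NORMALISED:
            return NORMALISED[form]
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real dump.
    for pw in ["qazwsx123", "123qazwsx", "TrustNo1!", "pa55w0rd",
               "P@ssword2011", "thestrangelonelinessofscarecrows"]:
        print(f"{pw!r:40} -> {match_worst(pw)}")
```

A match means the candidate is one of the listed passwords with cosmetic changes; no match says nothing about strength, only that it is not on this particular list.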


  1. Maybe they were chosen as “worst” on aesthetic grounds.

    “password” and “letmein” are both pretty bad groaners.

  2. The funniest entry here has to be qazwsx.  I bet the people entering it must marvel at the simplicity of their super cryptic password.

    I can’t quite figure out the popularity of monkey and dragon though…

    1. That, or it’s very easy to do. A lot of people at my office use variations of that- IT has it set up that we have to change our passwords every 4 weeks to something that hasn’t been used in the last six password changes.

      So you get a cycle of stuff like, oh, qazwsx followed by qazwsx123 followed by 123qazwsx so on and so forth.

      We’re just a small girl scout council. Especially in my department, we don’t have much that’s confidential or valuable or useful for non-Girl Scout purposes. Stupid passwords are more a result of security not really being a priority compared to just being able to get on to the computer in the morning with a minimum of fuss for those who haven’t yet had their coffee.

    2. It may derive from the Chinese zodiac and refer to the user’s birth year. Although I’m not sure why the years of the monkey and dragon would be represented more than the others…

  3. This is a tricky idea to put into words, but I wonder what the stupidest password in relation to the power of the information it protects is. I mean, is there someone quite high up in the FBI or CIA whose password is “football”?
    I hope so.

  4. “9. trustno1”

    The fact that an X-files reference is in the top ten either makes me very happy or very sad.

  5. I would be happy if I could just use emo-band sounding semi-sentences as my password.  “pa55w0rd” is not as good as “thestrangelonelinessofscarecrows” or whatever.

    1. Actually, Mord “thestrangeloneliness….” is not such a bad PW.  It’s easy for you to remember, but so long that no random testing of it will likely succeed.

  6. I’ve just been given access to the admin system at work, and passwords have to be alphanumeric with caps, and they change every couple of months. Groan
    It’s bad enough with all the bloody passwords I have to try to remember, now I have another that keeps changing. Thing is, it’s in a completely secure environment that no ‘civilians’ have access to, and is completely firewalled.
    Oh well…

  7. So obviously, there’s this xkcd that’s relevant.  The problems:
    -remembering the order of a four-word arbitrary phrase is nearly impossible (for me at least, I know it’s technically only 2 bits but apparently my brain is not a Turing machine)
    -many systems cap max length of passwords (which is stupid if it’s anything less than, say, 32 character limit)
    -many systems require special chars, numbers, etc. anyway

    New strategy: use cryptic two-word phrases with repeating characters (try googling your phrase; if it’s the title of any article on wikipedia get a new phrase).  Only use character substitutions on repeating characters and, this is the real kicker, use both the original character AND the substitutions.  This guarantees that cracker substitution algorithms have to loop through each character trying each possible combination of originals and substitutions rendering the substitution strategy nearly useless.  A substitution algorithm that just naively subs out all of one type of character would never get your password.

    1. A sentence isn’t a very good idea either because there are plenty of dictionary-based cracking tools. The best password would be 20 odd characters of random digits, characters and symbols that don’t stand for anything or have any personal meaning. It’s just a matter of memorization.

      1. Yes, exactly.  That’s why I advocate cryptic two-word phrases that are meaningless to everyone but you and character substitution schemes designed to frustrate character substitution algorithms.

  8. many of these web login/passwords seem really pointless but so it goes.

    I started using a simple formula for fairly good security passwords that are unique to the service and easy to remember:

    Take the name of the service you are logging into  e.g. boingboing
    use the first and last n characters – typically 3
    insert a secret character sequence in the middle e.g. Yr666#, that is used for all passwords
    get boiYr666#ing

    or herYr666#tz
    or daiYr666#kos

    etc. etc.

    1. I’ve been using a very similar strategy for the last few years and it works really well.  Each site ends up with a specific password (so if one is compromised, I don’t lose everything), but they’re all easy to remember.

    2. I switched to that style when Gawker handed out everyone’s passwords last year. At least now when there’s a breach everything isn’t impacted.

      1. Except that it is.  If your supersecret boingboing password is boi$5497ng and your yahoo password is yah$5497oo, I think I’ll be able to guess what your hotmail one is and just run it out over amazon and paypal as well.

      2. Actually, the breach DOES impact everything. The alert reader who gets your password for BB, say, ‘boiKR55ing’, then knows that banKR55ica is your BofA password.
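The scheme from comment 8 and the objection raised in its replies, worked through as an added example (not code from any commenter). The function names and the "hotmail" service are illustrative; `keyed_password` is an assumed alternative that nobody in the thread proposes, shown only to contrast a derivation where one disclosed password does not reveal the others.

```python
import base64
import hashlib
import hmac


def scheme_password(service, infix):
    """Comment 8's recipe: first 3 chars + shared infix + up to the last 3 chars."""
    return service[:3] + infix + service[3:][-3:]


def infer_infix(service, disclosed):
    """What one plaintext password plus the site name gives away."""
    head, tail = service[:3], service[3:][-3:]
    if disclosed.startswith(head) and disclosed.endswith(tail):
        return disclosed[len(head):len(disclosed) - len(tail)]
    return None


def keyed_password(service, master_key, length=16):
    """Assumed alternative: per-site value from HMAC-SHA256 under a secret key."""
    mac = hmac.new(master_key, service.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()[:length]


if __name__ == "__main__":
    infix = "Yr666#"  # the sample infix used in comment 8
    for site in ("boingboing", "hertz", "dailykos"):
        print(site, "->", scheme_password(site, infix))

    # One disclosed password is enough to reproduce every other one.
    seen = infer_infix("boingboing", "boiYr666#ing")
    print("inferred infix:", seen)
    print("hotmail would be:", scheme_password("hotmail", seen))

    # With the keyed derivation the per-site values share no visible pattern.
    key = b"constructed-demo-key"  # constructed value for the demo
    print(keyed_password("boingboing", key), keyed_password("hotmail", key))
```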

  9. Of course, very few people have to worry about anyone taking the time and effort to ‘break’ a password. Most damage is done by passwords stolen en masse. In that case it doesn’t matter how good your password was, all that matters is that it’s not your one and only password to unlock everything you do on the web.

    1. Of course, very few people have to worry about anyone taking the time and effort to ‘break’ a password. Most damage is done by passwords stolen en masse.

      Even when a whole database is lifted it helps if the users have bothered to use secure passwords (providing the database has been appropriately encrypted).  Passwords like “password” are bad exactly because they’re common allowing the use of rainbow tables to crack encrypted password databases. 

      In other words, using crappy passwords ruins security for everyone so don’t do it.

      Edit: hack -> crack. Let’s take it back.

  10. I’ve recently been changing all of my passwords to 8+ digit/letter combos because of Gmail’s requirement for an 8 character password and I simply cannot keep all of my passwords in my head.  What really gets me are all of the requirements:  one capital one number one symbol no three characters repeating in a row….  my passwords end up looking like I fell asleep on the keyboard.  How can I remember my somnambulant password entry???

    1. ZOMG, I’m having a password issue right now.  I was complaining about Gmail but I really meant Apple (as in Apple ID).   Great. I think I may have to go write my Apple ID on the back of my iPhone for future reference, as I can’t seem to remember the password from one use to the next. 

      Letmein was also a very good horror flick, in case you need more of a reason to use that password. 

  11. One password that doesn’t make it in the top ten lists because of its inherent uniqueness is the username.

    I’ve lost count how many email address passwords I’ve seen that were the username.

  12. I don’t know gmail’s rules, but they accept passwords with more than eight characters. Maybe it’s an eight character minimum?

    I don’t know if it’s accurate regarding security of long simple passwords versus short complicated passwords, but the xkcd comic linked above offers useful advice for generating a memorable long password.

    Edit: was intended as response to Shibi_SF, but apparently typed in wrong box. And now Shibi_SF says they didn’t mean gmail anyway.

  13. This reminds me of that part in “Surely You’re Joking, Mr. Feynman!” when he guesses Niels Bohr’s safe combination.

    For some reason Feynman felt that Bohr would use a date for the combination so he just ran every date in the range of the last 30 years or so and got the combination pretty quickly.

    The moral of the story is *don’t use dates*, because there are less of them than you might think.

  14. Song lyrics and such are your friend. They can be used in one of two ways: “takealittlerideonthemixersface” if you need sheer length (great for 802.11 passphrases) or if you want mixed-case alphanumeric, “T4lR0tMf”. I suggest appending something site-specific to avoid password reuse, and there are a few different strategies for that. One is that you could have “T4lRotMfhf” for your BoingBoing password and “T4lRotMfnq” for your HotMail password (“bb” and “hm” incremented by 6 and 4 characters).

    And as mentioned above, if both passwords are shown in the clear someone could figure out that pattern and thus deduce any of your other passwords that are based on the same scheme, but that’s a pretty rare and drastic scenario to be defending against, and therefore probably not worth the effort for most things. And even so, adding a single special character to denote high value passwords would protect against that while still not hampering memorability.

    1. I used to do that too, but now I try to discourage the use of song titles, lyrics, and musical acts.  Again, if your password is the title of an article on wikipedia, it is not a good password.

  15. Wow… in what culture is “bailey” such an all-fired popular word?  I’d expect to find “swordfish” much, much higher up than that.

  16. You want a password that’s easy to remember but hard to guess?  Simple.  Take a word you like, like “password”, and pad it with a bunch of one character at a location of your choosing.  For example, “password0000000000”.  There, a long password that’s easy to remember but absolute hell to brute force.

    1. But some accounts like apple(?) restrict the use of repeating characters. They say: no three repeats in a row. ;(. Otherwise, I do like your idea and I would do that in a h34rtb34t!

  17. Switched telcos recently for a new landline/broadband bundle. Biggest telco in Australia. They created a new account for me… AND GAVE ME ONE OF THOSE “WORST PASSWORDS” AS MY INITIAL PASSWORD. (and yes, I changed it immediately)

    If the largest telco in Australia—even if you think of them as a small fish in a “big pond”, globally speaking—is using these passwords by default for new accounts, what’s the likelihood there’s more than a handful of their users out there still using them? And for those who take security a little more seriously… what hope is there for us?? o.O

  18. With the prevalence of keyloggers, passwords simply aren’t very secure anymore. In my professional life, I work for a company that provides a b2b service. We have recently had to deal with a number of customers whose credentials were stolen after phished users unknowingly installed keyloggers on their work machines. Passwords are only as secure as your most credulous user.

    It’s all fine and good for us to do our best not to be that most credulous user, but when designing systems in the first place, it’s important to realize that those credulous users are out there. We can try to educate as much as possible, but that’s never going to be good enough to prevent someone from clicking a link to see some “wedding pictures” a supposed lost friend is sending them.

    With that in mind, passwords aren’t the last word in security. If we want to be secure, we have to use multiple strategies to verify users rather than depending on a single, easily-compromised strategy.

    1. I would really prefer a retinal scan or fingerprint scan… Something that doesn’t require me to remember so many multi-character alphanumeric passwords. Please tell me that retinal or fingerprint scans are coming soon!

    1. Biometrics keeps getting cheaper, and it’s hard to fake a fingerprint or a retina. Of course then instead of password thefts we have mutilations.

  19. I have come to one of three conclusions:
    1) People with the names: ashley, bailey, and michael are stupid. Avoid at all costs.
    2) The method to which hackers acquire passwords may only break the stupid ones.
    3) Hackers probably share information, causing duplication, making statistical analysis stupid.

  20. To create a password similar to this password:  meoadeoalleiakwei2wy

    1.  Take a phrase from *any* song, the more obscure the song, the better. Use the first letter of *each* word in that phrase.
    2. Any word in the phrase that sounds like 2, 4, 8 or 10 (to/two/too, four/fore, ate, tin) use the number(s) in place of the first letter.

    Mares Eat Oats And Does Eat Oats And Little Lambs Eat Ivy, A Kid Will Eat Ivy to (2) Wouldn’t You?
    (From: Mairzy doats by Kay Kyser) [Mairzy doats and dozy doats and liddle lamzy divey
    A kiddley divey too, wooden chew?]
    I did this with an original song my dad wrote that only my family knows. It’s pretty secure. I can type it as quickly as my own name: 22 letters and numbers. You will NEVER forget it. Impossible! Just don’t  go around your friend or strangers singing the song. LOL!

  21. Using one basic password with some extra characters that represent the site works fine until some dildo site restricts me to 8 or 10 characters or forces me to use a capital letter and/or a symbol. Three random words strung together is more secure than p4ssworD! but security people for these sites don’t seem to realize this.
