"Worst passwords" of 2011


68 Responses to “"Worst passwords" of 2011”

  1. nosehat says:

    Maybe they were chosen as “worst” on aesthetic grounds.

    “password” and “letmein” are both pretty bad groaners.

  2. Lobster says:

    I hope they figure out something better.  I’m sick of corporations losing my passwords.

  3. Zero Sonico says:

    So this are the first 25 passwords we have to try when trying to get into someones account?

  4. Glippiglop says:

    The funniest entry here has to be qazwsx.  I bet the people entering it must marvel at the simplicity of their super cryptic password.

    I can’t quite figure out the popularity of monkey and dragon though…

    • novium says:

      That, or it’s very easy to do. A lot of people at my office use variations of that- IT has it set up that we have to change our passwords every 4 weeks to something that hasn’t been used in the last six password changes.

      So you get a cycle of stuff like, oh, qazwsx followed by qazwsx123 followed by 123qazwsx so on and so forth.

      We’re just a small girl scout council. Especially in my department, we don’t have much that’s confidential or valuable or useful for non-Girl Scout purposes. Stupid passwords are more a result of security not really being a priority compared to just being able to get on to the computer in the morning with a minimum of fuss for those who haven’t yet had their coffee.

    • Ryan Black says:

      It may derive from the Chinese zodiac and refer to the user’s birth year. Although I’m not sure why the years of the monkey and dragon would be represented more than the others…

  5. Glenn Curry says:

    And so many complain of password complexity in this day. 

  6. I feel relieved that none of my passwords are on there.

  7. CiaranD uffy says:

    This is a tricky idea to put into words, but I wonder what the stupidest password in relation to the power of the information it protects is. I mean, is there someone quite high up in the FBI or CIA whose password is “football”?
    I hope so.

  8. pthree says:

    “9. trustno1″

    The fact that an X-files reference is in the top ten either makes me very happy or very sad.

  9. Mordicai says:

    I would be happy if I could just use emo-band sounding semi-sentences as my password.  “pa55w0rd” is not as good as “thestrangelonelinessofscarecrows” or whatever.

  10. daveistrad says:

    I don’t care what this list says; I’ll never stop using “monkey”.

  11. Jesseham says:

    Any Ashelys or Michaels out there want to explain themselves?

  12. CountZero says:

    I’ve just been given access to the admin system at work, and passwords have to be alphanumeric with caps, and they change every couple of months. Groan
    It’s bad enough with all the bloody passwords I have to try to remember, now I have another that keeps changing. Thing is, it’s in a completely secure environment that no ‘civilians’ have access to, and is completely firewalled.
    Oh well…

  13. Daniel says:

    So obviously, there’s this xkcd that’s relevant.  The problems:
    -remembering the order of a four-word arbitrary phrase is nearly impossible (for me at least, I know it’s technically only 2 bits but apparently my brain is not a Turing machine)
    -many systems cap max length of passwords (which is stupid if it’s anything less than, say, 32 character limit)
    -many systems require special chars, numbers, etc. anyway

    New strategy: use cryptic two-word phrases with repeating characters (try googling your phrase; if it’s the title of any article on wikipedia get a new phrase).  Only use character substitutions on repeating characters and, this is the real kicker, use both the original character AND the substitutions.  This guarantees that cracker substitution algorithms have to loop through each character trying each possible combination of originals and substitutions rendering the substitution strategy nearly useless.  A substitution algorithm that just naively subs out all of one type of character would never get your password.

    • Zenblend says:

      A sentence isn’t a very good idea either because there are plenty of dictionary-based cracking tools. The best password would be 20 odd characters of random digits, characters and symbols that don’t stand for anything or have any personal meaning. It’s just a matter of memorization.

    • Mark Langford says:

      I was going to link to that comic…

  14. yragentman says:

    many of these web login/passwords seem really pointless but so it goes.

    I started using a simple formula for fairly good security passwords that are unique to the service and easy to remember:

    Take the name of the service you are logging into  e.g. boingboing
    use the first and last n characters – typically 3
    insert a secret character sequence in the middle e.g. Yr666#, that is used for all passwords
    get boiYr666#ing

    or herYr666#tz
    or daiYr666#kos

    etc. etc.

    • Sam Archer says:

      I’ve been using a very similar strategy for the last few years and it works really well.  Each site ends up with a specific password (so if one is compromised, I don’t lose everything), but they’re all easy to remember.

    • kristen55 says:

      I switched to that style when Gawker handed out everyone’s passwords last year. At least now when there’s a breach everything isn’t impacted.

      • mccrum says:

        Except that it is.  If your supersecret boingboing password is boi$5497ng and your yahoo password is yah$5497oo, I think I’ll be able to guess what your hotmail one is and just run it out over amazon and paypal as well.

      • oasisob1 says:

        Actually, the breach DOES impact everything. The alert reader who gets your password for BB, say, ‘boiKR55ing’, then knows that banKR55ica is your BofA password.

  15. Warren_Terra says:

    I notice that “password” and “passw0rd” made the list. Thank heavens “p4ssword” and “pa55word” are still secure!

    Oh, and obligatory Youtube link to Spaceballs clip.

  16. kristen55 says:

    Of course, very few people have to worry about anyone taking the time and effort to ‘break’ a password. Most damage is done by passwords stolen en mass. In that case it doesn’t matter how good your password was, all that matters is that it’s not your one and only password to unlock everything you do on the web.

    • Daniel says:

      Of course, very few people have to worry about anyone taking the time and effort to ‘break’ a password. Most damage is done by passwords stolen en mass.

      Even when a whole database is lifted it helps if the users have bothered to use secure passwords (providing the database has been appropriately encrypted).  Passwords like “password” are bad exactly because they’re common allowing the use of rainbow tables to crack encrypted password databases. 

      In other words, using crappy passwords ruins security for everyone so don’t do it.

      Edit: hack -> crack. Let’s take it back.

  17. Shibi_SF says:

    I’ve recently been changing all of my passwords to 8+ digit/letter combos because of Gmail’s requirement for an 8 character password and I simply cannot keep all of my passwords in my head.  What really gets me are all of the requirements:  one capital one number one symbol no three characters repeating in a row….  my passwords end up looking like I fell asleep on the keyboard.  How can I remember my somnabulant password entry???

    • Shibi_SF says:

      ZOMG, I’m having password issue right now.  I was complaining about Gmail but I really meant Apple (as in Apple ID).   Great. I think I may have to go write my Apple ID on the back of my iPhone for future reference, as I can’t seem to remember the password from one use to the next. 

      Letmein was also a very good horror flick, in case you need more of a reason to use that password. 

  18. johnnyaction says:

    One password that doesn’t make it in the top ten lists because of it’s inherent uniqueness is the username.

    I’ve lost count how many email addresses passwords I’ve seen that were the username.

  19. Funny. I thought Letmein was some sort of German film reference. I googled it, then was floored that I was so dumb.

  20. cservant says:

    Thank goodness letmeinyouidiot is still safe!

  21. Jorpho says:

    What, no 789456123?


  22. Warren_Terra says:

    I don’t know gmail’s rules, but they accept passwords with more than eight characters. Maybe it’s an eight character minimum?

    I don’t know if its accurate regarding security of long simple passwords versus short complicated passwords, but the xkcd comic linked above offers useful advice for generating a memorable long password.

    Edit: was intended as response to Shibi_SF, but apparently typed in wrong box. And now Shibi_SF says they didn’t mean gmail anyway.

  23. etmthree says:


  24. hymenopterid says:

    This reminds me of that part in, “Surley You’re Jokind Mr. Feinman” when he guesses Nihls Bors’ safe combination.

    For some reason Feinman felt that Bohr would use a date for the combination so he just ran every date in the range of the last 30 years or so and got the combination pretty quickly.

    The moral of the story is *don’t use dates*, because there are less of them than you might think.

  25. Song lyrics and such are your friend. They can be used in one of two ways: “takealittlerideonthemixersface” if you need sheer length (great for 802.11 passphrases) or if you want mixed-case alphanumeric, “T4lR0tMf”. I suggest appending something site-specific to avoid password reuse, and there are a few different strategies for that. One is that you could have “T4lRotMfhf” for your BoingBoing password and “ T4lRotMfnq” for your HotMail password (“bb” and “hm” incremented by 6 and 4 characters).

    And as mentioned above, if both passwords are shown in the clear someone could figure out that pattern and thus deduce any of your other passwords that are based on the same scheme, but that’s a pretty rare and drastic scenario to be defending against, and therefore probably not worth the effort for most things. And even so, adding a single special character to denote high value passwords would protect against that while still not hampering memorability.

  26. Donald Petersen says:

    Wow… in what culture is “bailey” such an all-fired popular word?  I’d expect to find “swordfish” much, much higher up than that.

  27. Curtis Hart says:

    That’s amazing!  That’s the same combination as my luggage!

  28. rabidpotatochip says:

    You want a password that’s easy to remember but hard to guess?  Simple.  Take a word you like, like “password”, and pad it with a bunch of one character at a location of your choosing.  For example, “password0000000000″.  There, a long password that’s easy to remember but absolute hell to brute force.

    • Shibi_SF says:

      But some accounts like apple(?) restrict the use of repeating characters. They say: no three repeats in a row. ;(. Otherwise, I do like your idea and I would do that in a h34rtb34t!

  29. frank255 says:

    Surely 1234567 is worse than 12345678!?

  30. Guest says:

    I know someone who uses Superman (#22) as his iTunes password. He is actually quite a putz. 

  31. Switched telcos recently for a new landline/broadband bundle. Biggest telco in Australia. They created a new account for me… AND GAVE ME ONE OF THOSE “WORST PASSWORDS” AS MY INITIAL PASSWORD. (and yes, I changed it immediately)

    If the largest telco in Australia—even if you think of them as a small fish in a “big pond”, globally speaking—is using these passwords by default for new accounts, what’s the likelihood there’s more than a handful of their users out there still using them? And for those who take security a little more seriously… what hope is there for us?? o.O

  32. Bosco should be on the list.  As in, George Costanza’s PIN and delicious chocolate syrup.  Full disclosure: I’m not only a Bosco lover but also an owner.

  33. tyrsalvia says:

    With the prevalence of keyloggers, passwords simply aren’t very secure anymore. In my professional life, I work for a company that provides a b2b service. We have recently had to deal with a number of customers whose credentials were stolen after phished users unknowingly installed keyloggers on their work machines. Passwords are only as secure as your most credulous user.

    It’s all fine and good for us to do our best not to be that most credulous user, but when designing systems in the first place, it’s important to realize that those credulous users are out there. We can try to educate as much as possible, but that’s never going to be good enough to prevent someone from clicking a link to see some “wedding pictures” a supposed lost friend is sending them.

    With that in mind, passwords aren’t the last word in security. If we want to be secure, we have to use multiple strategies to verify users rather than depending on a single, easily-compromised strategy.

    • Shibi_SF says:

      I would really prefer a retinal scan or fingerprint scan… Something that doesn’t require me to remember so many multi-character alphanumeric passwords. Please tell me that retinal or fingerprint scans are coming soon!

  34. What’s going to replace passwords?

  35. Chris Lesage says:

    I suppose “batteryhorsestaple” should be added to this list now that xkcd ruined it.

  36. Ryan Lenethen says:

    I have come to one of three conclusions:
    1) People with the names: ashle, bailey, and  michael are stupid. Avoid at all costs.
    2) The method to which hackers acquire passwords may only break the stupid ones.
    3) Hackers probably share information, causing duplication, making statistical analysis stupid.

  37. Ray Harwick says:

    To create a password similar to this password:  meoadeoalleiakwei2wy

    1.  Take a phrase from *any* song, the more obscure the song, the better. Use the first letter of *each* word in that phrase.
    2. Any word in the phrase that sounds like 2, 4, 8 or 10 (to/two/too, four/fore, ate, tin) use the number(s) in place of the first letter.

    Mares Eat Oats And Does Eat Oats And Little Lambs Eat Ivy, A Kid Will Eat Ivy to (2) Wouldn’t You?
    (From: Mairzy doats by Kay Kyser) [Mairzy doats and dozy doats and liddle lamzy divey
    A kiddley divey too, wooden chew?]
    I did this with an original song my dad wrote that only my family knows. It’s pretty secure. I can type it as quickly as my own name: 22 letters and numbers. You will NEVER forget it. Impossible! Just don’t  go around your friend or strangers singing the song. LOL!

  38. Edna Garrett says:

    Using one basic password with some extra characters the represent the site works fine until some dildo site restricts me to 8 or 10 characters or forces me to use a capital letter and/or a symbol. Three random words strung together is more secure than p4ssworD! but security people for these sites don’t seem to realize this.

Leave a Reply