"Worst passwords" of 2011

Cory Doctorow at 10:33 am Mon, Nov 21, 2011

SplashData, a company that makes password management tools, has released a roundup of 2011's "25 worst passwords," gleaned from password-dumps posted by "hackers" (presumably, sources like the Lulzsec Sony password files). I can't locate the actual study and its methodology (are these passwords "worst" because they're the most common, or because they contain the least entropy? Is the sample set representative?) but the list is still informative, and, of course, it can give a warm glow of superiority to those of us with stronger passwords.

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football

Passwords have been a recurring theme this year, and it's becoming increasingly clear (to me, at least) that passwords may be reaching their end-of-life on the Internet.

25 Worst Passwords of 2011 [STUDY]
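The post asks whether "worst" means most common or least entropy. The block below is an added example, not part of the post or of SplashData's study: it ranks a constructed toy dump both ways (the entropy figure is a simple alphabet-size model) and lists where the two rankings disagree.

```python
import math
from collections import Counter

# Constructed toy "dump" (not SplashData's data): repeated entries stand in
# for the many users who share a password in a real leak.
SAMPLE_DUMP = (
    ["password"] * 9 + ["123456"] * 7 + ["monkey"] * 5 + ["trustno1"] * 4
    + ["qazwsx"] * 3 + ["T4lR0tMf"] + ["thestrangelonelinessofscarecrows"]
)


def charset_bits(pw: str) -> float:
    """Crude strength estimate: log2(alphabet_size ** length).

    This models the brute-force search space a password sits in; it says
    nothing about how often people actually pick the string.
    """
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation
    return len(pw) * math.log2(size) if size else 0.0


def rank_by_frequency(dump, n=5):
    """'Worst' as in most common: the top-n strings by occurrence."""
    return [pw for pw, _ in Counter(dump).most_common(n)]


def rank_by_entropy(dump, n=5):
    """'Worst' as in weakest: the n distinct strings with the smallest
    estimated search space (ties broken alphabetically)."""
    return sorted(set(dump), key=lambda p: (charset_bits(p), p))[:n]


def rank_disagreement(dump, n=5):
    """Strings that make one top-n list but not the other, which is
    exactly the ambiguity in the word 'worst'."""
    by_freq = set(rank_by_frequency(dump, n))
    by_ent = set(rank_by_entropy(dump, n))
    return sorted(by_freq ^ by_ent)


if __name__ == "__main__":
    print("most common  :", rank_by_frequency(SAMPLE_DUMP, 3))
    print("least entropy:", rank_by_entropy(SAMPLE_DUMP, 3))
    print("disagree     :", rank_disagreement(SAMPLE_DUMP, 3))
```

"password" tops the frequency ranking but is not among the three weakest by search space, while "trustno1" scores above it on entropy despite being a top-ten leak entry.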

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE:  passwords • security • web theory


  • nosehat

    Maybe they were chosen as “worst” on aesthetic grounds.

    “password” and “letmein” are both pretty bad groaners.

  • Lobster

    I hope they figure out something better.  I’m sick of corporations losing my passwords.

  • Zero Sonico

    So these are the first 25 passwords we have to try when trying to get into someone’s account?

    • http://twitter.com/LennStar_de LennStar

      Yes, 1. is the most used password and so on.

      I like that 13. iloveyou
      14. master ^^

  • Glippiglop

    The funniest entry here has to be qazwsx.  I bet the people entering it must marvel at the simplicity of their super cryptic password.

    I can’t quite figure out the popularity of monkey and dragon though…

    • novium

      That, or it’s very easy to do. A lot of people at my office use variations of that. IT has it set up that we have to change our passwords every 4 weeks to something that hasn’t been used in the last six password changes.

      So you get a cycle of stuff like, oh, qazwsx followed by qazwsx123 followed by 123qazwsx so on and so forth.

      We’re just a small girl scout council. Especially in my department, we don’t have much that’s confidential or valuable or useful for non-Girl Scout purposes. Stupid passwords are more a result of security not really being a priority compared to just being able to get on to the computer in the morning with a minimum of fuss for those who haven’t yet had their coffee.

    • Ryan Black

      It may derive from the Chinese zodiac and refer to the user’s birth year. Although I’m not sure why the years of the monkey and dragon would be represented more than the others…

  • http://twitter.com/Glenn_sccc Glenn Curry

    And so many complain of password complexity in this day. 

  • http://www.theblacklaser.net/ Joe The Wizard

    I feel relieved that none of my passwords are on there.

  • http://twitter.com/CrnDffy Ciaran Duffy

    This is a tricky idea to put into words, but I wonder what the stupidest password in relation to the power of the information it protects is. I mean, is there someone quite high up in the FBI or CIA whose password is “football”?
    I hope so.

  • pthree

    “9. trustno1”

    The fact that an X-files reference is in the top ten either makes me very happy or very sad.

    • http://twitter.com/aesthette my name is aesthette

      So, so happy. trustno1 was my password for like ten years. Until I got hacked all over the place.

  • http://mordicai.livejournal.com Mordicai

    I would be happy if I could just use emo-band sounding semi-sentences as my password.  “pa55w0rd” is not as good as “thestrangelonelinessofscarecrows” or whatever.

    • http://brykmantra.com checkersspeech

      So why can’t you? 

      • mccrum

        Because more and more places are following these rules:
        https://supplier.intel.com/Auth/PasswordRules.asp
        Requiring at least one capital letter and one number. Hence, more bad passwords becoming “Password1” or “P455w0rd”
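A registration-time checker that undoes the cosmetic tricks those rules push people toward ("Password1", "P455w0rd") before comparing against the list above, as an added example that is not from the thread or from the linked Intel rules; the substitution map and the strip set are assumptions.

```python
# The 25 entries from the post, as the blocklist.
WORST_2011 = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
}

# Common digit/symbol-for-letter swaps, mapped back to the letter (assumed set).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
# Characters typically bolted on at either end to satisfy a complexity rule.
DECORATION = "0123456789!@#$%^&*()_-+=.,?"


def candidate_forms(pw):
    """Every reduced form the checker tests, e.g. 'Password1' ->
    {'password1', 'passwordi', 'password'}; 'P455w0rd' reduces to 'password'."""
    lower = pw.lower()
    core = lower.strip(DECORATION)  # drop a trailing '1', '!!', ...
    return {lower, lower.translate(LEET), core, core.translate(LEET)}


def is_two_list_words(s):
    """Catches two list entries glued together, e.g. 'monkeysuperman'."""
    return any(s[:i] in WORST_2011 and s[i:] in WORST_2011
               for i in range(1, len(s)))


def is_blocked(pw):
    """True if any reduced form is on the list or is two list words joined."""
    return any(f in WORST_2011 or is_two_list_words(f)
               for f in candidate_forms(pw))


if __name__ == "__main__":
    for sample in ["Password1", "P455w0rd", "monkeysuperman",
                   "thestrangelonelinessofscarecrows"]:
        print(f"{sample:35} blocked={is_blocked(sample)}")
```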

      • http://mordicai.livejournal.com Mordicai

        Because most password systems these days yell at you to have a number &/or a symbol in it, along with multiple cap/lowercase tense.

    • http://twitter.com/san_fran_sam Samuel Morse

      Actually, Mord, “thestrangeloneliness….” is not such a bad PW. It’s easy for you to remember, but so long that no random testing of it will likely succeed.

      • http://mordicai.livejournal.com Mordicai

        …well right, that is my point. Having a program that yells at you to add a number or capital letter or symbol messes that up.

  • daveistrad

    I don’t care what this list says; I’ll never stop using “monkey”.

  • http://illustratorhints.com/ Jesseham

    Any Ashleys or Michaels out there want to explain themselves?

    • mccrum

      Superman has a lot to explain as well, what a dumbass.

  • CountZero

    I’ve just been given access to the admin system at work, and passwords have to be alphanumeric with caps, and they change every couple of months. Groan
    It’s bad enough with all the bloody passwords I have to try to remember, now I have another that keeps changing. Thing is, it’s in a completely secure environment that no ‘civilians’ have access to, and is completely firewalled.
    Oh well…

  • http://pulse.yahoo.com/_MLAKC2J76NFB64XLSLUKEHF4J4 Daniel

    So obviously, there’s this xkcd that’s relevant.  The problems:
    -remembering the order of a four-word arbitrary phrase is nearly impossible (for me at least, I know it’s technically only 2 bits but apparently my brain is not a Turing machine)
    -many systems cap max length of passwords (which is stupid if it’s anything less than, say, a 32 character limit)
    -many systems require special chars, numbers, etc. anyway

    New strategy: use cryptic two-word phrases with repeating characters (try googling your phrase; if it’s the title of any article on wikipedia get a new phrase).  Only use character substitutions on repeating characters and, this is the real kicker, use both the original character AND the substitutions.  This guarantees that cracker substitution algorithms have to loop through each character trying each possible combination of originals and substitutions rendering the substitution strategy nearly useless.  A substitution algorithm that just naively subs out all of one type of character would never get your password.

    • Zenblend

      A sentence isn’t a very good idea either because there are plenty of dictionary-based cracking tools. The best password would be 20 odd characters of random digits, characters and symbols that don’t stand for anything or have any personal meaning. It’s just a matter of memorization.

      • http://pulse.yahoo.com/_MLAKC2J76NFB64XLSLUKEHF4J4 Daniel

        Yes, exactly.  That’s why I advocate cryptic two-word phrases that are meaningless to everyone but you and character substitution schemes designed to frustrate character substitution algorithms.

        • mccrum

          monkeysuperman is actually not a bad password now that I think about it…

    • Mark Langford

      I was going to link to that comic…

  • yragentman

    many of these web login/passwords seem really pointless but so it goes.

    I started using a simple formula for fairly good security passwords that are unique to the service and easy to remember:

    Take the name of the service you are logging into  e.g. boingboing
    use the first and last n characters – typically 3
    insert a secret character sequence in the middle e.g. Yr666#, that is used for all passwords
    get boiYr666#ing

    or herYr666#tz
    or daiYr666#kos

    etc. etc.

    • http://profiles.google.com/greeneggsandsamuel Sam Archer

      I’ve been using a very similar strategy for the last few years and it works really well.  Each site ends up with a specific password (so if one is compromised, I don’t lose everything), but they’re all easy to remember.

    • kristen55

      I switched to that style when Gawker handed out everyone’s passwords last year. At least now when there’s a breach everything isn’t impacted.

      • mccrum

        Except that it is.  If your supersecret boingboing password is boi$5497ng and your yahoo password is yah$5497oo, I think I’ll be able to guess what your hotmail one is and just run it out over amazon and paypal as well.

      • oasisob1

        Actually, the breach DOES impact everything. The alert reader who gets your password for BB, say, ‘boiKR55ing’, then knows that banKR55ica is your BofA password.

  • Warren_Terra

    I notice that “password” and “passw0rd” made the list. Thank heavens “p4ssword” and “pa55word” are still secure!

    Oh, and obligatory Youtube link to Spaceballs clip.

  • kristen55

    Of course, very few people have to worry about anyone taking the time and effort to ‘break’ a password. Most damage is done by passwords stolen en masse. In that case it doesn’t matter how good your password was, all that matters is that it’s not your one and only password to unlock everything you do on the web.

    • http://pulse.yahoo.com/_MLAKC2J76NFB64XLSLUKEHF4J4 Daniel

      Of course, very few people have to worry about anyone taking the time and effort to ‘break’ a password. Most damage is done by passwords stolen en masse.

      Even when a whole database is lifted it helps if the users have bothered to use secure passwords (providing the database has been appropriately encrypted).  Passwords like “password” are bad exactly because they’re common allowing the use of rainbow tables to crack encrypted password databases. 

      In other words, using crappy passwords ruins security for everyone so don’t do it.

      Edit: hack -> crack. Let’s take it back.
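The comment's point that common passwords are what make a lifted database cheap to recover, shown from the storage side as an added example (not code from the thread): an unsalted hash falls to a precomputed table of the list's top ten instantly, while a per-user salt plus a slow KDF leaves nothing to precompute. A plain lookup table stands in for the rainbow table mentioned above; the iteration count is an assumption.

```python
import hashlib
import hmac
import os

# The ten most common entries from the list in the post: the strings an
# attacker would bother precomputing.
TOP_TEN = ["password", "123456", "12345678", "qwerty", "abc123",
           "monkey", "1234567", "letmein", "trustno1", "dragon"]
ITERATIONS = 100_000  # assumed PBKDF2 work factor for the example


def unsalted_sha256(pw: str) -> str:
    """What a plain-hashed database stores when no salt is used: identical
    input gives identical output in every database on the planet."""
    return hashlib.sha256(pw.encode()).hexdigest()


def build_lookup(candidates):
    """Precomputed hash -> password table. Only pays off for strings common
    enough to be worth computing in advance, which is why 'password' hurts."""
    return {unsalted_sha256(p): p for p in candidates}


def recover(stored_hash: str, table):
    """Instant if the password was common; None otherwise."""
    return table.get(stored_hash)


def store_salted(pw: str):
    """Per-user random salt plus a slow KDF: the same password yields a
    different record for every user, so no table can be built in advance."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(pw: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup(TOP_TEN)
    print(recover(unsalted_sha256("trustno1"), table))        # trustno1
    print(recover(unsalted_sha256("monkeysuperman"), table))  # None
    s1, d1 = store_salted("password")
    s2, d2 = store_salted("password")
    print(d1 != d2, verify_salted("password", s1, d1))        # True True
```

Even with the salted store, a user who picks "password" is still cheap to guess one record at a time; the salt and work factor only remove the bulk precomputation.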

  • Shibi_SF

    I’ve recently been changing all of my passwords to 8+ digit/letter combos because of Gmail’s requirement for an 8 character password and I simply cannot keep all of my passwords in my head. What really gets me are all of the requirements: one capital, one number, one symbol, no three characters repeating in a row…. my passwords end up looking like I fell asleep on the keyboard. How can I remember my somnambulant password entry???

    • Shibi_SF

      ZOMG, I’m having password issue right now.  I was complaining about Gmail but I really meant Apple (as in Apple ID).   Great. I think I may have to go write my Apple ID on the back of my iPhone for future reference, as I can’t seem to remember the password from one use to the next. 

      Letmein was also a very good horror flick, in case you need more of a reason to use that password. 

      • bklynchris

        The original was fantastic!!!!!!  

  • johnnyaction

    One password that doesn’t make it in the top ten lists because of its inherent uniqueness is the username.

    I’ve lost count of how many email address passwords I’ve seen that were the username.

  • http://twitter.com/patrick_larson PatrickLarson.com

    Funny. I thought Letmein was some sort of German film reference. I googled it, then was floored that I was so dumb.

  • cservant

    Thank goodness letmeinyouidiot is still safe!

  • Jorpho

    What, no 789456123?

    Oops.

    • http://twitter.com/CrnDffy Ciaran Duffy

      Why would that be there? Who could possibly memorise such a long and totally random string of numbers?

  • Warren_Terra

    I don’t know gmail’s rules, but they accept passwords with more than eight characters. Maybe it’s an eight character minimum?

    I don’t know if it’s accurate regarding security of long simple passwords versus short complicated passwords, but the xkcd comic linked above offers useful advice for generating a memorable long password.

    Edit: was intended as response to Shibi_SF, but apparently typed in wrong box. And now Shibi_SF says they didn’t mean gmail anyway.

  • etmthree

    “joshua?”

  • hymenopterid

    This reminds me of that part in “Surely You’re Joking, Mr. Feynman” when he guesses Niels Bohr’s safe combination.

    For some reason Feynman felt that Bohr would use a date for the combination so he just ran every date in the range of the last 30 years or so and got the combination pretty quickly.

    The moral of the story is *don’t use dates*, because there are less of them than you might think.

  • http://boingboing.net/ The Life Of Bryan

    Song lyrics and such are your friend. They can be used in one of two ways: “takealittlerideonthemixersface” if you need sheer length (great for 802.11 passphrases) or if you want mixed-case alphanumeric, “T4lR0tMf”. I suggest appending something site-specific to avoid password reuse, and there are a few different strategies for that. One is that you could have “T4lRotMfhf” for your BoingBoing password and “T4lRotMfnq” for your HotMail password (“bb” and “hm” incremented by 6 and 4 characters).

    And as mentioned above, if both passwords are shown in the clear someone could figure out that pattern and thus deduce any of your other passwords that are based on the same scheme, but that’s a pretty rare and drastic scenario to be defending against, and therefore probably not worth the effort for most things. And even so, adding a single special character to denote high value passwords would protect against that while still not hampering memorability.

    • http://pulse.yahoo.com/_MLAKC2J76NFB64XLSLUKEHF4J4 Daniel

      I used to do that too, but now I try to discourage the use of song titles, lyrics, and musical acts.  Again, if your password is the title of an article on wikipedia, it is not a good password.

      • http://boingboing.net/ The Life Of Bryan

        I don’t use actual titles, just chunks of lyrics. And for that very reason. But that’s a pretty good rule of thumb.

  • Donald Petersen

    Wow… in what culture is “bailey” such an all-fired popular word?  I’d expect to find “swordfish” much, much higher up than that.

  • http://www.facebook.com/profile.php?id=1208613906 Curtis Hart

    That’s amazing!  That’s the same combination as my luggage!

  • rabidpotatochip

    You want a password that’s easy to remember but hard to guess? Simple. Take a word you like, like “password”, and pad it with a bunch of one character at a location of your choosing. For example, “password0000000000”. There, a long password that’s easy to remember but absolute hell to brute force.

    • Shibi_SF

      But some accounts like apple(?) restrict the use of repeating characters. They say: no three repeats in a row. ;(. Otherwise, I do like your idea and I would do that in a h34rtb34t!

      • mccrum

        I imagine the next best thing would be “pppaaassworrrddd”

  • frank255

    Surely 1234567 is worse than 12345678!?

  • Guest

    I know someone who uses Superman (#22) as his iTunes password. He is actually quite a putz. 

  • http://twitter.com/XanderPlooy ʎoolԀ ɹəpuɐχ ツ 

    Switched telcos recently for a new landline/broadband bundle. Biggest telco in Australia. They created a new account for me… AND GAVE ME ONE OF THOSE “WORST PASSWORDS” AS MY INITIAL PASSWORD. (and yes, I changed it immediately)

    If the largest telco in Australia—even if you think of them as a small fish in a “big pond”, globally speaking—is using these passwords by default for new accounts, what’s the likelihood there’s more than a handful of their users out there still using them? And for those who take security a little more seriously… what hope is there for us?? o.O

  • http://shelftalk.net/ Scott Sanders

    Bosco should be on the list.  As in, George Costanza’s PIN and delicious chocolate syrup.  Full disclosure: I’m not only a Bosco lover but also an owner.

  • tyrsalvia

    With the prevalence of keyloggers, passwords simply aren’t very secure anymore. In my professional life, I work for a company that provides a b2b service. We have recently had to deal with a number of customers whose credentials were stolen after phished users unknowingly installed keyloggers on their work machines. Passwords are only as secure as your most credulous user.

    It’s all fine and good for us to do our best not to be that most credulous user, but when designing systems in the first place, it’s important to realize that those credulous users are out there. We can try to educate as much as possible, but that’s never going to be good enough to prevent someone from clicking a link to see some “wedding pictures” a supposed lost friend is sending them.

    With that in mind, passwords aren’t the last word in security. If we want to be secure, we have to use multiple strategies to verify users rather than depending on a single, easily-compromised strategy.

    • Shibi_SF

      I would really prefer a retinal scan or fingerprint scan… Something that doesn’t require me to remember so many multi-character alphanumeric passwords. Please tell me that retinal or fingerprint scans are coming soon!

  • http://twitter.com/spaceyslater spacey slater

    What’s going to replace passwords?

    • Lobster

      Biometrics keeps getting cheaper, and it’s hard to fake a fingerprint or a retina. Of course then instead of password thefts we have mutilations.

      • mccrum

        Sure, but at least then you’d know pretty quickly you’d been hacked.

        • Shibi_SF

          I see what you said there.

  • Chris Lesage

    I suppose “batteryhorsestaple” should be added to this list now that xkcd ruined it.

  • Ryan Lenethen

    I have come to one of three conclusions:
    1) People with the names: ashley, bailey, and michael are stupid. Avoid at all costs.
    2) The method to which hackers acquire passwords may only break the stupid ones.
    3) Hackers probably share information, causing duplication, making statistical analysis stupid.

  • http://www.facebook.com/people/Ray-Harwick/100000186465870 Ray Harwick

    To create a password similar to this password:  meoadeoalleiakwei2wy

    1. Take a phrase from *any* song, the more obscure the song, the better. Use the first letter of *each* word in that phrase.
    2. Any word in the phrase that sounds like 2, 4, 8 or 10 (to/two/too, four/fore, ate, tin) use the number(s) in place of the first letter.

    Mares Eat Oats And Does Eat Oats And Little Lambs Eat Ivy, A Kid Will Eat Ivy to (2) Wouldn’t You?
    (From: Mairzy doats by Kay Kyser) [Mairzy doats and dozy doats and liddle lamzy divey
    A kiddley divey too, wooden chew?]
    I did this with an original song my dad wrote that only my family knows. It’s pretty secure. I can type it as quickly as my own name: 22 letters and numbers. You will NEVER forget it. Impossible! Just don’t go around your friends or strangers singing the song. LOL!

  • http://twitter.com/ednagarrett Edna Garrett

    Using one basic password with some extra characters that represent the site works fine until some dildo site restricts me to 8 or 10 characters or forces me to use a capital letter and/or a symbol. Three random words strung together is more secure than p4ssworD! but security people for these sites don’t seem to realize this.