The 25 worst passwords of 2011: ‘password,’ ‘123456′

By | November 18, 2011, 9:54 PM PST

In spite of a constant drumbeat of news about hacking and cracking computer accounts, users still are employing extremely common and obvious phrases as passwords.  A compilation of the most commonly used — and potentially most insecure — passwords seen over the past year was recently drawn up by Splashdata and reported in Mashable. Splashdata found that incredibly enough, the leading password in use today is the word “password.” Interestingly, number 4 on the list, the keyboard lineup of “qwerty,” is counterbalanced by item number 23, “qazwsx,” which is the first three rows of keys typed vertically.

[UPDATE: Trustwave just published a list of the most commonly used passwords within enterprises -- which put many corporate systems at risk.]

Splashdata’s 2011 list closely parallels that developed close to two years ago by Imperva, showing that these terms never go out of vogue.

Here is this year’s list:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football
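A list like this is only useful to a defender if it is actually checked at registration and password-change time. The following is an added example, not code from the post or from Splashdata: it screens a candidate password against the 25 entries above, and also against the trivial variants an attacker's wordlist rules try first (case changes, "0" for "o" style substitutions, and appended digits or symbols), so that "P@ssw0rd" and "monkey2011!" are rejected along with "password". The substitution table and the trailing-suffix rule are my assumptions for illustration, not part of the original list.

```python
import re

# Splashdata's 2011 list exactly as reproduced in the post above.
WORST_PASSWORDS_2011 = [
    "password", "123456", "12345678", "qwerty", "abc123", "monkey",
    "1234567", "letmein", "trustno1", "dragon", "baseball", "111111",
    "iloveyou", "master", "sunshine", "ashley", "bailey", "passw0rd",
    "shadow", "123123", "654321", "superman", "qazwsx", "michael",
    "football",
]

# Assumed, deliberately small table of digit/symbol-for-letter substitutions.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def _forms(pw: str) -> set:
    """All the shapes of a candidate we compare against the deny list:
    lower-cased as typed, with substitutions undone, and with any trailing
    run of digits/symbols dropped (so 'monkey2011!' collapses to 'monkey')."""
    raw = pw.strip().lower()
    stripped = re.sub(r"[\d\W_]+$", "", raw)
    forms = {raw, raw.translate(LEET_MAP), stripped, stripped.translate(LEET_MAP)}
    forms.discard("")
    return forms


# The deny set holds each entry plus its "de-leeted" spelling, so 'passw0rd'
# and 'password' are both present and 'trustno1' matches even after mapping.
DENY = set(WORST_PASSWORDS_2011) | {w.translate(LEET_MAP) for w in WORST_PASSWORDS_2011}


def is_blocked(candidate: str) -> bool:
    """True if the candidate, or an obvious variant of it, is on the list."""
    return bool(_forms(candidate) & DENY)


def check_password(candidate: str) -> list:
    """Return a list of human-readable reasons to reject, empty if acceptable."""
    reasons = []
    if is_blocked(candidate):
        reasons.append("matches (a trivial variant of) a commonly used password")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ["Password", "P@ssw0rd", "monkey2011!", "correct horse battery staple"]:
        print(f"{pw!r:34} -> {'BLOCKED' if is_blocked(pw) else 'ok'}")
```

In production the same check belongs on a much larger list (tens of millions of leaked passwords, not 25), and it complements rather than replaces a minimum-length rule; the point here is that the check has to undo the same cheap transformations cracking tools apply, or the list buys almost nothing.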

SmartPlanet colleague Tuan C. Nguyen provides a surprisingly simple technique for deriving a strong password that makes it difficult for hacking programs to arrive at the right brute force combination — employing a symbol in combination with an upper-case and lower-case letter.

Not everyone thinks that strong passwords are the answer, however. In another study on passwords, a Microsoft researcher conducted a cost/benefit analysis of efforts to encourage stronger passwords, and questions whether the costs of strong password management outweigh the benefits.


Joe McKendrick

About Joe McKendrick

Joe McKendrick is a contributing editor for SmartPlanet.


Joe McKendrick is an independent analyst who tracks the impact of information technology on management and markets. He is the author of the SOA Manifesto and has written for Forbes, ZDNet and Database Trends & Applications. He holds a degree from Temple University. He is based in Pennsylvania.


Joe McKendrick is an independent consultant and editor. Joe has performed project work for the following companies in the IT marketspace: IBM, Systinet/HP, Teradata. He has performed project work for the following organizations in partnership with Unisphere Research (Unisphere Media): IBM, Oracle Corp., International Oracle Users Group, Oracle Applications Users Group, Professional Association for SQL Server, International DB2 Users Group, International Sybase Users Group.

He writes for SmartPlanet and is not an employee of CBS.

25 Comments
+3 Votes
Password Conumdrum
The problem with modern computing is the need for multiple passwords for different things. On one hand, a strong password that consists of upper and lower case and numbers and special characters can be difficult to remember. On the other hand the simple passwords are a compromise with security.

I can admit to using some lame passwords but I do that for the "Free" accounts that don't have any personal data and no information of value to most hackers. I am conscious of keeping passwords unique between financial accounts and business accounts. The problem with having so many passwords is that I keep them in a list so that I can keep current on my passwords.
Posted by sboverie
21st Nov 2011
+5 Votes
Password Policy
Unfortunately, System Administrators make the situation worse by requiring password changes every 30-90 days. This aggravates users into keeping their passwords in a text file or writing them down or using weak passwords... today it's Password1, tomorrow it will be Password2.

If you have trouble remembering multiple strong passwords, there are plenty of good password safes out there.
Posted by bb_apptix
22nd Nov 2011
+1 Vote
password safe
Where do you write the combination, so you don't forget it?
Posted by MorrisPatman
22nd Nov 2011
+1 Vote
Pw list
I noticed pw no 24 'michael' --- are there so many people named michael???
Posted by Mafig
22nd Nov 2011
+2 Votes
Re: Pw list
No, but I heard of a Michael Jackson that died this year! wink
Posted by daviddag
23rd Nov 2011
+1 Vote
michael popularity
Actually there ARE so many people named michael. That name has been in the top 10 or top 5 US baby name list for the past n decades. (n .GT. 6). Not sure about other countries. I pay people not to name their kid Michael. happy
Posted by mike.codding@...
Updated - 23rd Nov 2011
-5 Votes
Passwords must be enforced
90% of the world's spam is due to weak passwords from exploited email accounts.

If you are hired to do a job, then do it right and be an ADULT taking responsibility for your OWN actions. Meaning, for PCI compliance a company can be fined in the tens of thousands of dollars with desk with passwords stuck all over monitors.

When you took the job, did you tell them I cannot meet the Company requirements???

Good grief, the entire country wants to be coddled like a 2 year old.

If you cannot handle changing your password then QUIT by all means, there are THOUSANDS who would jump at the opportunity with unemployment at 10%-20%+ in the majority of the country.
Posted by open_source_user_01
Updated - 22nd Nov 2011
+3 Votes
Yes, but
How does having my work password on a sticky on my monitor contribute to spam?

Not that I do this, but I do wonder.

And yes, changing my password every 60 or 90 days is part of having my job. Doesn't mean I have to like it. What are we not allowed to complain about work now? I have to quit my job because I want to vent about it?
Posted by KerrieG
23rd Nov 2011
+3 Votes
Utterly unhelpful
Your attitude is part of the problem, not part of the solution.

Human beings, regardless of whether they're adults or not, are terrible at remembering complex changing patterns. It's part of the way that human brains work. If you want a human to remember a complex pattern (good password), the complex pattern must not change frequently. If you want to them to remember a pattern that changes frequently, it must not be complex. If you require them to remember a complex pattern that does change frequently, they're going to require some non-wetware storage to supplement their memory.

There are no other options, that's biology and neurochemistry at work, and railing that people "ought to be adults" does nothing to change it. If you want to improve security, stop acting like your hobby-horse has stilts, and work with the mental systems that real users have. Doing otherwise does nothing but demonstrate that you value the noise you make while proclaiming your moral superiority, over actually doing anything productive for the field.

From the trenches,
Will Ray
Posted by willray
23rd Nov 2011
+2 Votes
Who knew?
Hey, I didn't realize the password I use for all my foreign bank accounts was so common! I wonder if using "Smith" for my mother's maiden name was a bad idea too.
Posted by nielsnielsen
22nd Nov 2011
+2 Votes
I would have thought
a Nielsen would be smarter than that... wink
Posted by NickNielsen
22nd Nov 2011
+3 Votes
"Secret" Message in this List?
Letmein
Iloveyou
Ashley
Bailey
,
Michael

happy
Posted by clifbean
22nd Nov 2011
+3 Votes
Oh, it gets worse...
I work in a Christian Non-Profit...I cringe when I find out that someone's password is "Jesus", "Holy Spirit" or some derivation of scripture...even though I HAVE been known to use koine Greek words myself, or complex words like "Propitiation", which most folks wouldn't know how to spell. I think that it speaks to the point though...I know, or could figure out, what someone's favorite scripture, biblical person or concept might be through less than sneaky social engineering, so the importance of less than meaningful passwords becomes very important.
Posted by ReadWryt (error)
22nd Nov 2011
+2 Votes
Birthday
What about the birthday password, like 12251980 or 07041776. That's common too.
Posted by Suresh Mukhi
22nd Nov 2011
+1 Vote
similar problem
A few years ago the pick 4 lottery number was 5555 and thousands of people thought they had won a big payout, but they had to share it and each winner got a few dollars.
Posted by jimrhenow@...
22nd Nov 2011
+7 Votes
Worst but useful Password
One of the worst but useful passwords is "INCORRECT". It is useful because when you forget this password and type in a different one, the PC will tell you right away what your password is by popping out a message "YOUR PASSWORD IS INCORRECT." So you will instantly remember your password. happy
Posted by kmellon
22nd Nov 2011
+1 Vote
Comment of the day ...
goes to kmellon!

Thanks for the morning laugh.
Posted by threepets3
23rd Nov 2011
+1 Vote
Strong Passwords!
One client I worked for required passwords 8 to 9 characters including upper case, lower case, numbers and embedded special characters. Passwords could not contain words in the English dictionary and they were considering adding Spanish. Further, passwords automatically expired in 30 days and a password could not be repeated for at least 5 cycles.

Worse still, no position in a password could contain the same character as contained in any previous 5 passwords! Passwords had to be compatible with domains and mainframes.

The biggest single problem with complicated passwords is the very strong tendency to write them down somewhere. Sticky note on the monitor????
Posted by glennhansen2@...
22nd Nov 2011
0 Votes
Why did you do this to me???
Now I have to change all my passwords!
Posted by psidre
23rd Nov 2011
+4 Votes
worst password
The list is good, but omits a true winner:
admin
Posted by daniele@...
23rd Nov 2011
0 Votes
Unenforceable password rules??
How do sysadmins enforce a rule that prohibits replacing the strong password [strongpassword]1Q11 with [strongpassword]2Q11, and so on?
Posted by dmm99
23rd Nov 2011
+2 Votes
Simple...
They check for the number of chars that have changed from the old password to the new one!
Posted by jwcarlisle
23rd Nov 2011
+1 Vote
xkcd weighed in. Forget symbols!
http://xkcd.com/936/ correcthorsebatterystaple
with an explanation of entropy and how it affects password cracking and memorization.
Posted by genewitch
23rd Nov 2011
+2 Votes
Password
I use curse words.
Strong ones.
Posted by juu@...
23rd Nov 2011
-1 Votes
lulz
Tuan doesn't seem to really grasp the underlying metric of what he's talking about, even if he's correct in the one given example. In this case one could actually argue his "stronger" example's attack surface is smaller, but we won't go there. "Strength" is also variable by the attack method being used to derive the password; should they use a brute force method that tries a range and iterates all possibilities from first to last, it falls apart. The equation for stronger passwords is simple:

More entropy across the range of the password and the array of valid characters = stronger password.

That's the message he conveys tangentially, but not clearly. The best possible way to allow for strong passwords is to not make your valid password criteria public and randomly update passwords on a frequent schedule. see: RSA.
Posted by Ternarybit
24th Nov 2011
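Both genewitch's xkcd pointer and Ternarybit's "more entropy across the range of the password and the array of valid characters" are statements about the same quantity: the base-2 logarithm of how many equally likely passwords the chosen scheme can produce. The following is an added example, my code rather than anything from the thread or the comic, that puts numbers on it. It generalizes slightly beyond the comment: besides uniformly random strings and random word passphrases, it estimates the entropy of a human "pattern" password (dictionary word, optional capital, a digit, a symbol) by summing the log2 of each independent choice, which is why "Tr0ub4dor&3"-style passwords score far below their apparent character-class count. The word-list size of 2048 follows the comic's assumption; the 50,000-word dictionary and the guess rate are my assumptions.

```python
import math


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string whose every character is drawn uniformly from an
    alphabet of alphabet_size symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(dictionary_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly (with replacement) from a list."""
    return words * math.log2(dictionary_size)


def pattern_bits(choice_counts: list) -> float:
    """Entropy of a password built from independent choices, e.g.
    [50000 dictionary words, 2 capitalisation options, 10 digits, 32 symbols].
    This models what an attacker who knows the pattern has to search."""
    return sum(math.log2(n) for n in choice_counts)


def expected_guesses(bits: float) -> float:
    """On average an attacker finds the password halfway through the space."""
    return 2 ** (bits - 1)


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    return expected_guesses(bits) / guesses_per_second


if __name__ == "__main__":
    rate = 1_000_000_000  # assumed offline guess rate (guesses/second)
    schemes = {
        "8 random printable ASCII chars (95-symbol alphabet)": random_string_bits(95, 8),
        "4 random words from a 2048-word list": passphrase_bits(2048, 4),
        "word + capital + digit + symbol pattern": pattern_bits([50_000, 2, 10, 32]),
        "word + digit (Password1 style)": pattern_bits([50_000, 2, 10]),
    }
    for name, bits in schemes.items():
        print(f"{name:55} {bits:5.1f} bits, ~{crack_time_seconds(bits, rate):.2e} s at {rate:.0e}/s")
```

The practical reading of these numbers is the one Ternarybit gestures at: a policy that counts character classes rewards the 25-bit "Word1!" pattern, while a four-word random passphrase with no symbols at all has more than 40 bits and is easier to remember. What the calculation cannot capture is non-uniform choice; as soon as users pick the word themselves, the effective dictionary shrinks toward the list at the top of this page.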