Business Brains

Top 20 most common passwords of all time revealed: '123456,' 'princess,' 'qwerty'

Posting in Government

The worst, weakest and most common passwords ever have been revealed in a new study, drawing from an exposed list from a recent hacking incident. Is it time for businesses to consider the passphrase?

Imperva released a list of the 20 most commonly used (and therefore worst) passwords, culled from a hacking incident that took place in December 2009 at RockYou.com, a photo-sharing and slideshow site. Reportedly, 32 million usernames and passwords were breached. (RockYou.com issued a statement indicating that it temporarily shut down its platform after the incident, and now employs encryption technology.)

Imperva posted a summary of the passwords, along with advice on how to create stronger passwords.

[UPDATE: Trustwave just published a list of the most commonly used passwords within enterprises -- which put many corporate systems at risk.]

[UPDATE: And here are the most commonly used passwords in the year 2011 -- a list which closely resembles the all-time list below!]

The most common passwords are as follows. Is yours among them?

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123
  11. Nicole
  12. Daniel
  13. babygirl
  14. monkey
  15. Jessica
  16. Lovely
  17. michael
  18. Ashley
  19. 654321
  20. Qwerty

It's notable how many people apparently use their first names as passwords. Notice how also, in the case of no. 7, the password is simply the name of the site.

[UPDATE: In another study on passwords, a Microsoft researcher conducted a cost/benefit analysis of  efforts to encourage stronger passwords, and questions whether the costs of strong password management outweighs the benefits.]

For its part, Imperva observes that we have made precious little progress over the past two decades in improving passwords -- long considered the Achilles heel of data security:

"The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic, brute force password attacks...  Ironically, the problem has changed very little over the past twenty years. In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords. Just ten years ago, hacked Hotmail passwords showed little change. This means that the users, if allowed to, will choose very weak passwords even for sites that hold their most private data."

The greatest danger, Imperva points out, is that it wouldn't take long for a hacker to break into a percentage of accounts using the weak passwords with a brute force attack. It's simply a numbers game:

Citing NASA guidelines, Imperva recommends that all passwords be at least eight characters, and contain a mix of four different types of characters – upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;" If there is only one letter or special character, it should not be either the first or last character in the password.

Of course, context is important as well. For online banking, email accounts, Website administration access, and so forth, the stronger the password, the better. However, there are countless information sites -- online journals, analyst firm sites, and so on, that require password access, and fumbling with a unique strong password every time you want to read a white paper is just plain annoying.

Accordingly, Imperva advises users to "choose a strong password for sites you care for the privacy of the information you store."  If you're concerned about being able to remember the code, here's a little memory-jogging trick: "Take a sentence and turn it into a password. Something like 'This little piggy went to market' might become 'tlpWENT2m.'"

Imperva recommends that administrators enforce strong password policy, especially if sensitive data is on the line. Another word of advice: "Make sure passwords are not transmitted in clear text. Always use HTTPS on login." Also password files should be encrypted before being stored in a database.

Also worth consideration: requiring passphrases instead of passwords. "Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break."

Share this

Joe McKendrick

Contributing Editor

Joe McKendrick is an independent analyst who tracks the impact of information technology on management and markets. He is a co-author of the SOA Manifesto and has written for Forbes, ZDNet and Database Trends & Applications. He holds a degree from Temple University. He is based in Pennsylvania. Follow him on Twitter. Disclosure