Top 20 most common passwords of all time revealed: ‘123456,’ ‘princess,’ ‘qwerty’

By Joe McKendrick | January 21, 2010, 7:29 AM PST

Imperva released a list of the 20 most commonly used (and therefore worst) passwords, culled from a hacking incident that took place in December 2009 at RockYou.com, a photo-sharing and slideshow site. Reportedly, 32 million usernames and passwords were breached. (RockYou.com issued a statement indicating that it temporarily shut down its platform after the incident, and now employs encryption technology.)

Imperva posted a summary of the passwords, along with advice on how to create stronger passwords.

[UPDATE: Trustwave just published a list of the most commonly used passwords within enterprises -- which put many corporate systems at risk.]

[UPDATE: And here are the most commonly used passwords in the year 2011 -- a list which closely resembles the all-time list below!]

The most common passwords are as follows. Is yours among them?

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123
  11. Nicole
  12. Daniel
  13. babygirl
  14. monkey
  15. Jessica
  16. Lovely
  17. michael
  18. Ashley
  19. 654321
  20. Qwerty

It’s notable how many people apparently use their first names as passwords. Notice also how, in the case of no. 7, the password is simply the name of the site.

[UPDATE: In another study on passwords, a Microsoft researcher conducted a cost/benefit analysis of efforts to encourage stronger passwords, and questions whether the costs of strong password management outweigh the benefits.]

For its part, Imperva observes that we have made precious little progress over the past two decades in improving passwords — long considered the Achilles' heel of data security:

“The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic, brute force password attacks…  Ironically, the problem has changed very little over the past twenty years. In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords. Just ten years ago, hacked Hotmail passwords showed little change. This means that the users, if allowed to, will choose very weak passwords even for sites that hold their most private data.”

The greatest danger, Imperva points out, is that it wouldn’t take long for a hacker to break into a percentage of accounts using the weak passwords with a brute force attack. It’s simply a numbers game:

Citing NASA guidelines, Imperva recommends that all passwords be at least eight characters, and contain a mix of four different types of characters – upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;. If there is only one letter or special character, it should not be either the first or last character in the password.

Of course, context is important as well. For online banking, email accounts, Website administration access, and so forth, the stronger the password, the better. However, there are countless information sites — online journals, analyst firm sites, and so on, that require password access, and fumbling with a unique strong password every time you want to read a white paper is just plain annoying.

Accordingly, Imperva advises users to “choose a strong password for sites you care for the privacy of the information you store.” If you’re concerned about being able to remember the code, here’s a little memory-jogging trick: “Take a sentence and turn it into a password. Something like ‘This little piggy went to market’ might become ‘tlpWENT2m.’”

Imperva recommends that administrators enforce a strong password policy, especially if sensitive data is on the line. Another word of advice: “Make sure passwords are not transmitted in clear text. Always use HTTPS on login.” Also, password files should be encrypted before being stored in a database.

Also worth consideration: requiring passphrases instead of passwords. “Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break.”
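As an added illustration (not code from the article or from Imperva), the following Python checker applies the rules the article relays: the eight-character minimum, the four character classes, the "lone character not at either end" placement rule, a blocklist of the top-20 list above, and the no. 7 case of the password being the site name. It also implements the sentence-to-password trick; the exact transformation is inferred from the single example 'tlpWENT2m' and is an assumption.

```python
import string

# The 20 most common RockYou passwords, copied from the list in the article.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "Password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "Nicole", "Daniel",
    "babygirl", "monkey", "Jessica", "Lovely", "michael", "Ashley",
    "654321", "Qwerty",
}
COMMON_LOWER = {p.lower() for p in COMMON_PASSWORDS}

CLASSES = {  # the four character classes the article's NASA-derived rule requires
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def sentence_to_password(sentence, emphasize):
    """Article's mnemonic: first letter of each word, 'to' becomes '2', one
    chosen word kept whole in upper case (rule inferred from 'tlpWENT2m')."""
    parts = []
    for word in sentence.split():
        w = word.strip(string.punctuation)
        if w.lower() == "to":
            parts.append("2")
        elif w.lower() == emphasize.lower():
            parts.append(w.upper())
        else:
            parts.append(w[0].lower())
    return "".join(parts)


def check_policy(password, site_name=None):
    """Return the rules the password breaks (empty list means it passes):
    length, four classes, lone-character placement, top-20 list, site name."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    counts = {n: sum(c in cls for c in password) for n, cls in CLASSES.items()}
    missing = [n for n, k in counts.items() if k == 0]
    if missing:
        failures.append("missing character class(es): " + ", ".join(missing))
    for n, k in counts.items():  # a lone member of a class must not sit at an end
        if k == 1 and (password[0] in CLASSES[n] or password[-1] in CLASSES[n]):
            failures.append(f"the only {n} character is first or last")
    if password.lower() in COMMON_LOWER:
        failures.append("on the RockYou top-20 list")
    if site_name and site_name.lower() in password.lower():
        failures.append("contains the site name")
    return failures
```

Note that the article's own mnemonic output, tlpWENT2m, fails its own four-class rule because it has no special character; inserting one (for example Tlp!WENT2m) makes it pass.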


Joe McKendrick

About Joe McKendrick

Joe McKendrick is a contributing editor for SmartPlanet.


17 Comments
+2 Votes
RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,' 'qwerty'
The reason people still use weak passwords and the same passwords for all of their sites is because it's too inconvenient to do otherwise. This is why solutions such as the one offered by Mitto (http://mitto.com) are useful...they make secure password management easy.

By using Mitto, you can create and manage strong different passwords for all of your websites, and log into them with ease from any computer. Because it's an online password solution, there is no software installation required. It's not that people don't want to be safe, or that security isn't a top priority. It's that the solutions that currently exist are too inconvenient for people.
Posted by sion.roy1977
21st Jan 2010
+1 Vote
RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,' 'qwerty'
"The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic, brute force password attacks…"

Talk about "grabbing the wrong end of the stick". People use short passwords because they are easy to remember and enter. I have a short password and I still mistype it. Couple that with the rotating password system that is recommended (replace your password after 6 months) and you are obviously going to pick a short, easy-to-remember (and easy-to-break) password.

Demand a 32 character password for your site and see how many people will bother to log-in!
Do you think that corrupt corporations would put up with it taking 10 minutes/day, for their workers to successfully log-in to their user accounts? A simple mechanical key & lock would be more effective!
How many people would use ATMs, if their PIN changed every 6 months?

lehnerus2000
Posted by lehnerus2000
22nd Jan 2010
0 Votes
RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,' 'qwerty'
Re: Mitto. And what if they get hacked? I have Keepass and it has made me lazy and forget my passwords! You can carry it with you on a flash drive.
Posted by Rodo1
24th Jan 2010
+3 Votes
hello can u help my
i cane not my password my MSN is enver_kuleta@live.de cane u send me thiss password mei MSN 2 is shpendi_blu@hotmail.com thanx
Posted by shpendi
24th Jan 2010
+2 Votes
RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,
Yes, this is really terrible. Such weak passwords. This is why I use password management software Sticky Password http://www.stickypassword.com.
Posted by mikin
25th Jan 2010
+2 Votes
RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,' 'qwerty'
It is getting tougher and tougher these days as we all join more and more password protected sites. As the article mentioned, some demand a much higher level of complexity while others are more run of the mill and don't reveal any important personal info.

I use a tool called roboform to manage my passwords - a free version can be found at http://yourpasswordtool.com - I have found it extremely helpful especially to keep track of the growing amounts of userids and passwords necessary as well as to remember the userid/password combos for sites that I visit on a seldom basis.

Good luck!

Nick
@nicktako
Posted by nicktako
26th Jan 2010
+2 Votes
RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,' 'qwerty'
Another good strategy is to figure out a password *formula* that has, say, something to do with a characteristic of the site. This allows for simple use of differing passwords for different sites. The formula can include all four character types ... if the site allows them. Sadly, some don't.

A major credit card provider actually limits passwords to a *maximum* of eight characters! They actually limit the strength of the password I can use!

What would be great is if *everyone* would allow using passwords of at least twelve characters (even more is better!) with all four character types eligible. Then, optionally, add a requirement that the password meet a minimum strength test. Let the user figure out how they want to arrange the password - so long as it passes the strength test. That would allow the use of short pass phrases and very complex passwords. They could be formulated in a way that would vary from site to site. And they could be remembered without the need for password software.
Posted by contrazz
26th Jan 2010
+2 Votes
The Evolution of Passwords
1. Early 90s. Used same password for everything. Never got hacked.

2. Late 90s. Handful of passwords written on a postit stuck to my monitor. Never got hacked.

3. Early 00s. Password hell. Proliferating, written on little scraps of paper, could never find the one I needed. Never got hacked.

4. Mid 00s. Password formulas, so that I can remember most passwords. But, I always hit "Remember password on this computer" which means that I'm often sunk if I try to access the site from a different computer. Never got hacked.

5. Current. Password hoops. With more sites requiring greater password complexity, I'm saying "screw this" more often and just never going back there again.
Posted by Mike Van Horn
26th Jan 2010
+1 Vote
RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,' 'qwerty'
Password management tools have a dual side: they can handle all your passwords very efficiently, but you get lazy and forget passwords when you're not using your PC. And what if you don't have a backup of the BD? If you have an online password management tool and it gets hacked, you expose all your passwords; besides, you need to get there first...

The best solution I have thought of and used so far is to have a password template (or formula, as "contrazz" mentioned) that could be easily remembered, which could even have fixed characters and then the variable characters, like this:

Template:
fixed_characters-differential_character-website_related_characters
Example:
hKmK760(smartplanet@2010;
DkTzQ$7605551515;for_me.

where the ")" character separates the fixed from the variable characters...

Just my two cents
Posted by heinrich.marco@...
26th Jan 2010
+2 Votes
RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,' 'qwerty'
I like the idea of template as suggested by Heinrich. In fact I am getting a feeling of 'Eureka'. It's so simple yet effective (why didn't it occur to me earlier).
Posted by rasin84
26th Jan 2010
+3 Votes
RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,' 'qwerty'
I agree that those passwords are the most common passwords that most people use.
But I know why they are using those passwords:
because some people forget easily and they do not want to forget their password every time they want to log in.
However, you shouldn't use the password 123456 or 654321. That's too simple and you deserve to get hacked for sure!!
So please mix some letters and some numbers in your password, like "whatzup911" or something you want, but remember "not too simple".

Best of Luck !!
Posted by watzup
23rd Oct 2010
0 Votes
RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,
i accept for these serve
gooood day to you

Posted by shoukat ansari
30th Oct 2010
+3 Votes
RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,' 'qwerty'
I registered just to reply to this.

you guys are crazy with password tools. Can't you just pick a bunch of passwords and use them all around? Nobody will brute force your hotmail account with a password like Pass4Msn1. Why develop useless password or 10kilos of post-it? lol
Posted by USERamzis
30th Oct 2010
0 Votes
Password phrases can be terrible
Password phrases are great, BUT ONLY if you use something that nobody else will use. Otherwise it's not much better than 12345.
Example of a bad password based on a phrase:
OFwaihhbTn
Sure, it looks like a strong password, but it's just the first line of the Lord's Prayer. Since there are a billion or so Christians on the planet, this is an obvious phrase for hackers to target. Never, ever, should you use a phrase that is in common use as the basis for your password. That's just asking to get hacked. Don't use:
* Lines from popular songs (especially first lines)
* Lines from famous speeches (especially the opening lines)
* Any catch-phrase from popular culture
* Anything that would be usable by lots of people with only a small variation. Example: "I love my dog Barky" is terrible because the 26 variations of Ilmd?, where ? is a letter, will catch everyone with a dog (or a dad). Ilmc? will catch all the cat and child lovers; Ilmw? will catch all the wife lovers; Ilmh? will catch all the husband and horse lovers; etc.
* Any suggestion on web sites, unless there is sufficient personal information involved. For example, the password phrase "William Shakespeare is the greatest writer in history, except Tolkien" resulting in "WSitgwiheT", would have been a great password phrase if I hadn't just posted it here. Now it stinks, and anything similar to it stinks.

In summary, a password phrase is only secure if nobody else on the planet would have thought of it. That's not as easy as you might think.
Posted by dmm99
12th Nov 2010
+1 Vote
RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,' 'qwerty'
very interesting, but I will continue keeping my passwords like that...
Posted by awahid@...
18th Dec 2010
+1 Vote
[gasp] Mine is not listed
Just like 'USERamzis' I signed up to comment here.
I have had a free email from a well known provider and have used the same password since I registered it. It may have been in late 90s but both my username and password can be found in a high school level dictionary. Now if no hackers have yet to hack in that account, I feel safe with my 'new' current way of selecting passwords.
Now that said, if they did hack into my spam infested email and newsletter crap account, the best thing they will get is a good deal on a Rolez watch!
If your information is soooo important, why not use a biometric password scanner?
Posted by cln.lgr
25th May 2011
0 Votes
Strong passwords
A strong password you remember is better than a strong one that changes frequently, since you must write down the frequently changing password. We have that problem in Government, where the IT clowns keep dreaming up new solutions to problems we don't have. If you have a multitude of password-protected sites you use, there is a strong incentive to use the same one on all, even though the IT clowns say you shouldn't, but their very own rules encourage this, so what are we to do, go back to paper bills and snail mail? Those had problems also, but no one seems to remember that.
Posted by Starman35
5th Apr 2012