How to avoid the “500 worst passwords of all time”

By John Dodge | July 29, 2009, 6:58 AM PDT

We all have lots of Internet passwords and about half of them are not difficult to guess. Just take a look at the “500 worst passwords of all time.”

A strong password should be two things: easily recalled by its owner and difficult to guess by someone who doesn’t know it. The passwords on the worst list fail the second test so badly that even non-hackers could guess a few of them.

“123456” is number one, followed by, you guessed it, “password.” Some on the list are intriguing. Number 496 is “mistress,” although I don’t know if the owners lean toward kept women or men who wished they had one. Many are profane, with a hint of anger and impulsiveness suggesting people don’t want to bother with passwords. Some are plays on words like “letmein.” Number 486 is a seemingly cryptic letter string, “abgrtyu,” and it still made the list.

The list comes from the book “Perfect Password: Selection, Protection, Authentication,” published in 2005. While the list would appear outdated, it still gets considerable attention because it’s unique.

One out of nine passwords used is on the list, and about 50% of passwords are “based on names of a family member, spouse, partner, or a pet,” according to the book’s teaser on Amazon. Just ask Sarah Palin, whose email was hacked last September by someone who reset her password using her ZIP code, birthdate and where she met her spouse. When asked where she went to high school, the hacker entered “Wasilla High” and was right. Such is the price of celebrity and people knowing a lot about you.

Passwords are a challenge. Like you, I often want quick access to a site and view the password as an obstacle deserving little attention. However, I can proudly say no password I have ever used is on the worst list.

In a recent discussion with fellow bloggers, one said he keeps passwords only in his head. He never writes them down ANYWHERE. I have far too many for that and lack the photographic mind he must have. He also avoids password hints such as a boyhood dog or mother’s maiden name, given what happened to Palin.

Another swears by the password manager Roboform, which can be downloaded for $35. I may try this given its good reviews and because I don’t feel secure with my current password strategy, if you can call it that. I am constantly looking them up and must have about 30 of them. I also have used meebo with some success as a single logon/password to multiple instant messaging accounts. I tried something called a secure login named vidoop, but it was too good: it didn’t let me into anything.

There’s plenty of advice on how to create a good password, such as Microsoft’s six steps to creating “a strong, memorable password.” Some of the advice is obvious, but worth repeating.

– Use a mix of symbols, characters and numbers. Use spaces if allowed.

– If you can’t use symbols, double the number of characters.

– Think of a memorable sentence and take the first letter of each word and combine into a password.

– Use a password checker to test its strength.
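The checks behind these four tips, as an added example that is not from the original post or from Microsoft’s guidance: a small screener that rejects anything on a known-bad list (seeing through digit-for-letter substitutions such as 0 for o and 5 for s), estimates the brute-force guessing space from the character classes used, and builds a password from the first letters of a memorable sentence. The deny-list is a constructed sample of a few entries named on this page, not the real 500-entry list; all function names and thresholds are this example’s own choices.

```python
"""Screening a candidate password along the lines of the article's advice:
reject anything on a known-bad list (even when disguised with digit-for-
letter substitutions), estimate the brute-force guessing space, and turn a
memorable sentence into a password from its first letters."""
import math
import re

# Constructed sample standing in for the "500 worst" list; a real checker
# would load the full list (and larger breach lists) from a file.
WORST_SAMPLE = {
    "123456", "password", "letmein", "abgrtyu", "mistress", "iamgod",
    "qwerty", "1q2w3e4r5t6y",
}

# Digit/symbol-for-letter swaps people use to "strengthen" a word.
# Undoing them lets the checker see 'P@ssw0rd!' as 'password'.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

PUNCT = '.,!?;:"\'()'


def candidate_forms(pw: str) -> set:
    """Spellings a guesser would try: lower-cased, substitutions reversed,
    symbols stripped, trailing digits removed."""
    low = pw.lower()
    forms = {low}
    for base in (low, low.translate(LEET)):
        alnum = re.sub(r"[^a-z0-9]", "", base)
        forms.add(alnum)
        forms.add(re.sub(r"\d+$", "", alnum))  # 'letmein99' -> 'letmein'
    forms.discard("")
    return forms


def is_denylisted(pw: str, denylist=WORST_SAMPLE) -> bool:
    """True if any normalised form of pw is a known-bad password."""
    return any(form in denylist for form in candidate_forms(pw))


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover, by character class."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII symbols, space included
    return size


def guessing_bits(pw: str) -> float:
    """log2 of the brute-force space; an upper bound that overstates the
    strength of dictionary-based or patterned passwords, which is why the
    deny-list check runs first in assess()."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw: str, denylist=WORST_SAMPLE) -> dict:
    """Reject known-bad passwords outright; otherwise grade by bits."""
    if is_denylisted(pw, denylist):
        return {"verdict": "reject", "bits": 0.0,
                "reason": "matches a known-bad password"}
    bits = round(guessing_bits(pw), 1)
    verdict = "weak" if bits < 40 else "ok"  # threshold is this example's
    return {"verdict": verdict, "bits": bits, "reason": "brute-force estimate"}


def sentence_to_password(sentence: str) -> str:
    """First letter of each word; numbers and hyphenated words keep their
    digits and hyphen, so 'I drive 33 miles round-trip each day.' gives
    'Id33mr-ted'."""
    out = []
    for token in sentence.split():
        token = token.strip(PUNCT)
        if not token:
            continue
        if token.isdigit():
            out.append(token)
        else:
            out.append("-".join(part[0] for part in token.split("-") if part))
    return "".join(out)


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd!", "letmein99", "abc", "Id33mr-ted"):
        print(f"{pw!r:14} -> {assess(pw)}")
```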


About John Dodge

John Dodge was a contributing editor for SmartPlanet from 2009 to 2010.


Contributing Editor, Technology

John Dodge has written for the Wall Street Journal, Boston Globe, PC Week (now eWeek), EDN, Design News, Electronic Business, Bio-IT World, Health-IT World, Lowell Sun, Haverhill Gazette and Newburyport Daily News. He is based in Massachusetts.


John Dodge prides himself on completely independent journalism. His opinions, observations and reporting are not influenced by any financial holdings. He holds no shares in computer, electronics, software or Internet companies. He also has no business affiliations with organizations except with those for which he creates content as a freelancer.

He writes for SmartPlanet and is not an employee of CBS.

42 Comments

+7 Votes
Keeping Passwords
I have about 50 passwords and some need to be changed as often as once a month. Several need to be 12 characters of various forms. There is no way to keep that all in my head. In desperation I looked at many password programs. More than 20.

Roboform has my vote. I've used it for about a year now. It has secure notes for those passwords and IDs that are not able to be saved automatically, like some bank sites. It has never failed me. Well worth the money. As an added benefit it fills in web forms at a single click. I wouldn't be without it now. I even own the portable USB version. I buy the licenses as gifts because I find it so useful.
Posted by PatrickFW
29th Jul 2009
+4 Votes
RE: How to avoid the '500 worst passwords of all time'
Patrick,

Thanks for the note and info. Roboform is what I am considering. Seems worth the money...J
Posted by John Dodge
29th Jul 2009
+5 Votes
RE: How to avoid the '500 worst passwords of all time'
I can say that none of my 66 current passwords nor any of the 53 retired ones are on the list. Some are close, but only a part of the actual password. I do have some relatively simple passwords/PIN #s; I have been changing some to more complex ones or ones that can't be figured out immediately, such as Sarah Palin's were. If I have a city name, it will be part of my former address, etc. License plate numbers are used or variations on them, such as adding the state name, especially if you no longer live there.

I use a password-protected Excel spreadsheet; it doesn't populate any web forms, but is free and easy to use.
Posted by dhays
30th Jul 2009
+1 Vote
Excel easy to hack
Just an FYI dhays. Don't make the mistake of thinking your Excel spreadsheets are protected when you use a password. Look up "Advanced Office Password Recovery Pro"...
Posted by Jeffp77
17th Jun
+2 Votes
RE: How to avoid the '500 worst passwords of all time'
One of my favorite methods is one of several vulgarisms in German, Spanish or Italian. It's easy to remember, and when the capitalization is off by a couple of characters, it's difficult to crack.
Posted by blacksmith@...
30th Jul 2009
+2 Votes
RE: How to avoid the '500 worst passwords of all time'
Your Sarah Palin example doesn't work. It wasn't the strength of the password used, it was Yahoo's crazy password reset process. No website should make it so easy to access that information.
Posted by HarryBeard
30th Jul 2009
+3 Votes
RE: How to avoid the '500 worst passwords of all time'
Roboform may well be great. But I'm a tightwad. I use the free KeePass and it works very well for me.
Posted by Olden D. Kreppit
30th Jul 2009
+5 Votes
1Password for MacOS X
I originally used Gator until it became annoyingware, then switched to RoboForm; however, there's no RoboForm for Mac, so I was pretty happy when 1Password for MacOS X arrived.
Posted by techrepublic@...
30th Jul 2009
+2 Votes
RE: How to avoid the '500 worst passwords of all time'
I looked at the list of PWs and I thought that 1q2w3e4r5t6y would have made it up there. But oh well.

But going on to how to avoid bad passwords: try to think of the two most random things and stick them together.

EX: tvtree, windowbag, phonestick, etc

Also another thing is to add random #s and Caps inside of it.

EX: TvtReE, wiNd0WBag, pH0NEsT1ck, etc

One more thing is to spell them in a different way.

EX: tveetrie, whinndoowbaag, foonstiic, etc

So put it all together and you've got a hard password.
Posted by HungMob
30th Jul 2009
+3 Votes
RE: How to avoid the '500 worst passwords of all time'
30 passwords? 50 passwords? Monthly changes? Independently from my different 'identities/user names' (yahoo!, google, msn, work, ...), I have only 3 different passwords. The 1st one is 'private-private': personal email, amazon, paypal, banks. The 2nd one is 'private-professional': it is used on my company's network, and can be reset by the network administrator. The last one is the 'default public password', very useful for all these sites where subscription is mandatory. I would give the 3rd one to everybody close to me, from my children to my assistant. The second one does not need to be given to anybody, as it can be reset. The 1st one is written down on a piece of paper, sealed in an envelope, to be opened after I am dead ...
Posted by pgrondier
30th Jul 2009
+4 Votes
RE: How to avoid the '500 worst passwords of all time'
I just came up with an algorithm that utilizes the name of the website requiring a password. For example, for this site, I'd use smartxxx99, where the xxx99 is the same for every website. For CBS.com, the password would be cbsxxx99. I just don't share the xxx99 with anyone, so it is easy to remember hundreds of passwords without having to pay for software like Roboform.
Posted by MarkH1981
30th Jul 2009
-1 Votes
RE: How to avoid the '500 worst passwords of all time'
I can't believe they forgot "iamgod"

every sysadmin knows that one...
Posted by dave_helmut
30th Jul 2009
+1 Vote
RE: How to avoid the '500 worst passwords of all time'
Roboform may be very good; I wouldn't know as I have never tried it, but I suggest you do consider the free and open source password manager KeePass Password Safe. I use it to manage dozens of passwords (http://keepass.info/) and have found it to be excellent.
"What is KeePass?
Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your homepage's FTP password, online passwords (like website member account), etc. etc. etc. The list is endless. Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem... A serious problem. The thief would have access to your e-mail account, homepage, etc. Unimaginable.

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page. " BRgds, Peter
Posted by PeterPilot
30th Jul 2009
+2 Votes
RE: How to avoid the '500 worst passwords of all time'
I always use an easy to remember sentence, then substitute numbers for one set of the letters.

I might sub 1 for all the "I"s, 0 for "O", 5 for "S" and similar. I like working the word "ate" into it, subbing the single 8 for the whole word.

I write the sentences out as you would normally, including punctuation. This helps people remember where any capital letters are, at the start and in any proper nouns.

Examples:

Y0u f0rg0t the passw0rd already!?

Who 8 all the 1cecream?

Plea5e don't abu5e thi5 5erver.

If spaces are not allowed I simply eliminate them.

I've yet to have anyone forget their password/phrase. Most of them are wireless keys, btw. I'll make a much shorter statement for Windows user passwords, e.g.:

B0nny r0ck5!

If you make the phrase appropriate to the user (or deployment) you don't have to write it down, just the nature of the substitution(s): o - 0, s - 5 for the above example.
Posted by pgit
31st Jul 2009
+1 Vote
RE: How to avoid the '500 worst passwords of all time'
One system admin I knew was into trivia. He liked to use passwords that reminded him of things, such as 56HDW63 being the years of reign of some famous person.

Something I do (I'm also a system admin) is keep lists. But even my lists, or password manager programs, don't actually list the password itself. On some sites involving giving them an account or credit card it will say "money", which is NOT the password but only a reminder that I used my really hard to figure out money password there. On other sites that I happen across and am not sure I will ever come back to, it will say "password", which is NOT the password but will tell me I used my junky default password there. No offense, but this site was one of those and I was real surprised that I was able to log in.

ANY storage list of passwords is still keeping a list where it can be snagged from you. I would recommend using this trick to remind yourself without actually writing the password.

OH and on those security questions, I have complete sets of answers that I use which do not match my real answers.
Posted by GP1628
31st Jul 2009
+1 Vote
RE: How to avoid the '500 worst passwords of all time'
A very good and FREE {open source} solution is KeePass. It allows for storage and creation of passwords of as many bits as you need; key generation is customizable as well. It's all stored in a very secure database. You set the size, type of encryption, etc. They have versions for every major OS including BlackBerry, Windows Mobile and many others. The new version allows you to host the file on a secure site and divvy out access to it. You can use a password, a key file or both to get in. One of the nifty features is the auto-type feature and a scripting feature. It allows for password entry as well as many other tasks to be recorded or scripted. So easy a cave man could do it.
Posted by heroshima
31st Jul 2009
+2 Votes
RE: How to avoid the '500 worst passwords of all time'
Great article, John.

I use the LastPass plugin for Firefox to remember my hundreds of passwords. As far as creating passwords, I've written several articles on the topic. One good method is simply to come up with a meaningful phrase and then convert it to a string of characters. Here's one: I drive 33 miles round-trip each day. (Notice I included numbers and a dash.) That could become id33mr-ted. Make some of the characters uppercase: iD3#mR-TeD (I made every other character uppercase - easy to remember). You get the idea.

You can check out one of my main articles "How to Write Down Your Passwords and Not Worry About Anyone Stealing Them" at http://bit.ly/106ha9 .
Posted by kenharthun
31st Jul 2009
+1 Vote
"passwords are teh suck"
Security in its current forms is inherently user unfriendly, and as such, will be implemented badly by most people. Passwords and secrecy in general are direct reactions to conflict and anonymity. If anonymity can be lessened and the incentive for attack can be removed, friendlier forms of gatekeeping can finally be utilized.
Posted by Hobyx
31st Jul 2009
+1 Vote
RE: How to avoid the '500 worst passwords of all time'
I can't get to the 500 items.
The server times out.
dmaesc
Posted by michel@...
31st Jul 2009
+1 Vote
RE: How to avoid the '500 worst passwords of all time'
Yep everyone wants to know if their password is on the list. I couldn't get in either.

I've used PasswordWiz and was happy with it, but it doesn't work on several of the new sites using Flash. I've not counted my passwords, but it long ago surpassed the century mark, so I need help and want the convenience of a pw manager. Some have suggested "systems" which work as long as no one wants to crack them. The most secure is random character sets, and the longer the better.

Having managed the admins for some very large secure networks I've been amazed at the nonchalant use of passwords by top management as well as admins. As a consultant I've entered systems simply by extending the systematic password patterns given to users.

On top secret sites we have used external key generators, but that is more than most people want to use. The best thing about passwords is that it keeps nosey people out of your space.

Posted by rblough@...
31st Jul 2009
+1 Vote
RE: How to avoid the '500 worst passwords of all time'
I disagree with the author if by saying a good password is "easily recalled by its owner" he means "easily remembered". A good (i.e., "strong") password should be a random string of upper and lowercase letters, numbers, symbols, and punctuation marks. Most people can't remember multiple such passwords. But there are tools that can help them, such as desktop password software (1Password, Keepass, PasswordSafe, SignUpShield, Roboform, etc.), USB password drives (IronKey, ID Vault, etc.), and standalone devices (Atek Logio Secure Password Organizer, Mandylion, etc.). If by "easily recalled" the author meant by the use of a tool such as these, then I agree...of course.
Posted by Techhasitslimits
31st Jul 2009
+1 Vote
Proof-reading would be nice
I wouldn't mind the occasional grammatical, orthographical, lexical or other mistakes, but 6.5 in such a short article tops it. I'm not a native speaker, but would say my English is good enough to spot these. A bit more journalistic care would be good. Elsewhere I saw those it's/its, their/they're again...

[ ] meaning that was missing, { } meaning that was too much.

1) Number 496 is a “mistress” although I don’t [know] if the owners...
2) ...about 50% of passwords are passwords [that] are “based on names of a family member...
3) I have far to[o] many for that..
4) He also avoid passwords hints such as boyhood dog...
5) I tried {a} something called a secure login called vidoop... -- nice doubling up
6) Some of the advice is {is} obvious, but worth repeating.

I said 6.5 mistakes above, because I'm not 100% sure about this one:
6.5) ...although I don’t if the owners lean toward kept women or...
Posted by invenio
2nd Aug 2009
+1 Vote
RE: How to avoid the '500 worst passwords of all time'
Invenio,

I believe ALL the dropped words and typos are fixed....fixed them several days ago.

--JD
Posted by John Dodge
5th Aug 2009
-1 Votes
RE: How to avoid the '500 worst passwords of all time'
Sounds like overheated paranoia to me
Posted by poyeezed
6th Aug 2009
+1 Vote
RE: How to avoid the '500 worst passwords of all time'
I have used AnyPass Pro for several years for all my contact info: passwords, telephone numbers, etc. I have [probably] 150 passwords. The software can be password protected, so I feel reasonably safe. In addition to my computer, the software can be run on a flash drive without any special tricks needed.

For a password, I usually use two words with a numeral between them, and I change every password annually - as I encounter it after the new year. I usually use a string of 7-9 characters in a password. Sometimes, I use the "=" or "+" or another symbol as well as a numeral.

I also have a collection of logon IDs that I use, switching them around irregularly. I keep a list of these logons in AnyPass, so that I don't repeat a logon closer than three years. I make sure to never use a logon as a password [or vice versa].
Posted by stevebon
6th Aug 2009
+1 Vote
RE: How to avoid the '500 worst passwords of all time'
I HAVE FOUND THAT USING SYMBOLS IN THE FRONT, FOLLOWED BY PART CAPS, PART LOWER CASE, AND FINISHING UP WITH ANOTHER SYMBOL WILL DEVELOP A " STRONG " PASSWORD.
Posted by VIKING21
7th Aug 2009
+1 Vote
RE: How to avoid the '500 worst passwords of all time'
I use Roboform and in my opinion it has been one of my smarter purchases. I generate a unique password for all of my password protected sites so there can be no cross-contamination.

I also take security one step further when logging onto a bank site. I open up a completely new browser, not merely a new tab, then transact whatever I need to do and then close that browser completely. I will never go to another site from a browser that I opened for a bank transaction. It is so easy to do this simple security procedure that there is no reason not to do so.
Posted by john181818
7th Aug 2009
+1 Vote
RE: How to avoid the '500 worst passwords of all time'
Using a sentence is probably the simplest to remember, and you can add some more complexity by substituting a number or symbol that is similar to a letter. For example, use the sentence, "Mary is the woman I will love for eternity." A password could be Mitw1wl4e or M1TwIl$e. Note that by using shift or a number, you can make these powerful and nearly impossible to guess.
Posted by jguzzo
7th Aug 2009
+1 Vote
RE: How to avoid the '500 worst passwords of all time'
Oh, and I use Password Plus on my Palm Treo to manage the dozens of passwords I need for personal and business use.
Posted by jguzzo
7th Aug 2009
+1 Vote
sjeffreya
I swear by RoboForm Pro. I just checked my passwords before writing this and on this rig I have 364 passwords. Plus RF generates passwords depending on length, numeric, alpha, characters and symbols. It also gives you a bit score for whatever combination it is. Some sites don't allow more than 10 characters. A lot don't allow characters and symbols. With RoboForm nothing is hard. Just click your cursor on your choice, say, alpha-numeric, choose your length and hit generate. If that one doesn't tickle your fancy keep generating until you come across one you like. Then hit fill and your new password automatically fills itself in. No excuse not to update your heavily trafficked sites regularly. Oh, one thing. Unless you're writing passwords down: back up, back up, back up!
Posted by sjeffreya
7th Aug 2009
+1 Vote
RE: How to avoid the '500 worst passwords of all time'
I should clarify my remarks to say that I am using RoboForm Pro, not the free edition. It was well worth the money.
Posted by john181818
8th Aug 2009
+1 Vote
RE: How to avoid the '500 worst passwords of all time'
The latest embarrassment was on Twitter, as one of their admin accounts had the password "password", which made it pretty easy to hack.

There can be a whole book written on managing passwords for corporations. They have to change the password often as people change departments, their security levels are changed or they leave the job.
Posted by ryan-s
11th Aug 2009
+1 Vote
RE: How to avoid the '500 worst passwords of all time'
Although I use RoboForm Pro at home, I change my password at work at the beginning of every month and don't write it down anywhere. I have three picture calendars on my walls: this month, last month and next month. Using the calendars as visual tools, I create a related phrase, and then condense that down to an 8 character strong password. For example, last month one of my calendars had a picture of a wolf cub coming out of a wooded area, so my phrase was "are you sure?" My password became: a5usU3? One of my best was a picture of a Tufted *** mouse on a lilac bush; my phrase was "Mine aren't purple", pw: m1r?tpu3. It's my way to add a bit of fun to my job and secure my employer's data.
Posted by akprange
14th Aug 2009
-1 Votes
RE: How to avoid the '500 worst passwords of all time'
use all the tips given above
-va
Posted by agarwal0406vinayak
9th Sep 2009
+1 Vote
RE: How to avoid the '500 worst passwords of all time'
I've been using Roboform for about three years now and I love it. I put it on every computer I get. It's well worth the money and will save you a lot of time. I'm paralyzed on the left side so it's a pain for me to type. Roboform saves me all of that. I highly recommend it.
Posted by pitter43@...
29th Sep 2009
+1 Vote
RE: How to avoid the '500 worst passwords of all time'
For those of a mathematical bent
Password generator -
My house (or street, or age, etc.) number times (or add, divide, etc.) my house (or street, or age, etc.) number does not equal 100 (or any other number you like).
So my password could be 59Times96>=480.
I find numbers just easier to remember...
Posted by Agnostic_OS
9th Oct 2009
+1 Vote
RE: How to avoid the '500 worst passwords of all time'
thx
Posted by alaa emad
13th Oct 2009
+2 Votes
RE: How to avoid the '500 worst passwords of all time'
I usually mix letters and numbers and rumble or mix them to be able to play safe.
Posted by malou.buenaventura
6th Jan 2010
0 Votes
RE: How to avoid the '500 worst passwords of all time'
There are several excellent "password safes" available freely as "open source" programs. "Password Safe" is an excellent product, as well as is "Keepass". Of course if you've got money to burn, then price is no object. ;}) Seriously, these keep all your passwords and personal information concerning them under full encryption, so if you should lose your USB drive, your passwords remain safe from prying eyes.

Each product contains a randomly produced password of any strength that you might require; with Password Safe that upper limit is 300 bit passwords. I gave up trying to create and maintain passwords in my head a couple of years ago thanks to Password Safe. It is secured with a single randomly generated password, that I occasionally change.
Posted by hdlss@...
20th Apr 2010