Top 20 most common passwords of all time revealed: ‘123456,’ ‘princess,’ ‘qwerty’

By Joe McKendrick | Jan 21, 2010

Last summer, SmartPlanet colleague John Dodge posted details on the 500 worst passwords of all time.

Now, Imperva has released a list of the 20 most commonly used (and therefore worst) passwords, culled from a hacking incident that took place in December at RockYou.com, a photo-sharing and slideshow site. Reportedly, 32 million usernames and passwords were breached. (RockYou.com issued a statement indicating that it temporarily shut down its platform after the incident, and now employs encryption technology.)

Imperva posted a summary of the passwords, along with advice on how to create stronger passwords.

The most common passwords are as follows. Is yours among them?

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123
  11. Nicole
  12. Daniel
  13. babygirl
  14. monkey
  15. Jessica
  16. Lovely
  17. michael
  18. Ashley
  19. 654321
  20. Qwerty

It’s notable how many people apparently use their first names as passwords. Notice also that, in the case of no. 7, the password is simply the name of the site.

Imperva observes that we have made precious little progress over the past two decades in improving passwords — long considered the Achilles’ heel of data security:

“The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic, brute force password attacks…  Ironically, the problem has changed very little over the past twenty years. In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords. Just ten years ago, hacked Hotmail passwords showed little change. This means that the users, if allowed to, will choose very weak passwords even for sites that hold their most private data.”

The greatest danger, Imperva points out, is that it wouldn’t take long for a hacker to break into a percentage of accounts using the weak passwords with a brute force attack. It’s simply a numbers game:

Citing NASA guidelines, Imperva recommends that all passwords be at least eight characters, and contain a mix of four different types of characters – upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,; – and that if there is only one letter or special character, it should not be either the first or last character in the password.
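As an added example (not Imperva’s or NASA’s code), here is a small policy checker that applies exactly the rule quoted above and also rejects anything on the article’s top-20 list. It assumes the special-character set is the one the article spells out (!@#$%^&*,;) and reads “only one letter” as a single letter of either case in the whole password; both are interpretations, not something the guideline states.

```python
"""Password policy check modelled on the rule quoted in the article:
at least 8 characters, all four character classes, and a lone letter or
lone special character must not be first or last.  Also rejects the
20 most common passwords from the article.  Added example, not the
article's own code."""

# Assumption: the special characters are exactly the ones the article lists.
SPECIALS = set("!@#$%^&*,;")

# The 20 passwords printed in the article, compared case-insensitively.
TOP20 = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "nicole", "daniel",
    "babygirl", "monkey", "jessica", "lovely", "michael", "ashley",
    "654321", "qwerty",
}


def classify(ch):
    """Map one character to its policy class."""
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    if ch in SPECIALS:
        return "special"
    return "other"


def check_password(pw):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if pw.lower() in TOP20:
        problems.append("is one of the 20 most common passwords")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = [classify(c) for c in pw]
    missing = {"upper", "lower", "digit", "special"} - set(classes)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    # Interpretation of the guideline: a lone letter (either case) or a lone
    # special character must not sit at either end of the password.
    letters = [i for i, c in enumerate(classes) if c in ("upper", "lower")]
    specials = [i for i, c in enumerate(classes) if c == "special"]
    for name, positions in (("letter", letters), ("special character", specials)):
        if len(positions) == 1 and positions[0] in (0, len(pw) - 1):
            problems.append(f"only {name} is at the start or end")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the article's mnemonic password, a top-20
    # entry, and a password that fails only on the lone-special-character rule.
    for candidate in ("tlpWENT2m", "Qwerty", "1234567!", "a1234$B9"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that the article’s own mnemonic, tlpWENT2m, fails this check for lack of a special character, which is a useful reminder that the sentence trick and the four-class rule have to be combined.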

Of course, context is important as well. For online banking, email accounts, Website administration access, and so forth, the stronger the password, the better. However, there are countless information sites — online journals, analyst firm sites, and so on — that require password access, and fumbling with a unique strong password every time you want to read a white paper is just plain annoying.

Accordingly, Imperva advises users to “choose a strong password for sites you care for the privacy of the information you store.”  If you’re concerned about being able to remember the code, here’s a little memory-jogging trick: “Take a sentence and turn it into a password. Something like ‘This little piggy went to market’ might become ‘tlpWENT2m.’”

Imperva recommends that administrators enforce a strong password policy, especially if sensitive data is on the line. Another word of advice: “Make sure passwords are not transmitted in clear text. Always use HTTPS on login.” Also, password files should be encrypted before being stored in a database.
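The RockYou breach was so damaging precisely because the 32 million passwords were recoverable from the stored data. The following added example (not RockYou’s or Imperva’s code) shows the standard way of protecting stored credentials: rather than reversible encryption, each password is stored as a per-user random salt plus a deliberately slow one-way hash (PBKDF2-HMAC-SHA256 from Python’s standard library), and verification recomputes and compares in constant time. The iteration count is an assumed demo value, chosen to keep the example fast.

```python
"""Store passwords as salted, slow one-way hashes so that a leaked
database does not hand out the passwords themselves.  Added example; the
record format and the iteration count are this example's own choices."""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000  # assumption: demo work factor; tune to current guidance


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo_records():
    """Two users who both chose 'iloveyou' (no. 5 on the list) get different
    records, so a leaked table does not even show that they share a password."""
    first = hash_password("iloveyou")
    second = hash_password("iloveyou")
    return first, second


if __name__ == "__main__":
    first, second = demo_records()
    print(first)
    print(second)
    print("first user logs in:", verify_password("iloveyou", first))
    print("wrong case rejected:", verify_password("ILOVEYOU", first))
```

The salt defeats precomputed tables and hides duplicate passwords; the iteration count is what turns a brute-force attempt against a stolen table from a numbers game the attacker wins into one that costs real time per guess.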

Also worth consideration: requiring passphrases instead of passwords. “Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break.”

  1. sion.roy1977 | 01/21/10

    RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,' 'qwerty'

    The reason people still use weak passwords and the same passwords for all of their sites is because it's too inconvenient to do otherwise. This is why solutions such as the one offered by Mitto (http://mitto.com) are useful... they make secure password management easy.

    By using Mitto, you can create and manage strong different passwords for all of your websites, and log into them with ease from any computer. Because it's an online password solution, there is no software installation required. It's not that people don't want to be safe, or that security isn't a top priority. It's that the solutions that currently exist are too inconvenient for people.

  2. lehnerus2000 | 01/22/10

    RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,' 'qwerty'

    "The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic, brute force password attacks…"

    Talk about "grabbing the wrong end of the stick". People use short passwords because they are easy to remember and enter. I have a short password and I still mistype it. Couple that to the rotating password system that is recommended (replace your password after 6 months) and you are obviously going to pick a short easy to remember (and break) password.

    Demand a 32 character password for your site and see how many people will bother to log-in!
    Do you think that corrupt corporations would put up with it taking 10 minutes/day, for their workers to successfully log-in to their user accounts? A simple mechanical key & lock would be more effective!
    How many people would use ATMs, if their PIN changed every 6 months?

    lehnerus2000

  3. Rodo1 | 01/24/10

    RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,' 'qwerty'

    Re: Mitto. And what if they get hacked? I have Keepass and it has made me lazy and forget my passwords! You can carry it with you on a flash drive.

  4. shpendi | 01/24/10

    Hello, can you help me?

    I cannot get my password. My MSN is enver_kuleta@live.de. Can you send me this password? My MSN 2 is shpendi_blu@hotmail.com. Thanks.

  5. mikin | 01/25/10

    RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,

    Yes, this is really terrible. Such weak passwords. This is why I use password management software Sticky Password (http://www.stickypassword.com).

  6. nicktako | 01/26/10

    RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,' 'qwerty'

    It is getting tougher and tougher these days as we all join more and more password protected sites. As the article mentioned, some demand a much higher level of complexity while others are more run of the mill and don't reveal any important personal info.

    I use a tool called roboform to manage my passwords - a free version can be found at http://yourpasswordtool.com - I have found it extremely helpful especially to keep track of the growing amounts of userids and passwords necessary as well as to remember the userid/password combos for sites that I visit on a seldom basis.

    Good luck!

    Nick
    @nicktako

  7. contrazz | 01/26/10

    RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,' 'qwerty'

    Another good strategy is to figure out a password *formula* that has, say, something to do with a characteristic of the site. This allows for simple use of differing passwords for different sites. The formula can include all four character types ... if the site allows them. Sadly, some don't.

    A major credit card provider actually limits passwords to a *maximum* of eight characters! They actually limit the strength of the password I can use!

    What would be great is if *everyone* would allow using passwords of at least twelve characters (even more is better!) with all four character types eligible. Then, optionally, add a requirement that the password meet a minimum strength test. Let the user figure out how they want to arrange the password - so long as it passes the strength test. That would allow the use of short pass phrases and very complex passwords. They could be formulated in a way that would vary from site to site. And they could be remembered without the need for password software.

  8. Mike Van Horn | 01/26/10

    The Evolution of Passwords

    1. Early 90s. Used same password for everything. Never got hacked.

    2. Late 90s. Handful of passwords written on a postit stuck to my monitor. Never got hacked.

    3. Early 00s. Password hell. Proliferating, written on little scraps of paper, could never find the one I needed. Never got hacked.

    4. Mid 00s. Password formulas, so that I can remember most passwords. But, I always hit "Remember password on this computer" which means that I'm often sunk if I try to access the site from a different computer. Never got hacked.

    5. Current. Password hoops. With more sites requiring greater password complexity, I'm saying "screw this" more often and just never going back there again.

  9. heinrich.marco@... | 01/26/10

    RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,' 'qwerty'

    Password management tools have a dual side: they can handle all your passwords very efficiently, but you get lazy and forget passwords when you're not using your PC. And what if you don't have a backup of the DB? If you have an online password management tool and it gets hacked, you expose all your passwords; besides, you need to get there first...

    The best solution I have thought of and used so far is to have a password template (or formula, as "contrazz" mentioned) that could be easily remembered, and that could even have fixed characters and then the variable characters, like this:

    Template:
    fixed_characters-differential_character-website_related_characters
    Example:
    hKmK760(smartplanet@2010;
    DkTzQ$7605551515;for_me.

    where the ")" character separates the fixed from the variable characters...

    Just my two cents

  10. rasin84 | 01/26/10

    RE: Top 20 most common passwords of all time revealed: '123456,' 'princess,' 'qwerty'

    I like the idea of template as suggested by Heinrich. In fact I am getting a feeling of 'Eureka'. It's so simple yet effective (why didn't it occur to me earlier).
