
A password is defined as a "secret word or string of characters" that is used to authenticate identity and enable access to a resource. The emphasis is on the word secret, although 'unique' is equally important when it comes to password security. Which is why the list of the most popular, and therefore worst, passwords used online this past year, as revealed by password management specialists SplashData this week, is particularly worrying. Well, it should be if your password is on the list anyway!

According to SplashData, the 25 worst passwords that you could be using include those insecure evergreens 'password' at number one and '123456' at number two in the chart of shame, followed by '12345678', almost as easy to guess but, one assumes, treated as the more secure option by those who don't know better. At number four in the list we find 'qwerty': yep, the first six letters on a keyboard, easy to remember and even easier for the bad guys to crack.

Mixing letters with numbers is a good thing in terms of security, unless the result is a fixed keyboard pattern like number five in the list, which is, I kid you not, 'abc123'. At least number six is slightly less obvious; I mean, who would guess your password is 'monkey' after all? Erm, well, actually that bit of automated software which works through a wordlist would, and it would do so in a matter of seconds, as it is a very short dictionary word at that.

Number seven is a seven character string which should by rights sit between the second and third entries, as it is '1234567'. The eighth most popular password is the first to adopt another recommended approach to password construction, using phrases rather than single dictionary words. Unfortunately, 'letmein' comprises just three very short dictionary words, and pretty much every dictionary attack tool concatenates short words as well as trying them singly, so it will stumble across this one in less time than it took me to type this sentence.

Number nine may look, at first glance, like something approaching a secure password, but it remains a poor and insecure choice by virtue of appearing in the wordlists that ship with most password cracking tools. There's a certain irony in selecting 'trustno1' as your password, I admit, but not a great deal of security. The same can be said of 'passw0rd', which sits at 18 in the list and just replaces an O with a zero. It's more secure than using the number one choice of 'password', but only just: swapping letters for look-alike digits is one of the standard mangling rules those same tools apply to every word they try. Other stand out inclusions on the list included '111111', 'iloveyou', '654321' and the rather inappropriate, under the circumstances, 'master'.
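To make the point about dictionary words, short-word phrases and leet substitutions concrete, here is a small simulation of the kind of rule-based attack the article has in mind. It is an added example, not SplashData's data-processing code nor the code of any real cracking tool: the SplashData list is taken from the page, while the toy dictionary, the substitution table and the suffix list are constructed for the demo and are far smaller than what a real tool ships with.

```python
import itertools

# The SplashData list for 2011 exactly as quoted in the article.
SPLASHDATA_2011 = [
    "password", "123456", "12345678", "qwerty", "abc123", "monkey",
    "1234567", "letmein", "trustno1", "dragon", "baseball", "111111",
    "iloveyou", "master", "sunshine", "ashley", "bailey", "passw0rd",
    "shadow", "123123", "654321", "superman", "qazwsx", "michael", "football",
]

# A toy stand-in for a real dictionary, constructed for this demo.
TOY_DICTIONARY = ["let", "me", "in", "trust", "no", "eat", "cake", "at",
                  "car", "park", "city"]

# Single-character substitutions a rule-based cracker tries on every base word.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}

# Suffixes appended to every variant ("1" and the current year are classics).
SUFFIXES = ["", "1", "!", "123", "2011"]


def leet_variants(word):
    """All ways of applying zero or more LEET substitutions to word."""
    choices = [(ch, LEET[ch.lower()]) if ch.lower() in LEET else (ch,)
               for ch in word]
    return ["".join(combo) for combo in itertools.product(*choices)]


def mangle(word):
    """Candidates derived from one base word, deduplicated, in a stable order."""
    seen = {}
    for base in (word, word.capitalize(), word.upper()):
        for variant in leet_variants(base):
            for suffix in SUFFIXES:
                seen.setdefault(variant + suffix, None)
    return list(seen)


def candidates(wordlist, dictionary, max_words):
    """Yield (guess, rule) in the order an attacker would spend guesses:
    leaked list verbatim, then mangled, then mangled dictionary phrases."""
    for w in wordlist:
        yield w, "leaked list, verbatim"
    for w in wordlist:
        for guess in mangle(w):
            yield guess, f"leaked list, mangled from {w!r}"
    for n in range(1, max_words + 1):
        for parts in itertools.product(dictionary, repeat=n):
            for guess in mangle("".join(parts)):
                yield guess, "dictionary phrase " + "+".join(parts) + ", mangled"


def crack(target, wordlist=SPLASHDATA_2011, dictionary=TOY_DICTIONARY, max_words=2):
    """Return (found, guesses_spent, rule) for target under this attack."""
    guesses = 0
    for guess, rule in candidates(wordlist, dictionary, max_words):
        guesses += 1
        if guess == target:
            return True, guesses, rule
    return False, guesses, None


if __name__ == "__main__":
    for pw in ["password", "passw0rd", "Passw0rd!", "Trustno1", "m0nkey123",
               "Eatcake!", "eat cake at 8!"]:
        print(f"{pw!r}: {crack(pw)}")
```

Run it and 'password' falls on the first guess, 'passw0rd' on the eighteenth, and 'Passw0rd!' or 'Trustno1' a few hundred guesses later via the capitalisation, leet and suffix rules; only the spaced passphrase survives, because nothing in the rule set generates separators. A real tool has far larger wordlists and rule sets, so treat the guess counts as illustrative, not as a measure of strength.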

Where did SplashData get the information to compile such a list, you may be asking yourself? Actually the company compiled it from files containing millions of stolen passwords that have been posted online in underground hacking forums following successful data breaches during the year.

Andi Hindle, Director of International Business Development at security outfit Ping Identity, warns that there is "no such thing as an uncrackable password", adding that it is "possible to make a password that is so difficult to electronically guess that it would take an untold time". Of course, even if that untold time equates to millions of hours on one machine, those hours can be spread across thousands of machines running cracking software, and that once again introduces an element of risk if the bad guys think your data worth the effort and financial investment involved in breaking it. What decides the outcome is the aggregate number of guesses per second the attacker can afford, set against the number of guesses your password forces them to make.

Meanwhile, SplashData offers the following suggestions when it comes to improving your password security:

Use passwords of eight characters or more with mixed types of characters. One way to create longer, more secure passwords that are easy to remember is to use short words with spaces or other characters separating them. For example, "eat cake at 8!" or "car_park_city?"

Avoid using the same username/password combination for multiple websites. Especially risky is using the same password for entertainment sites that you do for online email, social networking, and financial services. Use different passwords for each new website or service you sign up for.

Having trouble remembering all those different passwords? Try using a password manager application that organizes and protects passwords and can automatically log you into websites.

Here's the full SplashData list of the 25 worst passwords of 2011:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football
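The two pieces of advice above, longer separated-word passphrases and the eight-character mixed minimum, can be compared on the numbers Hindle alludes to. The following is an added example, not code from SplashData or Ping Identity: it generates a passphrase with the operating system's CSPRNG (the `secrets` module rather than `random`) and estimates how long a brute-force search would take at an assumed aggregate guessing rate. The 16-word list is constructed for the demo; the figures of 95 printable ASCII characters and a 7,776-word diceware-style list are assumptions used for the comparison.

```python
import math
import secrets

# Constructed mini wordlist for the demo; a diceware-style list has thousands of words.
WORDLIST = ["cake", "car", "park", "city", "eat", "river", "stone", "cloud",
            "lamp", "tiger", "paper", "glass", "north", "silver", "bread", "wind"]


def generate_passphrase(n_words=4, separator=" ", wordlist=WORDLIST):
    """Pick n_words uniformly at random with the OS CSPRNG and join them.

    The strength estimate below only holds for words picked this way, not for
    a phrase a person composes ("eat cake at 8!"), which a dictionary attack
    that concatenates short words can still reach.
    """
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second_per_machine, machines):
    """Average time to hit a uniformly random secret: half the keyspace
    divided by the aggregate guessing rate across all machines."""
    return 2 ** (bits - 1) / (guesses_per_second_per_machine * machines)


def compare_policies(guesses_per_second_per_machine, machines):
    """Return {policy: (bits, expected seconds)} for the two SplashData styles.

    Assumptions: 95 printable ASCII characters for the mixed 8-character
    password, 7,776 words (a diceware-sized list) for a 4-word passphrase.
    """
    policies = {
        "8 random chars, 95 symbols": keyspace_bits(95, 8),
        "4 random words, 7776-word list": keyspace_bits(7776, 4),
    }
    return {name: (bits, expected_crack_seconds(bits, guesses_per_second_per_machine, machines))
            for name, bits in policies.items()}


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(4, "_"))
    # Constructed scenario: one machine versus a thousand, at an assumed
    # rate of a billion guesses per second each (a fast, unsalted hash).
    for machines in (1, 1000):
        for name, (bits, secs) in compare_policies(1e9, machines).items():
            print(f"{machines:>5} machines  {name:<32} {bits:5.1f} bits  "
                  f"{secs / 86400 / 365:12.2f} years")
```

The two policies come out within a bit of each other (roughly 52.6 versus 51.7 bits), which is the point of the passphrase advice: the same strength in a form people can actually remember. Note how the "years" column drops by three orders of magnitude when the attacker goes from one machine to a thousand; that is the risk Hindle describes, and it is why a long random passphrase plus a password manager is a safer bet than any memorable eight-character string.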

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


I saw this in a posting about secure passwords; it's eight characters with a capital. Oddly enough, to my knowledge, this is an actual secure password because of the length and the number of individual words.

I used to use easy passwords so I could remember them, but after my e-mail and some other accounts were used for spam several times I started using password generators. There are many websites that allow you to use a password generator online, and I save them in the notes on my cell phone. Also, I read somewhere that it is better to change any password every 6 months.

I must be more careful. My password is often too easy for anyone to guess. :( Have to change it immediately!

Passwords are becoming more vulnerable since most people use the same password on a lot of different accounts, which might not be at all trustworthy.

Rather than every six months, it should be done more often, say once a month, and be sure to include uppercase/lowercase/special characters and numbers in your password.

A password is never a good one if the security question isn't good. I admire the system most banks use, where the authentication process has three steps.
2) Security question
3) Code generated from a dongle they give you which is assigned to you.

This method or similar is used by Wallet Software sites as well, and people should make use of it, since most probably this is the most important password most people have.

I have no problem with difficult passwords. I use a password manager like roboform. On each site I register with, I use a different password for the same email address. And I just let roboform generate the password for me, which is in fact very random in nature.
