What are the World's Worst Passwords?

Mike Halsey MVP
Nov 19, 2011
Updated • Dec 27, 2012

Passwords are important, very important in fact as they're usually the only thing preventing criminals from stealing your personal and credit card information, and using your email account for sending spam (and having your account closed shortly afterwards as a result!)  In short it's critical to have secure and unique passwords for everything these days.

Now SplashData have compiled the list of the top 25 most common passwords.  They have compiled the list by examining the password dumps that have been posted online by hackers.

The list, which unsurprisingly comes with the password "password" as the most common doesn't come with any great surprises.  The most common threads running through these are that they are all very short and most are common dictionary words or proper names.  These are all things to be avoided when creating a new password.

You will notice though that the password "qazwsx" is in the list and why shouldn't this be secure.  If you look at your keyboard you will see why, as password cracking software looks at common patterns that can be typed on your keyboard.

The list of the top 25 most common passwords is...

1. password

2. 123456

3. 12345678

4. qwerty

5. abc123

6. monkey

7. 1234567

8. letmein

9. trustno1

10. dragon

11. baseball

12. 111111

13. iloveyou

14. master

15. sunshine

16. ashley

17. bailey

18. passw0rd

19. shadow

20. 123123

21. 654321

22. superman

23. qazwsx

24. michael

25. football

It's not actually difficult to create a strong password and I have put a posted I created below (click to view it full size) that you can print out and put on your wall in your home office or workplace.

A strong password should be absolute minimum of 8 characters in length, preferably a minimum of 10 characters and contain a mixture of numbers, symbols and upper and lower case letters.  You can use numbers and symbols to replace letters they are similar to, for example using an "&" instead of the letter "a" and using the number "1" instead of an "i" or an "l".

You can also mix things in a way that makes sense when remembering the code you have used to create the password.  For example, you could have a password made up of two words of different lengths, where the third letter of each word is capitalised and the fifth character in each word is replaced by a symbol.

Finally you can also, for added security, append to the end of the password, or preferably mix into it the first three letters (or a three or four letter identifier) for the website or service the password is for.  For example Amazon could mean the letters AMZ are mixed into your password.

By following these rules it's very easy to create long, super-secure and above all memorable passwords that will help your data and financial information stay safe online.

There are also other things you can do keep your passwords safe.  One way is to use randomly generated passwords and password storage software on your PC (with it's own secure password) to auto-fill these in on the websites you use.

Having a super-strong password is so important so I really urge you to tweet, blog and share this post and the poster as far and wide as possible so your friends, family and colleagues can see if their own passwords are in the list.


Previous Post: «
Next Post: «


  1. TheMerricat said on November 23, 2011 at 1:37 am

    Dear lord, I read this article via RSS and immediately clicked on it to pull up the site and comment on the whole ‘gibberish password’ ideal and how it’s better to use an intelligible, longer, phrase instead. And here I see that a number of people have already beaten me to the punch. Bravo.

  2. Dan said on November 21, 2011 at 4:08 pm

    All you need is a password manager such as Sisma or Keepass that will keep all your passwords encrypted. This way you can choose many very strong passwords for your many websites, but have to memorize only one strong password for your passwords database.

  3. diyfan said on November 21, 2011 at 5:38 am

    this kind of stuff again.

    In fact if it is something really important, I would suggest using hardware password like USB (256 bit encryption) + SMS random code + typing password

    Today the big challenge is numerous password (mail, social net, bank account, shopping account, company, online game, messenger, ………) to use in the life, and if one guy has more than 4 passwords totally different, it would be confusing even mess sometimes.
    An online or local password manager could be useful, but you have to be careful about master password and a backup policy should be taken into account

  4. Dawn said on November 20, 2011 at 7:09 pm

    This is great advice for people. I am careful with what I pick but I am amazed that some of these number sequences are popular! I didn’t realize that a lot of people were not aware of how dangerous it is.
    I wouldn’t use all numbers no matter what the sequence is. I have heard of people using their social security number too. That is just crazy as it can also lead to identity theft too!

  5. Martin Brinkmann said on November 20, 2011 at 10:23 am

    When you look at the top 25 passwords you will notice that none is larger than 8 characters. I’d suggest to double that wherever possible and use a password manager like KeePass to generate secure passwords.

    What I really do not understand is how some security sensitive online businesses, banks for instance, still allow only six or even only four characters for a password. That’s insane even if accounts are locked after three tries.

  6. Sputnik said on November 20, 2011 at 1:40 am

    Oh my gosh !!!

    How is that someone correctly guessed all my passwords ???

  7. Dean said on November 20, 2011 at 12:57 am

    This takes me back to my days as a student when (This was back in Novell 3.x days) when we used to manage to copy the bindery off onto floppies and brute-force the admin passwords.

    One of the common ones at the time was carpet.

    Surprised it’s not in there still.

  8. Berttie said on November 19, 2011 at 11:23 pm

    I just use a hash (sha1, sha256, md5, etc) generator to produce a long random password from an easily remembered key word or the URL of the site and then add or subtract several characters to obscure that it is hash generated. The world will be much, much older before they are cracked.

    This site will generate a number of different hashes from entered keywords: http://www.hashgenerator.de/

  9. Maik said on November 19, 2011 at 10:57 pm
  10. Scott said on November 19, 2011 at 8:33 pm

    Hi, Have you had a read of Steve Gibsons password haystacks, it flies in the face of common thought practise for secure complex passwords but makes sense when you listen, there is a security now podcast on the whole subject, have a read here. https://www.grc.com/haystack.htm

    Like I say , it makes sense but I shudder trying to explain to a user why HorseStapleCar………… is more secure than He7(*j#hF

  11. Jojo said on November 19, 2011 at 8:17 pm

    Wasn’t there an article a while back about how a 4 or 5 common word phrase (like “ilovehorsebackriding”) was an excellent method to construct a password phrase that was easy to remember?

  12. Anthony Frazier said on November 19, 2011 at 7:31 pm

    Obligatory XKCD Comic: http://xkcd.com/936/

    Making unguessable and uncrackable passwords is easy. Making easy to remember passwords is easy too. Mnemonics >> cat dancing on the keyboard.

    What’s even better is that using a passphrase of dictionary words also makes them far, FAR easier to enter on the software keyboards that power smartphones and tablets. Being able to Swype my passwords beats having to mess about with shift/alt soft keys and press and hold for half my characters otherwise.

    Though qazwsx making the list was surprising.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.