Leaked 2014 passwords show that people are still careless online

Martin Brinkmann
Jan 21, 2015

What have the words password, baseball, dragon, football, monkey, mustang, access, shadow and master in common?

They all made the word passwords of 2014 list. The list, compiled by Splashdata, is based on 3.3 million passwords that leaked during 2014.

One could say that 3.3 million passwords are not really representative when it comes to online password use but since that is all the data that is available, it can be used to analyze trends.

And the main trend of 2014 seems to be that people are still as careless about online passwords as they were in previous years.

The passwords "123456" and "password" retained the top spot while other favorites such as "qwerty", "letmein" or "111111" are still in the top 25 list just like they were in previous years.

The big issue here is accounts can be easily attacked using brute force attacks that use dictionaries that contain the top 100, top 1000 or even top 10000 passwords and variations.

While password selection comes down to each individual user, it is not only the fault of the user that online security is in this predicament.

Online companies prefer to keep enforce basic password policies that are not too much of a nuisance to users. This in fact has not changed a lot since 10 or even 15 years ago where nearly the same rules were in effect.

Lets take a look at name and password guidelines of popular Internet companies

  • Google requires a password of at least 8 characters. Passwords in addition to that cannot be reused, and easy to guess passwords such as "1234567" are not allowed.
  • Microsoft requires that passwords contain at least 8 characters.
  • Dropbox requires that passwords are 6 characters or more. Password strength is highlighted.
  • Yahoo passwords must have a minimum size of 8 characters. In addition, they cannot be reused or be similar to previous passwords, cannot repeat single characters, cannot be "password" and cannot contain a user's first or last name, or Yahoo ID. Highlights password strength.
  • Facebook passwords must have a minimum character count of 6. Highlights password strength.
  • Twitter passwords must have a minimum character count of 6. The password strength is rated on input.

While most companies use low character limits for user account passwords, most suggest to users that they should use stronger passwords. Twitter for instance suggests to use a unique password that is at least 10 characters strong and uses a mix of uppercase, lowercase, numbers and symbols.

Why are not companies enforcing recommended password rules then? It is not clear why but an explanation that makes sense is that they fear that they would lose users over this who turn away in frustration when their passwords are not accepted during sign-up or password change.

Internet users who want to improve the strength of their passwords should consider using password managers like LastPass, KeePass or Dashlane as they will generate and store secure passwords for users.

Now You: What's your take on password use on today's Internet?

Leaked 2014 passwords show that people are still careless online
Article Name
Leaked 2014 passwords show that people are still careless online
A leaked top 25 list of online passwords suggests that online users are careless about password use on the Internet.

Previous Post: «
Next Post: «


  1. Purplemaize said on April 21, 2015 at 9:37 pm

    When you have 2 different kinds of computers and Beta test software like I do. I have to keep doing this. I also get rid of the old malto’s when I am done working with that client after a few years.

  2. Thrawn said on April 21, 2015 at 12:58 pm

    Purple, there is no point changing strong passwords every three months, and if you use weak passwords, then changing them won’t help.

    The only way to keep track of strong, unique passwords for many accounts is to record them. And the best way to record them is a password manager with strong encryption.

    For passwords that you really need to memorize (like the master password for your manager), I recommend Diceware. You can easily comply with complexity requirements by replacing spaces with other punctuation.

  3. Purplemaizenjm said on January 25, 2015 at 2:17 am

    Easy Arthur, I change 100 sites per month. Write down the site and change password. Everything is on a corkboard.

  4. Purplemaizenjm said on January 23, 2015 at 2:57 pm

    It is best to change your password every 3 months. No matter how many sites you belong too. I love to confuse my computers key changes because I dont keep the new updates in there.

    1. Arthur said on January 24, 2015 at 10:40 pm

      How would you do that if you have over 500+ passwords? I can’t spend days changing my passwords every 3 months.

  5. All Things Firefox said on January 23, 2015 at 12:21 am

    Everyone: Please use KeePass. It is so easy to use and provides instant account security.

  6. George P. Burdell said on January 21, 2015 at 8:44 pm

    Here are two password resources I enjoy using:

    https://telepathwords.research.microsoft.com/ Test your password

    https://secure.pctools.com/guides/password/ Generate a password

    Hope these help!

    1. Tom Hawack said on January 21, 2015 at 8:57 pm

      Nice links to online password resources.
      As an application I found this one quite exhaustive :
      Strong Passwords Need Entropy (S.P.N.E.) http://eddantes.blog4ever.com/strong-passwords-need-entropy-spne-12-may-2013

      1. Tom Hawack said on January 22, 2015 at 2:13 pm

        Well, Peter, I’d never fail to that advice : Do not use an online password generator
        Extra-cautious, paranoid? In French we say “Dans le doute abstiens-toi” which could be freely translated by “If you doubt , refrain yourself“.

        Often (especially in French culture, UK & US are more civilized on this point) techies but especially those who consider themselves to be a sum of knowledge (while those who really know are far more tolerant) have this trend to joke about plain basic users who take extra precautions. They can laugh as much as they want, if I get into problems it’s not them who will solve the issue. When I’m not sure I am doubly cautious.

      2. Peter said on January 22, 2015 at 1:40 pm

        Funny. One of the 15 rules of SPNE: Do not use an online password generator.

  7. Tom Hawack said on January 21, 2015 at 8:00 pm

    Here always 32 characters (sometimes 31 or 33), upper-lower alphanumerical + special characters. That is, when a website allows this, because I’ve encountered many websites which do not state clearly the upper/lower limits in size and content, and several which have an upper limit, like no more characters than 20 and/or no special characters.

    It would be most appreciated that logins :
    1- Require strong passwords which they lack to and most likely for the reasons exposed in this article.
    2- Be clear about the password’s limits :
    At least mi characters, no more than ma characters;
    Upper/lower case : required/allowed/forbidden;
    Special characters : required/allowed/forbidden.

    Some sites do it but some others will refuse a password for an unknown reason, the user has to test until he finds the optimal accepted password…. I’ve even experienced once a website that accepted a 32 character password which failed when I tried afterwards to login simply because it had been truncated to the first 16 characters …

    So : yes, many, far too many users are totally unconscious about the importance of passwords, not only for themselves but for others as well…
    And : Yes, many, far too many websites are totally — not unconscious — but cynical when it comes to compare security to business.

    And I continue to believe that ISPs should proceed to a new customer’s briefing (at the office and/or website, documentation. Because if the number of users who don’t give a damn as for their security passwords included continues to grow we’ll be leading to a Web driver’s license. No other way.

  8. intelligencia said on January 21, 2015 at 5:07 pm

    . . . while all passwords are potentially C-R-A-C-K-A-B-L-E . . . the cyber-security experts say that passwords that have either seven (7) or [preferably] twelve (12) Upper; lower and Special (case) characters are harder to break and to make it much more difficult for hackers to break into someone’s Online account said experts Strongly recommend a two-factor authentication plan to work in tandem with a password.


    1. Chris Granger said on January 21, 2015 at 7:07 pm

      Anyone who is suggesting seven-character passwords are hard to break is no security expert. It’s trivial to brute force a seven-character password with dedicated tools.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.