You should not be using these passwords

Martin Brinkmann
Jan 20, 2016

When it comes to the password selection process, you are usually only restrained by the limitations imposed to you by the service you are creating an account for.

Some may have very strict but insecure rules, like enforcing 4 digit passwords only, while others may only limit the lower character limit (six or more), upper character limit (no more than 12), and a third kind may require that you pick at least a special character and a number.

Most password selection rules are not designed to enforce the use of secure passwords, but to make the password selection process convenient for the user to avoid users leaving in frustration if their password selections are rejected for being too insecure, and to avoid servers being hammered with password reset requests.

Bad Passwords

SplashData released its annual "worst passwords list" yesterday highlighting the "most commonly used passwords".It compiles the list from leaked password during the year which means that the passwords could have been created earlier and not necessarily in 2015.

test password
via password meter

Without further ado, here it is.

  • 123456
  • password
  • 12345678
  • qwerty
  • 12345
  • 123456789
  • football
  • 1234
  • 1234567
  • baseball
  • welcome (new)
  • 1234567890 (new)
  • abc123
  • 111111
  • 1qaz2wsx (new)
  • dragon
  • master
  • monkey
  • letmein
  • login (new)
  • princess (new)
  • qwertyuiop (new)
  • solo (new)
  • passw0rd (new)
  • starwars (new)

As you can see from the listing, most of the selected passwords are as basic as they can get as they are either basic words, numbers, or use a combination of characters that are easily detectable as a pattern on the keyboard.

The main issue here is not only that these passwords are insecure, but also that they are found in nearly any brute forcing dictionary out there.

In fact, most of these passwords have been in dictionary files twenty years ago.

The new entries to the list are as insecure as the old ones. All have in common that they are easy to type, but that is the only benefit as they leave the account wide open for attackers.

Better passwords

Probably the best advice that one can give to Internet users who select weak passwords is to start using a password manager that assists them in selecting secure unique passwords for every Internet service and application they use.

If that is out of the question, the following policies should be followed:

  1. Use a lot of characters (12 at least, better a lot more).
  2. Mix letters, numbers, upper- and lowercase, special characters.
  3. Don't pick dictionary words (football) or pop culture (Star Wars), and don't substitute common characters with each other (e.g. o and 0, e and 3, l and 1).
  4. Use unique passwords.

Now You: How secure are your passwords?

You should not be using these passwords
Article Name
You should not be using these passwords
SplashData released its annual "worst passwords of the year" listing highlighting the most common passwords used in 2015.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. XenoSilvano said on January 27, 2016 at 12:34 pm

    The practice that I often employ for creating memorable passwords is that I will pick a Latin or Greek word that I like, then I will capitalise all the characters within that word that look like Roman numerals, I have no need for the use of password managers because this method works like a charm.


  2. jim cone said on January 22, 2016 at 4:04 am

    No matter how good your password is, if the bank, broker or porn site you use is hacked then that good password becomes not so good. Thank you Target.
    I just hope that any security breach gets noticed quickly, so that good password can be changed… (“fluffy7” sounds nice).

    For those with MS Excel, I make a free Excel add-in (Create Password) available at…
    (for xl97 thru xl2010 only – n/a XL2013+)
    No ads, no trackers, no cookies, no registration. Options to choose length, all alpha, all symbols and mixed.
    Jim Cone
    Portland, Oregon USA

  3. beerpatzer said on January 22, 2016 at 3:13 am

    In my experience, most people use passwords which include a person’s or a pet’s name, followed by a single digit. For example, michael1, andrea4, or fluffy7.

  4. Fred Prince said on January 21, 2016 at 8:46 pm

    Another warning… ‘Keyboard walks’, such as 1qaz@wsx are not safe. In fact, if you can think up a password, the password is automatically suspect. Millions of people have constructed passwords, and we tend to think alike and using the same patterns. At some point all ‘human devised’ passwords or pass phrases can fail.

    Computer programs used to choose passwords can also fail. If there is input used for initiating any password builder, the strength of the result is only as strong as the initial input. You can apply an algorithm to construct very powerful appearing passwords, but a hacker using the same algorithm can crack your password with little effort, if the basis for the product is weak.

    There are ways of approaching randomness, and reasonably ‘unpredictable’ password strings are possible. The user, however, must do his/her part in the process. The basic issue is that strong passwords take effort to construct or recall. They are hard to remember and people both lack an ability to select and the energy to enter better passwords.

    Never believe that you can out think a hacker or the power of statistical analysis that they have at their disposal. In the short term, you may win at the slots, but it’s not likely in the long term. Mathematics will win over human frailty every time.

    Bite the bullet, use a good ‘random password generator’ to build the longest password that you can use, make a few character substitutions, write down the string and keep it in a safe place. At that point the length and unpredictability of the password will, hopefully, make a hacker’s attempts too costly to pursue. Be sure that no one else ever has access to the password and change it often.

    Or, buy a new quantum computer for the latest in ultimate security.

    1. Jason said on January 23, 2016 at 9:42 pm

      “Or, buy a new quantum computer for the latest in ultimate security.”

      When those become “a thing”, all encryption as we know it will be finished. Basically instant brute force cracks.

  5. Stephen in Austin said on January 21, 2016 at 11:42 am
    Passphrases That You Can Memorize — But That Even the NSA Can’t Guess. It turns out, coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you’ll probably do a bad job of it. If you use an entirely random sequence of characters it might be very secure, but it’s also agonizing to memorize (and honestly, a waste of brain power). …

    But luckily this usability/security trade-off doesn’t have to exist. There is a method for generating passphrases that are both impossible for even the most powerful attackers to guess, yet very possible for humans to memorize. The method is called Diceware, and it’s based on some simple math.

    Imagine your adversary has taken the lyrics from every song ever written, taken the scripts from every movie and TV show, taken the text from every book ever digitized and every page on Wikipedia, in every language, and used that as a basis for their guess list. Will your passphrase still survive?

    (after all that doom and gloom, let’s cut to the good part now)
    In other words, if an attacker knows that you are using a seven-word Diceware passphrase, and they pick seven random words from the Diceware word list to guess, there is a one in 1,719,070,799,748,422,591,028,658,176 chance that they’ll pick your passphrase each try.

    At one trillion guesses per second — per Edward Snowden’s January 2013 warning — it would take an average of 27 million years to guess this passphrase.
    VIA Micah Lee @ The Intercept


    I created a 7 word password, using Diceware, as suggested in the linked page. It took about ten minutes maybe, fifteen max. Ridiculously simple. I wrote the words down on paper, as suggested, with an eye toward tossing the paper upon memorizing the password. Actually, two slips of paper for me; I put one in my wallet, for use with my smart phone.

    I am *not* noted for my memory. No one has ever accused me of having a mind like a steel trap. Still, I easily had it memorized inside two days.

    The paper is long gone. And: since memorizing it, I went ahead and added an *extra* word, for fun. You know, because I can….

    I use that long, fun password to log into LastPass. I have used LastPass to create 18-22 character, absolutely bombproof passwords on every site that is in my LastPass vault.

  6. Decent60 said on January 21, 2016 at 4:40 am

    Wait wait wait… mean other people use ‘password’ for their password?!?! When did this become a thing!? I thought I was being clever and unique. Damn.

    Jokes :-P

    Easy way to make a secure password: Pick two random objects around the room/house/building, combine them without using the entire word(s) (e.g. book case and fishing rod = booshing cod) then throw some random numbers around (e.g. booshingcod307) and for good measure, add a special character (e.g. booshingcod?3475). Takes me literally 10 seconds to make up a new password. If the combined words are too short, throw in another one.

  7. Jeff said on January 21, 2016 at 2:31 am

    If the site allows spaces as characters, you can create highly complex yet easy to remember passwords by combining common words into a nonsense sentence.

    e.g. dark side moon blues guitar

    e.g. horse duck snake train

    or you can make a recognizable phrase but add symbols to it

    e.g. !war of the roses#

    Or if you just want a simple dictionary word, put symbols in or around it: #dragon?!

    Symbols make any password far, far more complex.

    1. Jason said on January 21, 2016 at 4:24 am

      The “passphrase” method only works if you choose your words randomly (or at least by a method approaching true randomness). You cannot do this by yourself; you need software. One way to do this is with the Duckduckgo search engine, which can generate 4 pseudorandom words when you search for “random passphrase”. Also, if you are trying to get a fairly secure passphrase for something particular important, you should be aiming for around 6 words, each of 4 or more characters. This has been derived mathematically to offer around 80 bits of password entropy (complexity), which is sufficient for most purposes.

      1. Earl said on January 21, 2016 at 5:18 am

        I like PWGen.

    2. Earl said on January 21, 2016 at 3:16 am

      I use multiple words, no spaces, with all of those mentioned goodies–upper/lower case, numbers, special characters; and I never use the same pass-phrase on more than one site/app. Sure, I’ve never been hacked; wish I could say the same for one or more companies I’ve done business with (which is the real threat to your data–not bad passwords).

      1. XenoSilvano said on January 27, 2016 at 12:21 pm

        How do you know that you have never been hacked

  8. Chains The Bounty Hunter said on January 20, 2016 at 10:31 pm

    Each time I see lists like this, I always wonder if a lot of the common passwords are used by people creating accounts that they know won’t contain sensitive information. I can recall at least one occasion where I signed up for a website that I was loathe to otherwise do so and made certain to use a password that wasn’t complex.

    Of course, the data measured can’t possibly factor such a thing in unless they’re tracking down the individuals responsible for using passwords like that and asking them but it’s something I feel would prove interesting to know, given the state of mass data leaks and widespread database hacking in recent years.

  9. David Naylor said on January 20, 2016 at 8:19 pm

    Here’s what I do: I use Firefox’s built-in password manager with a good master password set so that the saved data is encrypted. I use completely random passwords, as complicated as the respective sites will allow. I basically only have to remember one password, and if one of my accounts gets hacked then they won’t get access to anything else.

    What is really laughable is that (at least in my experience) the sites which should reasonably have the highest possible security (online banking) are the ones which have the most restricting password rules. (I.e. no special characters allowed, max 12 chars, etc.)

  10. D. said on January 20, 2016 at 7:48 pm

    You are right Martin on trying to get people to use a password manager when selecting weak passwords and etc. I have had people to many times when I told them to stop using the same password everywhere, or create a longer password than the minimum amount of characters needed, that I was to paranoid. You know how that goes. These things only happen to someone else. Yet, the banks, credit card companies and etc. warn them, and some people still do the least in security they can do to get by with.

    This being allowed to putt in the minimum amount of 8 characters and that is it, should have been discontinued a long time a go, I think. I think we should be starting out around 12 to 15 characters also to begin with, everywhere on the net. That should be a standard…

  11. Jason said on January 20, 2016 at 5:20 pm

    I find it interesting that “dragon” and “monkey” are more common than 0987654321, which doesn’t appear in the top 25 in any form. So people have discovered how to slide their finger left to right, but not how to do it right to left? :)

    On a more serious note, people should know that modern password hacking algorithms include tens of thousands (not 25!) common strings. The algorithms go through these strings first, and then branch off into more complex combinations if needed. In other words, you should do as Martin suggested and make your passwords truely complex, otherwise there is really no point to having a password – a hacker will be able to brute-force it in just a few seconds.

  12. S2015 said on January 20, 2016 at 5:01 pm

    There’s yet another possibly weak line of defense, username / E-mail. Unfortunately, the users usually made that sensitive information public when looking for help online.
    I did encounter a site which was / might be still sharing personal info, “ID + PW@ site”.

    Moreover, changing one’s habits could be hard:

  13. intelligencia said on January 20, 2016 at 4:43 pm

    Hello Mr. Brinkmann and Everyone:

    I understand that the NUMBER of characters is very important in making a password harder to break:
    – – (7) or (12) characters have been shown to be most resistant to hacking attacks!

    If you want a more sophisticated password system one can also use the Scandinavian alphabet letters as coding (using Microsoft Windows). One or two of these characters (or umlauts) in your password setup will suffice.
    [I would show it here but my computer is using Linux and is unable to produce said letters.]
    Nevertheless, here is the place to go for more information:

    Enjoy and Be SAFE out there in Cyber-Country!


    1. XenoSilvano said on January 27, 2016 at 11:51 am

      I think you mean accents, there are other languages aside from the Scandinavian languages that use the same accents using the Latin script.

  14. Maelish said on January 20, 2016 at 4:25 pm

    In my opinion, most password requirements are horse-hocky. I recommend people read this:

  15. cdr said on January 20, 2016 at 1:18 pm

    Mostly agree. Anyone who doesn’t come up with a difficult to guess password for an on line bank account or something similar is only asking for trouble. Having an unusual user id, if it can be changed, adds protection. If not, having many email addresses that are only used for special purposes, such as on line banking, works well too.

    My only gripe with these articles is that everyone has junk accounts. They’re used for non-essential purposes and will probably be forgotten about fairly soon. For, example, you open up an account on Facebook using a fake name just to see what Facebook is all about. (Actually I did that using the name Slam Dunk, and was one of about 300 other Slam Dunks on Facebook at the time.This was many years ago so I have nothing to do with any Slam Dunk out there today.) I see little reason to make the ‘junk account’ password complicated.

  16. Yuliya said on January 20, 2016 at 11:46 am


    Ayy this surely has fixed the issue that the passord ‘password’ had :)

  17. Gerard said on January 20, 2016 at 11:26 am

    Recently when I was creating a Steam account I noticed they have some very odd rules about passwords. I generate passwords with a manager and usually have not had any problems with that. Now, however it seemed like no password I tried would be good for them. I tried passwords from 8 to over 20 characters, only lower case, only upper case, mixed, with numbers, with specials. Apparently one of the characters not allowed was “£” so what’s that about? Maybe they also have system that enforces you to actually write the password in the fields instead of pasting. Managed after dozens of tries.

  18. Moses Arthesi said on January 20, 2016 at 6:28 am

    Maybe visual, multi-language, XKCD inspired password generator can be used to generate more secure password.

    1. Croatoan said on January 20, 2016 at 3:00 pm

      + number and symbol :)

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.