The ten worst passwords on the web, and why you really should read this article


January 23, 2010

You’re not fooling anyone with that “123456” password of yours. “Password” isn’t much better, and sorry ladies, but “princess” is also no good. These are among the findings in a report released by Imperva, a data security firm that analyzed 32 million passwords recently exposed in the Rockyou breach. Not only did they identify the most common, and thus most easily guessable, passwords, but they also suggested some effective methods for creating secure ones. Rockyou is a website where users can develop apps to use on social networking sites. Last December, a hacker gained access to all of Rockyou’s members’ usernames, email addresses and passwords (which had been stored in plain, unencrypted text) and posted the passwords to the Internet. Given that many people use the same username and password for all of their online dealings, such as banking, the results could have been disastrous. Fortunately, the perpetrator seemed to be mainly interested in exposing Rockyou’s insufficient security, as they didn’t post the usernames or emails.

Imperva analyzed the hacked data, and compiled their findings in the Consumer Password Worst Practices report. Of the 32 million passwords involved, the ten most common were:

  • 123456
  • 12345
  • 123456789
  • Password
  • iloveyou
  • princess
  • rockyou
  • 1234567
  • 12345678
  • abc123

It was found that almost half of the members used names, slang words, proper words, or trivial passwords such as consecutive digits or adjacent keys on the keyboard.

So, what sort of password SHOULD people be using?

Imperva made the following recommendations:

  • It should contain at least eight characters (30% of users had passwords that were six characters or less)
  • It should contain a mix of four different types of characters (i.e. upper case, lower case, numbers, symbols)
  • It should not be a name or a word, or contain any part of your name or email address

The report also suggests using a different password for every website, not sharing your passwords with third parties, and using the first letters of each word in a sentence as your password (for instance, “this little piggy went to market” would be “tlpWENT2m”).

“The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of passwords as a security mechanism,” said Imperva CTO Amichai Shulman. “Never before has there been such a high volume of real-world passwords to examine.”
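As an added example (not from the article or from Imperva), the checker below turns the report's recommendations into code: the top-ten list from the article, the eight-character minimum, the four character types, the name/e-mail rule, and the "trivial password" patterns the report describes (consecutive digits, adjacent keys). The wordlist is a constructed stand-in for a real cracking dictionary; the substitution table that undoes digit-for-letter tricks is an assumption about what such tools try.

```python
import re
import string

# Constructed sample data: the ten most common passwords from the Imperva report
# (as listed in the article) and a tiny stand-in for a real cracking wordlist.
TOP_TEN = {"123456", "12345", "123456789", "Password", "iloveyou", "princess",
           "rockyou", "1234567", "12345678", "abc123"}
WORDLIST = {"password", "princess", "dinosaur", "market", "piggy", "iloveyou"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Undo the digit/symbol-for-letter substitutions cracking tools try automatically
# (assumed table: 0->o 1->i 3->e 4->a 5->s 7->t 8->b $->s @->a !->i).
UNLEET = str.maketrans("0134578$@!", "oieastbsai")


def char_classes(pw):
    """Number of the four character types (upper, lower, digit, symbol) present."""
    tests = (str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(t(c) for c in pw) for t in tests)


def is_keyboard_walk(pw):
    """True if the whole password is a run of adjacent keys on one keyboard row
    (covers consecutive digits such as 123456 as well as qwerty-style walks)."""
    s = pw.lower()
    return len(s) >= 4 and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def looks_like_word(pw):
    """Wordlist hit, before or after reversing common substitutions (d1n0saur)."""
    return pw.lower() in WORDLIST or pw.lower().translate(UNLEET) in WORDLIST


def audit(pw, name="", email=""):
    """Return the list of recommendations the password violates (empty = passes)."""
    findings = []
    if pw in TOP_TEN:
        findings.append("in the report's top-ten list")
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    if char_classes(pw) < 4:
        findings.append(f"only {char_classes(pw)} of 4 character types")
    if looks_like_word(pw):
        findings.append("a dictionary word, possibly with digit substitutions")
    if is_keyboard_walk(pw):
        findings.append("consecutive digits or adjacent keyboard keys")
    # No fragment (3+ characters) of the name or e-mail address may appear.
    fragments = [f for f in re.split(r"[\s@.]+", f"{name} {email}".lower()) if len(f) >= 3]
    if any(f in pw.lower() for f in fragments):
        findings.append("contains part of your name or e-mail address")
    return findings


if __name__ == "__main__":
    for pw in ("123456", "tlpWENT2m", "tlpWENT2m!", "d1n0saur"):
        print(f"{pw!r}: {audit(pw) or 'meets all recommendations'}")
```

Run on the report's own mnemonic example, the checker flags "tlpWENT2m" for having only three of the four character types; appending a symbol satisfies every rule.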

Ben Coxworth is an experienced freelance writer, videographer and television producer. Ben's interest in all forms of innovation is particularly fanatical when it comes to human-powered transportation, film-making gear, environmentally-friendly technologies and anything that's designed to go underwater. He lives in Edmonton, Alberta, where he spends a lot of time going over the handlebars of his mountain bike, hanging out in off-leash parks, and wishing the Pacific Ocean wasn't so far away.

My system for making an excellent and unforgettable password.

They say you shouldn't write down your password, but you can write down a clue to your password. I have a list of password clues in my wallet that no one could crack.

Here's my system to make a new password with an easy clue I can keep written down.

In light of recent events, I think Jay Leno is an asshole.

My new password is: assholeleno2010. My clue is "Tonight Show" because that's all I need to remind me of the password.

I might have the clue "capita" for the password "fellatio." Get it? It works.


A long random combination of letters and numbers, mixed case, and other characters such as punctuation makes a very strong password. A random sequence of words found in the dictionary can often be cracked fairly quickly.

To remember my random passwords, I use a free encryption service,


At work, each PC on the network has a password assigned by the boss, usually a simple word associated with products or company history. If you know anything about the company, you can probably guess at least some of the passwords. But we're not allowed to change the passwords. How's that for security?

I have over 30 email accounts, 5 FTP accounts and untold forum and e-tailer accounts. None of them have the same password and none of my passwords are real words, thus not vulnerable to dictionary attacks. They may be only "moderately" strong by Imperva standards, but I still doubt anyone will guess them.


I wish I had a better system for generating passwords. After a time you do not have a clue what a password for a particular group/newspaper/forum was... or better still that you already registered. I know... indecent exposure on my part here, but hey, if you registered once in a lifetime for a particular obscure article that you could not finish reading unless you became a "free subscriber" to an even more obscure blog/periodical... this is the issue in my view. I am really annoyed that I need to register only to finish reading a thing and similar. Mnemonics (suggested above) are tricky and you can confuse them more than easily if "Tonight Show" happened some eight months ago. I better not expand on what wild associations I can have with the latter one. Good password I have. Perhaps too strong an expression, but not as strong as a password though...


A friend of mine has this kind of behaviour to thank, 'cause he could "steal" the internet connection of a neighbour. In this case the password was the name of the girlfriend.

Giuseppe Picciuca

That reminds me of Twitter's password, when one employee used the same password for her Gmail. Thanks

Ammar Yameen

I read about a method that sounded pretty good once, but haven't tried it as of yet. You memorize a short string, such as "f9$" or something. You then memorize a number, like "3". From then on, for all the passwords you need, you write down a string for them and keep it findable, or make them something you can associate with the location very easily. An example might be "coolstuff" for thinkgeek or "technews" for Gizmag. Also a complex written string, such as "Odw0^l!1d" written on a post-it note taped to the monitor for your login. The final step is that the real password either inserts or replaces the written/super easy string with the one memorized, starting at the location number memorized. So "coolstuff" becomes either "cof9$tuff" or "cof9$olstuff" depending on your method and allotted space. With this method you could have a notebook filled with passwords that didn't work, without your "private key."


Just put 2 or 3 words together and cap the first letter: DuckHelpWall. Very hard to crack. Obviously numbers and symbols help, but still. Obviously you can make all "o" 0 and "e" 3, and instead of "i" use "!".

If your passwords are so complex that you need to write them down, then you screwed up.

Michael Mantion

Easy way... use a keyscrambler.


@CeridianMN I have posted my own formula a couple times... similar to what you describe. Pick a favorite, but personal, 'key' and combine it with something obvious at each site you visit... the passwords will be all different/unique, and somewhat rememberable for each site.

For example... Make up your own short 'key' (one time), something meaningful to you that you can remember... composed of caps, lowercase, number and special character if you want... maybe initials or first letters of your favorite phrase, with a favorite number... and, well, pick a favorite 'special character', like ! or @ or &, etc... (one time).

Then you\'ll have a personal key, for example: JSxxx4!

...then, for every site you need a password, pick the most obvious thing that springs to mind, like 'ford' for, or 'chevy' for, and... combine them at those websites for a password there.

Such as... JSxxx4!ford at, and JSxxx4!chevy at

...that way you have a key you can remember and a different password for every website, that you should be able to guess, and not have to write down. Just don't always use the site name to combine with... words that spring to mind are good.

For JSxxx4!news For JSxxx4!djn Etc.

Just never give out, or write down, your key... remember it only, it's only one 'word'.

By the way, if your password is simply any word in the dictionary, or even any 'mangled' word like d1n0saur or se7en, it's EASILY crackable with software designed for that purpose. Don't use 'readable' mangled words... the crackers have programmed lists of those... or ways to generate them. Computers do character substitutions -really- fast.

One caveat to my formula is that some websites only allow alphanumeric passwords, just letters and numbers. Some demand special characters, etc. So you'll occasionally need to be ready with some alternative to your 'key'... dropping the ! from JSxxx4! to get just JSxxx for those sites that want only letters and numbers. JSxxx(websiteword)

You can still use one of the encrypting password programs to store a list of them too... and there's usually a "Forgot password" link on most websites, anyway. What can be harder... is remembering your username! Sometimes it's your email address, sometimes not... and sometimes someone else already has your choice for username. So the smart websites will send your username along with your password when you click "Forgot password"... or they -may- have a "Forgot username" link as well.


What this goes to show is that we really need a way to ditch passwords altogether. The industry needs to get together and come up with an RFC that will provide for a token device that everybody buys just as everyone buys a computer, keyboard, and mouse. The token would then be used as a secure device for logging on to every website. Just like everything in the world, if the website doesn't use this type of authentication, it will fall by the wayside. Usually the way these things get started is a few companies get together and use the IDs as a marketing tool. Come on FACEBOOK.... Come on GOOGLE.... Come on YAHOO.... Get together on it. Make the banks, job search sites, and government users pick it up.

Danny Darden

Mix together upper and lower case with numbers and punctuation, and make the string as long as the website allows. For example, PassWord4321! is "stronger" than password1234 but just as easy to remember. My job requires me to have 6 passwords, and to change them every 3 months, and yet we still have security issues. Hopefully, fingerprint and iris scanners will become cheap enough to be incorporated into less-expensive products, and eventually dispense with typed passwords.

William Lanteigne

The human brain has difficulty memorizing nonsensical letter and number combinations. And quite honestly, why would you want to clutter up your head with storing things when you can use what the human brain is actually very good at (and mechanical brains still cannot perform successfully)? I'm talking about pattern recognition. Here is a method that works. Take a look at your keyboard. Notice how the keys are situated? Develop a pattern. On my split keyboard by Logitech, there is an obvious pattern down the middle. So if I were to make a password out of it, I would use: 6tgbnhy7^TGBNHY&. That's a 17 character, completely random-looking password. Or another pattern might be 167=qty\agh'zbn/!^& QTYPAGH"ZBN? How is that for a 32 character random password that you don't need to memorize? Can you tell what keyboard pattern this one is based off of?

Ed web/gadget guru


Why do you need a hard-to-break password to register at a site you only read articles on, like a newspaper? Unless you are paranoid enough to not want someone, somehow learning what you are reading.

Most advice says to create complex PWs for sites related to money, medical or other essential, private stuff, and change them about once a year. I have two or three simpler ones for all the casual sites or places where it makes little difference if someone would discover it - like casual game sites or places I read news items.

For all of this, I use a mnemonic system on index cards to clue me into the password or user name, as well as which email account I used to register. (I use an anon email account for sites I think might end up spamming me.)

Elizabeth Hagan

If you want an easy way to generate and remember secure passwords, check out Roboform ( The password generator can be configured for minimum length of password and to use upper, lower, numbers, and/or symbols, and all your passwords are stored in an encrypted file with a single key phrase on your hard drive or a flash drive.

Eric Flamm

agilecr- you should avoid Check this out:


For those interested in generating long, complex but easy to remember passwords using a mnemonic approach, you might like this simple free tool:

Susie Scott

Password generators are okay at creating strong passwords I guess... I personally wouldn't trust using a password given to me by some strange website, and then all the encrypted file stuff seems a bit annoying... I think the best way is to create a random-looking, strong password yourself AND have it be memorable. Having to write down your passwords anywhere is annoying and a huge security breach. As "bramachari" said up the top, a good way to avoid this is just having a list of clues. 'ntrofi' is the best tool I've found for all of this. With the free trial download you can download the software to your hard drive, which avoids having to store anything online; it teaches you how to create very strong AND memorable passwords easily, and it lets you store all your cues and usernames for each site you use. Really handy! I use it for everything from iTunes to email and I feel much safer now that every single password I use is secure!

Flannel Clark

If you know anything about password cracking you would know that just using numbers or just using a word or letters can be cracked fairly quickly... like in minutes, depending on how fast the computer is. THE BEST way of generating a safe password that YOU can remember is to use a number combination, then have a word or two and capitalize the first letter of each word, then put in either a symbol that you will remember or that relates to the password, and WALA! You have a very strong password. An example that I have used in the past for things is: 09PlusSign

It even rhymes so it is easy to remember. :D (not my password to anything so don't even try :P )

Jordan Verburg

Pass the butter, $49))--{[gXyor }]]. --bobby99

Bobby Younce

You are all working too hard. Make a short sequence that is complex but easy to remember, perhaps a couple of key words with numbers, i.e. 2DayIsG00d, and then you add in the first 2 or 3 letters of the website name, at the end, middle or both? For Gizmag it could then be 2DayIsGoodgi. Difficult to hack and different for each site you visit, but easy to remember!

