SplashData reveals 2011's 25 worst passwords

By on November 21, 2011, 6:30 PM

Reaffirming a smaller study released earlier this year, SplashData has published a list of this year's 25 worst passwords. We've seen countless security breaches this year and in many of those cases, the hackers released the stolen data online. SplashData has used that information to compile its list. Although some of the swiped passwords were shamelessly stored in plaintext, most were encrypted. In other words, for the following passwords to even make it on the top 25 list, they must have been cracked. That just further illustrates how worthless they are:

1. password 6. monkey 11. baseball 16. ashley 21. 654321
2. 123456 7. 1234567 12. 111111 17. bailey 22. superman
3. 12345678 8. letmein 13. iloveyou 18. passw0rd 23. qazwsx
4. qwerty 9. trustno1 14. master 19. shadow 24. michael
5. abc123 10. dragon 15. sunshine 20. 123123 25. football

Naturally, if you're using any of those passwords, you should change them immediately. SplashData offers other tips on securing your Web accounts. For starters, you'll want to use passwords of at least eight characters or more with mixed alphanumerics. Without the help of a service such as LastPass or RoboForm it can be difficult to remember long, randomly generated strings of text. SplashData suggests using memorable short words separated by spaces or other characters such as "eat cake at 8!" or "car_park_city?". Programs such as KeePass can safely store your passwords locally.

"Hackers can easily break into many accounts just by repeatedly trying common passwords. Even though people are encouraged to select secure, strong passwords, many people continue to choose weak, easy-to-guess ones, placing themselves at risk from fraud and identity theft," said SplashData CEO Morgan Slain. "What you don't want is a password that is easily guessable. If you have a password that is short or common or a word in the dictionary, it's like leaving your door open for identity thieves." With attackers on the prowl this holiday season, it's a great time to secure your accounts.

In a completely anecdotal side note, I feel compelled to mention that it seems some people are lured into a false sense of invincibility online. Perhaps it's because of the Web's relative anonymity, their general misunderstanding of the technology, or both. Many of the same individuals would cling to symbols of real world security -- be that an easily bypassed $10 door lock or forfeiting civil liberties to travel. Point being: it's odd that many people don't take advantage of free and easy security measures online, but they'll go to great lengths for lackluster security measures in the real world.




User Comments: 17

Got something to say? Post a comment
cliffordcooley cliffordcooley, TechSpot Paladin, said:

With attackers on the prowl this holiday season, it's a great time to secure your accounts.
After all attackers only prowl during the holiday seasons. If you are going to use a less secure password, don't do it during the holiday season.

Honestly why did the holiday season find its way into this article? Attackers prowl everyday not just the holidays. It was a nice read until I found my way to that sentence. A scare tactic during the holiday while the topic is just as important outside the holiday.

Staff
Matthew Matthew, TechSpot Staff, said:

It's not a scare tactic, it's reality. Cybercrime increases during the holiday season. Why? We're entering the busiest e-commerce period of the year. There are more people shopping -- that includes more clueless people to prey on. That's beyond the fact that for most families, it'd undoubtedly suck more to have their savings stolen ahead of Christmas than, say, April.

You think I'm fear mongering and frankly, I think you're looking for something to complain about.

ramonsterns said:

You both make fine points and I respect your opinions, but anyone who uses these passwords deserves to have their savings drained.

Staff
Matthew Matthew, TechSpot Staff, said:

I agree ramon. There are instances where people take security seriously but still get scammed or whatever and I won't go as far as saying they *all* get what they have coming to them. But most victims of these crimes lack personal responsibility. They have lousy passwords, shady browsing habits, poor judgement when opening emails etc.

If someone is going to enter their private information online, they need to understand the risks and do what they can to mitigate them. Unfortunately, that's asking too much of some individuals. It's a scary world. There's always been bad guys and there always will be. Likewise, there's always been reckless fools and there always will be.

lawfer, TechSpot Paladin, said:

cliffordcooley said:

With attackers on the prowl this holiday season, it's a great time to secure your accounts.
After all attackers only prowl during the holiday seasons. If you are going to use a less secure password, don't do it during the holiday season.

Honestly why did the holiday season find its way into this article? Attackers prowl everyday not just the holidays. It was a nice read until I found my way to that sentence. A scare tactic during the holiday while the topic is just as important outside the holiday.

I disagree with this. Matthew pretty much took the words out of my mouth.

And while I sometimes (unbiasedly) criticize Techspot, I can clearly see that, at least on that comment, you seem to just want to complain about <i>something</i>, but don't quite make it clear.

cliffordcooley cliffordcooley, TechSpot Paladin, said:

That doesn't change the fact that attackers are always the prowl and it's always a good time to secure your accounts. The article needs to sound as if it is still just as relevant in January as it does in December.

Since you think my warning to everyone in January is a complaint against the article, I have nothing further to say.

Cota Cota said:

There's no need to make a strong password since most of people get Keylogged or puts his passwords in fake web pages, of if you put your data unprotected and un-encrypted (yes SONY its you duh!)

Most of mail/payment/security web services have protection measures for brute force attacks, so why bother whit strong security passwords if the user is gona give away his password or if companies have mediocre secirity and get nailed by simple and very easy attacks? (yes SONY its about you again)

Guest said:

Personally, I use "blank" for all my passwords... I've never gotten hacked yet.

lawfer, TechSpot Paladin, said:

cliffordcooley said:

That doesn't change the fact that attackers are always the prowl and it's always a good time to secure your accounts. The article needs to sound as if it is still just as relevant in January as it does in December.

Since you think my warning to everyone in January is a complaint against the article, I have nothing further to say.

You say "that doesn't change the fact..." What is <i>that</i>? I presume <i>that</i> is Matthew's argument. When you say "that doesn't change the fact," without directly countering it, you indirectly agree with it. So how can you agree with (or in part of) an argument, and call it inconsequential to an argument this very argument counters?

Matthew never said, or even implied, attackers don't prowl on a regular basis. He simply stated they are more rampant due to the holidays. Nothing more, nothing less.

Your second point is that, apparently, this article does not seem to point out that security habits should be maintained throughout the year, and not only on the holidays. While true, why is the mere emphasis on security during the holiday (due to the aforementioned reasons, the ones, which I might add, you "agree" on) such a problem to you? How does this reminder take away the fact that attackers do still attack in other times of the year?

I fail to see the connection. While, granted, users should always make harder-to-guess passwords, the reminder at this holiday time is definitely pertinent.

<b>Since you think my warning to everyone in January</b> is a complaint against the article, I have nothing further to say.

What...?

Wendig0 Wendig0, TechSpot Paladin, said:

cliffordcooley said:

The article needs to sound as if it is still just as relevant in January as it does in December.

Here's a thought, edit your own articles when you run your own popular tech website. Cue bad "Everyone's a critic" line.

ramonsterns said:

Alright guys, ease off a bit.

Guest said:

I think cliffordcooley actually had a password in your list, which is why he replied.

herpaderp said:

^ lol @ guest, also, did someone just get lawfered AGAIN? You're on a roll man.

slh28 slh28, TechSpot Paladin, said:

I guess ashley and michael are the most popular names then.

Guest said:

I use RoboForm, love that password manager.

Guest said:

that might change soon...

rculver9056 rculver9056 said:

Guest said:

I use RoboForm, love that password manager.

Me too..

Remembers 'em, syncs 'em, the lot. And try a brute force attack on something

like "ilKLv^G@fBAw9h5$F439"

One of the best programs I have ever come accross.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.