SplashData posts 25 "most popular" passwords of 2012

By on October 24, 2012, 11:00 AM

We’ve been seeing an unprecedented number of security breaches over the last few years targeting large corporations and individuals alike. That isn’t stopping people from using the most unimaginative and predictable passwords when signing up to a website or online service, however. SplashData has published a list of this year’s 25 most popular (read: worst) passwords based on millions of stolen logins posted online by hackers in 2012.

SplashData hopes the list highlights the importance of choosing a robust password and that more people will start taking simple steps to protect themselves. Even though thieves have more sophisticated hacking tools at their disposal today than ever before, they still tend to prefer easy targets, SplashData says.

The list is similar to last year's, but with some new additions in the bottom half such as jesus, ninja, welcome and password1 -- hey, at least more people are taking the advice to combine text and numbers!

1. password (Unchanged)
2. 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)

Naturally, if you're using any of the passwords above, you should change them immediately. Instead, use passwords of eight characters or more with mixed alphanumerics, or use short words with spaces (when allowed) or other characters separating them, like "eat cake at 8!" or "car_park_city?".

Perhaps one of the most important (yet less commonly used) measures to mitigate the risk of being exposed is to never use the same username and password combination for multiple websites. Services such as LastPass or RoboForm can generate random alphanumeric passwords for every site and store them in the cloud so you don’t have to remember them, while programs such as KeePass can safely store them locally.
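As an added example (not from SplashData or the original article), here is how a sign-up form could reject the 25 listed passwords together with their obvious variants: a capitalized first letter, a trailing digit or symbol, or look-alike character swaps. The substitution table and the function names are assumptions made for this sketch; the 8-character minimum is the article's.

```python
import re

# The 25 passwords from the SplashData list above.
WORST_2012 = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey",
    "letmein", "dragon", "111111", "baseball", "iloveyou", "trustno1",
    "1234567", "sunshine", "master", "123123", "welcome", "shadow",
    "ashley", "football", "jesus", "michael", "ninja", "mustang",
    "password1",
}

# Look-alike substitutions to undo before comparing (an assumed, small set).
_BASE = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
# "1" and "!" can stand for either "i" or "l", so try both readings.
LEET_TABLES = [str.maketrans({**_BASE, "1": c, "!": c}) for c in "il"]


def variants(pw):
    """Return the forms of pw that are compared against the list."""
    lowered = pw.lower()
    # Drop a trailing run of digits/symbols: "Monkey1", "dragon2012!".
    stripped = re.sub(r"[\W\d_]+$", "", lowered)
    forms = {lowered, stripped}
    for form in (lowered, stripped):
        forms.update(form.translate(t) for t in LEET_TABLES)
    return forms


def matches_worst(pw):
    """Return the listed password that pw reduces to, or None."""
    hits = variants(pw) & WORST_2012
    return min(hits) if hits else None


def review(pw):
    """Return the reasons a sign-up form should reject pw (empty if none)."""
    findings = []
    if len(pw) < 8:  # the article's minimum length
        findings.append("shorter than 8 characters")
    base = matches_worst(pw)
    if base:
        findings.append(f"variant of listed password '{base}'")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["Pa$$w0rd", "Monkey1", "Dragon2012!", "eat cake at 8!"]:
        print(f"{candidate!r}: {review(candidate) or 'ok'}")
```

A check like this only covers the 25 entries on this page; a production blocklist would be far larger.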




User Comments: 13

VitalyT said:

One I saw in too many places was: Pa$$w0rd

1 person liked this | Guest said:

I have 3 main passwords that I use. All of which are around 12-15 characters.

I really hate when websites force me to add numbers and capitalizations... It's pointless because most people capitalize the first letter and put a one at the end.

Archean, TechSpot Paladin, said:

Funniest one I know which was for an email account contained ...... google.

1 person liked this | Jesse, Staff, said:

I have 3 main passwords that I use. All of which are around 12-15 characters.

I really hate when websites force me to add numbers and capitalizations... It's pointless because most people capitalize the first letter and put a one at the end.

I don't think you have a good grasp on password security. You are breaking most of the rules aside from length. These are commonly agreed upon best practices for password security and are not pointless.

Guest said:

Darn they stole my password list ;)

People should just use a password application, there are a ton of free ones that make things easy and secure.

Gareis said:

I have 3 main passwords that I use. All of which are around 12-15 characters.

I really hate when websites force me to add numbers and capitalizations... It's pointless because most people capitalize the first letter and put a one at the end.

I don't think you have a good grasp on password security. You are breaking most of the rules aside from length. These are commonly agreed upon best practices for password security and are not pointless.

ikesmasher said:

Oh crap, I gotta change my password from monkey, I've been caught...

/sarcasm.

If you aren't gonna do caps or numbers, at least make it a reasonably specific password.

1 person liked this | Timonius said:

Ok, I know choosing strong passwords is good and making sure username and passwords vary out there. The higher end security needs REALLY need some sort of two factor authentication or better. For example some MMOs have an optional security key, some e-mail systems allow the addition of a cell phone key to tighten security, etc. My bank does not even offer this option. At this point these are all optional but in the future could be used to secure one's privacy.

Also, I do write some of my passwords down and keep them in safe places or it is written down without a clue as to what username or website or program it belongs to. They are usually randomly generated gibberish using alpha-numeric, caps and symbols exceeding 16 chars. What do some of you do?

1 person liked this | Emin3nce said:

I have to admit, I hate it when websites don't let me use special characters. For instance, one of my old instance passwords was $0wh@t<You?G0nnNnnad()@bout[iT] ... When we upgraded to a new host, their archaic UI wouldn't allow it...

If you can't figure out how to program scrubs on special characters / strings in a password field, then don't f'ing code.

Guest said:

Working in a cubicled office environment I used to use a password made from a portion of the title of a book that sat in a certain location on a shelf behind my desk. I eventually had to use a different method as the books were popular reads among my co-workers and I'd lose track of the darned book.

achromicia said:

I have to say here that if companies can collate a list of passwords most commonly used, it makes me worry that a lot of websites aren't using salted password hashes...
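An added illustration of the salted-hash point raised in the comment above, not part of any commenter's post: identical passwords stored as unsalted digests are visibly identical, so shared passwords can be counted without cracking anything, while a random per-user salt makes every stored value distinct. The account table is constructed, and the PBKDF2 parameters and function names are assumptions for the demo.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed account table: three users share one password, two share another.
ACCOUNTS = {
    "alice": "password", "bob": "password", "carol": "password",
    "dave": "123456", "erin": "123456", "frank": "eat cake at 8!",
}
ROUNDS = 100_000  # assumed PBKDF2 work factor for this demo


def unsalted(pw):
    """Plain SHA-1 of the password: the same input always gives the same digest."""
    return hashlib.sha1(pw.encode()).hexdigest()


def salted(pw, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt; returns (salt, key)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ROUNDS)


def verify(pw, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, key = record
    return hmac.compare_digest(salted(pw, salt)[1], key)


def largest_group(stored_values):
    """Size of the biggest set of accounts whose stored value is identical."""
    return Counter(stored_values).most_common(1)[0][1]


def demo():
    plain_db = {u: unsalted(p) for u, p in ACCOUNTS.items()}
    salted_db = {u: salted(p) for u, p in ACCOUNTS.items()}
    return {
        "unsalted_largest_group": largest_group(plain_db.values()),
        "salted_largest_group": largest_group(k for _, k in salted_db.values()),
        "login_still_works": verify("password", salted_db["alice"]),
        "wrong_password_rejected": not verify("letmein", salted_db["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

A salt hides duplicates and defeats precomputed tables; it does not make a listed password hard to guess for a single account.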

Darth Shiv said:

I have 3 main passwords that I use. All of which are around 12-15 characters.

I really hate when websites force me to add numbers and capitalizations... It's pointless because most people capitalize the first letter and put a one at the end.

I don't think you have a good grasp on password security. You are breaking most of the rules aside from length. These are commonly agreed upon best practices for password security and are not pointless.

Actually some of those rules are pointless. Capitalisation requires shift key press which could instead be used for additional characters in your password. Numbers, sure they can extend the keyspace you are using but decent password length is much more effective.

If you use 8 characters, upper/lowercase plus numerical digits, you have 62^8 = 2.18 x 10^14 combinations.

If you use 12 characters, all lowercase, no digits, you have 26^12 = 9.5 x 10^16 combinations.

For online systems, if they used a failed attempt lockout policy like what ATMs use, they would be far more secure.

Guest said:

Put a space with your spacebar in your password.
