By Craig Buckler

The Worst Passwords of 2011

Are you still using “password” to protect access to your vital administration systems? Of course not, but according to software security company SplashData it’s still at #1 in the dumb password chart. Here’s the “top” 25, compiled from lists of stolen passwords posted online:

  1. password
  2. 123456
  3. 12345678
  4. qwerty
  5. abc123
  6. monkey
  7. 1234567
  8. letmein
  9. trustno1
  10. dragon
  11. baseball
  12. 111111
  13. iloveyou
  14. master
  15. sunshine
  16. ashley
  17. bailey
  18. passw0rd
  19. shadow
  20. 123123
  21. 654321
  22. superman
  23. qazwsx
  24. michael
  25. football

If your password’s on this list, perhaps it’s time to reconsider your security.

But, before we start sneering at user stupidity, are we partly to blame? Nearly every web application we create requires a password, and each one contributes to the problem. Despite the rise of OAuth and similar solutions, even infrequent web users probably require a dozen passwords for different sites. It doesn’t matter how much advice or education we give: people will always choose the easy option and select a simple password they can remember.

Overly-Complex Password Policies

Some systems attempt to solve the bad-password problem by enforcing certain lengths, requiring at least one number, and making users change their password every few days. The worst examples cap the number of characters and don’t permit unusual characters such as punctuation. Effectively, they’re handing hackers a password “template” … and they rarely prevent people choosing “password01”, “password02”, etc.

Passive Security Education

With the possible exception of minimum-length passwords for financial and government services, users should generally be permitted to enter what they like. Good systems will encrypt passwords so there’s no reason to limit the string length or the characters which can be entered.

Red-amber-green indicators for weak passwords are generally good, although they’re fairly abstract and I’ve seen many users ignore the warning. Perhaps a more informative alternative could spell out the consequences of a poor password, e.g.

A hacker could access your account in 3 seconds.
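As an added example (not code from the original article), here is one way to produce that kind of message: check the candidate against the top-25 list above and otherwise estimate an exhaustive-search time. The guess rate and the character-set model are assumptions for illustration, not measured figures.

```javascript
// Added example: password feedback in the spirit of
// "A hacker could access your account in 3 seconds."
const WORST_PASSWORDS_2011 = [
  "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
  "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
  "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
  "superman", "qazwsx", "michael", "football",
];

// Assumed offline guess rate for an attacker holding a stolen hash database.
const GUESSES_PER_SECOND = 1e9;

// Size of the smallest character set that covers every character used.
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33; // printable ASCII punctuation and space
  return size;
}

// Expected seconds for an exhaustive search to hit the password (half the
// keyspace on average). Known-bad passwords are tried first, so they cost 0.
function secondsToCrack(pw) {
  if (WORST_PASSWORDS_2011.includes(pw.toLowerCase())) return 0;
  const keyspace = Math.pow(charsetSize(pw), pw.length);
  return keyspace / 2 / GUESSES_PER_SECOND;
}

// Turns the estimate into the sentence the article proposes.
function feedback(pw) {
  const s = secondsToCrack(pw);
  if (s < 1) return "A hacker could access your account instantly.";
  const units = [["year", 31536000], ["day", 86400], ["hour", 3600], ["minute", 60], ["second", 1]];
  for (const [name, span] of units) {
    if (s >= span) {
      const n = Math.round(s / span);
      return `A hacker could access your account in ${n} ${name}${n === 1 ? "" : "s"}.`;
    }
  }
}
```

The list check matters more than the arithmetic: “trustno1” scores well on length and character classes but is guessed immediately because it is on every attacker’s wordlist.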

Unfortunately, passwords remain our best option for web security. Unless someone knows of a better fool-proof alternative?

  • I don’t know if you follow XKCD but the guy posted, as a cartoon, a very interesting way of thinking about and generating passwords which makes a lot of sense (when the system does not require overly complex rules).

    Worth reading and much easier to remember.

  • Andrea

    There are a lot of dumb Ashleys, Baileys, and Michaels out there.

  • Helen Natasha Moore

    Excellent example of useful feedback to visitors, Craig:
    “A hacker could access your account in 3 seconds.”
    Like, like :-)

  • I love the example: “A hacker could access your account in 3 seconds.” Does anyone know of a solution out there that already does this? That would make a great WordPress plugin.

    • I haven’t seen a solution to do it, but it shouldn’t be too difficult to create the code with existing algorithms. I’ll take a look into it but someone’s certain to beat me to it!

      • Here is a great example

        It will tell you how long it would take, why, and if your password is in the top #. One common password I used was hacked in 8 seconds, because it is too short. Another was 57 days.

        Another issue for us as developers is to make sure we salt whatever password systems we create. Without that, just about any password can be hacked instantly using rainbow tables, a simple search on Google.

  • Craig, my friend, are you pushing a biometric solution to web security ;)

    Really good to see you trying to open eyes about the matter instead of just being rude and making fun. I certainly do like your approach.

  • Right! There are 5-6 passwords that I’m still using :-).
    One is missing: “admin”

  • Thom Parkin

    My password is NOT on that list.
    It is ************ {that’s what always displays as I type it}

    • Anonymous

      hahahhahah funny

  • That’s something I was discussing with a friend recently — cPanel’s auto-generated fixed length passwords basically built from chr(random(95)+32), and I was saying that those were in fact less secure than a simple natural language sentence.

    1) fixed length passwords suck — because it limits the possible values to a shorter list.

    2) you’ll never remember it, so you’re going to keep a copy SOMEWHERE.

    The latter is an increasing problem — boiling down to social engineering. The most complex password generating scheme is useless if the user keeps it in their wallet, under the keyboard, or worse, on a sticky-note on the monitor… or even in a password manager like those built into browsers.

    Which is why “Your mother was a hamster” is many times more secure than “!DG$As4^gn,mIlaP;$z” — it’s even harder to brute force…

    • I still can’t understand why anyone writing a login system would choose to fix password lengths and reduce the choice of “valid” characters. You may want to limit incoming data, but a few hundred characters is more than enough and, since the string should be encrypted or hashed in some way, there shouldn’t be any database storage issues.

  • Chris Emerson

    I use 20+ character, randomly generated passwords, all stored in a password manager with a similar password that I have memorised. Easy!

    • Jay Kano

      Well, can anybody suggest a list of password-managing software?

    • Assuming you always have access to that password manager and never lose its data!

      • Chris Emerson

        It’s in my Dropbox (accessible on my Phone as well), and is part of my Online Backup, so yes.

        I use KeePass.

  • Jenna

    I know I have used password, pass, monkey, admin and superman as starter passwords before coming up with something more complex–usually a phrase in LEET.

    Also, I use spiderman and poop a lot.

  • Robert Dewar

    That looks like an incredibly weak and unsafe way to generate a password to me!

  • Robert Dewar

    What we do at our company (AdaCore) is to have a very fast machine busy 24 hours a day trying to crack everyone’s password. If it succeeds, you get notified and then you change your password!

  • Damn fool people take simple passwords and afterwards shout “My account is hacked by someone”

  • Jack Merridew

    I make passwords that only have any significance to me. A lot of them aren’t real words. I’ve never been hacked. Really, all you have to do is come up with some random, easy to remember words, and never write them down. Make two of them together your password.

  • An up-to-date “Top 1000 Passwords” with zoomable PDF file to illustrate the passwords.
