Monday, December 3, 2012

2012's most popular crummy passwords

The hacktivist group Anonymous has released the 25 most popular crummy passwords from the sites they've hacked.  Reading the list is really rather depressing:
  1. password (unchanged)
  2. 123456 (unchanged)
  3. 12345678 (unchanged)
  4. abc123 (up one)
  5. qwerty (down one)
  6. monkey (unchanged)
  7. letmein (up one)
  8. dragon (up two)
  9. 111111 (up three)
  10. baseball (up one)
  11. iloveyou (up two)
  12. trustno1 (down three)
  13. 1234567 (down six)
  14. sunshine (up one)
  15. master (down one)
  16. 123123 (up four)
  17. welcome (new entry!)
  18. shadow (up one)
  19. ashley (down three)
  20. football (up five)
  21. jesus (new entry!)
  22. michael (up two)
  23. ninja (new entry!)
  24. mustang (new entry!)
  25. password1 (new entry!)
The parenthetical comments say how this particular l4M3 password changed from last year's list.  But srlsy - the top lame password is "password"?  And "123456" - now where have I heard that before?

Needless to say, if you have any of these as your password, change it tout de suite.  If you have a password that is a word found in a dictionary, change it too; these are notoriously weak, and hackers have been cracking them at will for more than a decade.

The best passwords are hard to guess and easy to remember.  I like passphrases: take the first letter of each word in a sentence.  For example:

Borepatch makes my security extra crazy 1337! becomes "Bmmsec1!" (don't leave off the punctuation character).  Strong password, easy to remember.  Because only an idiot would use "123456" ... although it seems that 37% of the passwords at the Greek Finance Ministry used that.  Opa!
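Here is that first-letter rule written out as a small script, an example added to this page rather than code from the original post: it keeps the case of each first letter, keeps punctuation where it sits in the sentence (so the trailing "!" survives), and then checks the result against the 25 entries above. The letters-only check is my own addition as a rough stand-in for "word found in a dictionary".

```python
import re
import string
from typing import Optional

# The 25 passwords listed in the post, lowercased, used as a deny-list.
WEAK_PASSWORDS = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey",
    "letmein", "dragon", "111111", "baseball", "iloveyou", "trustno1",
    "1234567", "sunshine", "master", "123123", "welcome", "shadow",
    "ashley", "football", "jesus", "michael", "ninja", "mustang",
    "password1",
}


def passphrase_mnemonic(sentence: str) -> str:
    """Build a password from the first letter (or digit) of each word.

    Case is preserved, and any punctuation attached to a word (quotes,
    commas, a trailing '!') is kept in place, since dropping it is the
    mistake the post warns against.
    """
    out = []
    for token in sentence.split():
        head = re.match(r"(\W*)(\w)", token)
        if head is None:  # token is punctuation only, e.g. a lone dash
            out.append(token)
            continue
        lead, first = head.groups()
        trail = re.search(r"\W*$", token).group(0)
        out.append(lead + first + trail)
    return "".join(out)


def weakness(password: str) -> Optional[str]:
    """Return the reason a password fails the post's advice, or None."""
    if password.lower() in WEAK_PASSWORDS:
        return "on the top-25 list"
    if password.isalpha():  # assumption: treat letters-only as dictionary-like
        return "letters only (dictionary attacks target these)"
    if not any(c in string.punctuation for c in password):
        return "no punctuation character"
    return None


if __name__ == "__main__":
    # Constructed sample sentences, including one with quotes and a contraction.
    for s in ["Borepatch makes my security extra crazy 1337!",
              '"Don\'t panic," said Ford.']:
        pw = passphrase_mnemonic(s)
        print(f"{s!r} -> {pw!r}: {weakness(pw) or 'ok'}")
```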


da_truth36 said...

There's a nifty little prog for Linux called apg (automated password generator) I use for all my password needs. Set it for as few or as many characters as you want, pronounceable passwords, all sorts of nifty options. Almost all of my passwords look like this: heic35knagodOp'. Quite naturally I have to keep an encrypted master file on a flash drive in the safe, because who in the world could remember that x100?

Erin Palette said...

Correct horse battery staple.

Borepatch said...

Erin FTW!

Dave H said...

I guess my favorite, "asdfasdf", is safe then?

(No, I've never really used that as a password, but I did get that as a software activation key once.)

Weetabix said...

I changed mine to "incorrect". Now when I get it wrong, the website responds:

"Your password is incorrect."

Tacitus2 said...

I used to favor mild insults to computers specifically or technology generally, with the year as an add on.


and my all time fave:


Nowadays I have to use something tricksier, foreign language words and a letter indicating what site I am at for instance..

DCMachina or E2Denkmal for instance.


Joel said...

Hey, now. Some of us (including me, I do confess) used "password" as a password because we thought the password requirement was stupid. Seriously, a password requirement on a company network occupied by as many temps as full-timers, none of whom had access to anything like secure information, and none of whom would have pissed on the company's building if it were on fire anyway? You want them to be serious about passwords, you better articulate very good reasons. Since that never happened either, yeah. "Password".

For things I actually care about, my password selection is a bit more rigorous.

Anonymous said...

What's up to every one, the contents existing at this web page are in fact amazing for people experience, well, keep up the good work fellows.
Also see my site -

HlynkaCG said...

Does the fact that the spam made it through the filter on this particular post strike anyone else else as ironic?

Borepatch said...

@HlynkaCG, LOL. I was going to delete it, but that would spoil the joke. The spammers can have some linky love as long as they're bringing the plucky comic relief!

Goober said...

I like the trick where you think of a sentence, complete with punctuation, and use the first letter of each word, maintaining capitalization and so forth as dictated by the proper rules of grammar.

It makes for an impossibly difficult to guess password, as well as one which is very easy to remember.

For instance...

"The rain in Spain falls mainly on the plain," said the secret agent.

works up into:


Impossible to guess, and guess what? You've already memorized it.

This one should be easy for any Clint Eastwood fan:


(Do I feel lucky? Well, do you, punk?)

Roy in Nipomo said...

Swordfish. "The Password Is Always Swordfish."

RabidAlien said...

Heh. One of my standard passwords is a string of random letters/numbers. The other one is a word from the Creek language, that does not describe me in ANY fashion. Good luck with that one.

chitown said...

All passwords should be at least 12 characters in length. It would take about .1 secs to brute a 7 character password with a GPU hash.