Guess who: The 25 worst passwords of 2011

It probably won’t surprise you that the most common password used online is “password,” followed by the ever-popular “123456.” It wouldn’t surprise a hacker trying to steal your personal information, either.

Security company SplashData has published its list of the worst passwords of 2011, compiled from millions of stolen passwords that hackers had posted online, according to Daily Finance.

Use of bad, easily guessed passwords has been a complaint of security experts since the dawn of the Web, but little seems to have changed. “Password” and the numbers 1 through 8 — in varying lengths but always in order — litter the list, along with gems such as “qwerty,” “abc123” and even “111111.”



This year, for some reason, words such as “monkey,” “dragon” and “sunshine” also appear, along with common first names “ashley” and “michael.”

Weak passwords can make life easy for hackers looking to get into your bank records and other sensitive information.

The company recommends that users choose passwords of eight characters or more, mixing in letters, numbers and special characters when allowed; separate short words with spaces or underscores; and don’t use the same user name and password for multiple websites. But then everybody knows that. Doing it is another story.

Below are SplashData’s 25 worst passwords of the year.

1. password

2. 123456

3. 12345678

4. qwerty

5. abc123

6. monkey

7. 1234567

8. letmein

9. trustno1

10. dragon

11. baseball

12. 111111

13. iloveyou

14. master

15. sunshine

16. ashley

17. bailey

18. passwOrd

19. shadow

20. 123123

21. 654321

22. superman

23. qazwsx

24. michael

25. football
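
A signup-time password screen built from the list and the company's recommendations above, as an added example that is not from SplashData or the original article. The function names, the rule requiring at least two kinds of character, and the sample inputs are assumptions made here.

```python
# The 25 entries from the list above, copied as printed on this page.
WORST_2011 = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey",
    "1234567", "letmein", "trustno1", "dragon", "baseball", "111111",
    "iloveyou", "master", "sunshine", "ashley", "bailey", "passwOrd",
    "shadow", "123123", "654321", "superman", "qazwsx", "michael",
    "football",
}
# Compare case-insensitively so "Password" or "QWERTY" is caught too.
BLOCKLIST = {p.lower() for p in WORST_2011}


def is_digit_run(pw):
    """True for digits counting up or down by one, e.g. 123456789 or 654321."""
    if len(pw) < 2 or not pw.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def screen_password(pw):
    """Return a list of reasons to reject pw; an empty list means it passes."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than eight characters")
    if pw.lower() in BLOCKLIST:
        reasons.append("on the 2011 worst-passwords list")
    if is_digit_run(pw):
        # Catches in-order digit strings of any length, not only the listed ones.
        reasons.append("digits in counting order")
    if pw and len(set(pw)) == 1:
        reasons.append("one character repeated")
    # Assumption: "mixing" is read here as at least two of letter/digit/special.
    kinds = {"letter" if c.isalpha() else "digit" if c.isdigit() else "special"
             for c in pw}
    if len(kinds) < 2:
        reasons.append("uses only one kind of character")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ["password", "123456789", "Sunshine", "blue_kettle 42"]:
        print(repr(candidate), screen_password(candidate) or "ok")
```

A screen like this only rejects the most obvious choices; it does nothing about the reuse of one password across multiple websites.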

Reader Comments

Tue, Nov 29, 2011 Lori NorthWestRockies

I find most passwords to be 'Neon Lights' (Here I am. Try to figure me out.) even though they are made up of upper and lowercase letters with numbers or special characters. I use a random password generator, find one I can make a nonsense word or phrase of, and Google it. If nothing comes back from Google, I assume it will be fairly safe.

Tue, Nov 29, 2011 Ron

Using any website or hard drive location just gives hackers one place to look. Using two IronKeys (one to carry and one for safe, safety deposit box, etc.) is the only safe way I am aware of.

Tue, Nov 29, 2011 Bill Boston

Donovan in Nashville and anon. - Excellent solution. I use a password manager at home, but they are forbidden at work. Thus biometrics or...something.

Tue, Nov 29, 2011 Ed Cleveland

We had the requirement to go to a 12 character minimum from 8 characters. Many folks thought that the users would revolt. I suggested to double their current password and put a space, a character or nothing in between. Your fingers have already "memorized" the current password. It's easy to type it twice.

Mon, Nov 28, 2011 SoutheastUS

addendum to Nov 18 comment: one could probably successfully use anglicized spellings of Toltec, Aztec, Mayan, or Incan names. Also, Inuit names might be useful. Delve back into history and resurrect the names of Mohicans, even. Or go way back and use names of obscure priests in the Egyptian dynasties. Throw in a little calendar date offsetting to really confuse things and you might have a strong password. As for biometrics - register all ten (if the user still has all ten) fingerprints and accept login only on successful recognition of at least three. Might have to use toes or neck wrinkles or some other unique epidermal landscape for para- quadra-plegics. (Remember Section 508?)
