The top 10 awfully bad passwords people use

Many end users don't understand the need for good passwords, report shows

You might think that after nearly two decades of data breaches, identity theft and other online risks, your average end user would understand by now the importance of creating strong passwords and protecting them.

You would be wrong.

Data security firm Imperva analyzed 32 million passwords that a hacker stole from an application developer called, and published a report of the findings earlier this year – including the 10 most commonly used passwords, all of them terrible.

They are:

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123

Entry No. 7, "rockyou," is the name of the Web site for which the users created the password. Their and passwords are probably "amazon" and "audible," respectively.

Nearly half of the users created easily guessable passwords, including names, dictionary words and strings of consecutive numbers, according to the report. The most common password found was "123456."

"Everyone needs to understand what the combination of poor passwords means in today's world of automated cyberattacks: With only minimal effort, a hacker can gain access to one new account every second — or 1,000 accounts every 17 minutes," said Amichai Shulman, Imperva's chief technology officer, in a written statement that accompanied the release of the findings. "The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of passwords as a security mechanism. Never before has there been such a high volume of real-world passwords to examine."

Download the full report.



About the Author

Technology journalist Michael Hardy is a former FCW editor.


Reader Comments

Tue, Aug 17, 2010 Tom

I feel your pain. I have been a victim of ID theft for the last 7 years. I was able to turn my information against him and catch him through the Social Security Administration office, only to see this guy get deported and do it to me all over again. I hate to say it, but it will take someone to target these people who don't seem to care. It has to be a problem for them, to get anything changed. Right now, it's just not.

Mon, May 17, 2010

To the very lengthy comment about smart card authentication: if you think that the Chinese haven't cracked these, you're wrong.

Mon, May 17, 2010 Christine

Quite a while ago I used a couple of systems that had no limit on the number of characters and no requirements for upper/lower/special characters, etc. My password was along the lines of "johnsmithwasmyfirstkissandhewasreallybadatitilltellya"; another was "janejoneswasabigolemeanieinkindergartenandihopeshegetscooties". The "cheat sheet" included a drawing of lips and a drawing of cooties. NOW I have 17 passwords for work that need to be changed every 30 or 60 days, and I'm too darn old and foggy to remember my own code system, so they are on an index card in my purse.

Mon, May 17, 2010 Robert B Marshall CISM CISA New York

I am annoyed that so many will never wake up to the current need to stop depending on old authentication methods to verify entry of a person into a system. This is as bad as every phone company (cellphones especially) depending on the last 4 digits of your SSN and your address for identifying that they are talking to you. How stupid do these execs think that the common criminal is? Also, have they no care for the unemployed trying to gain back their reputation after an identity attack? I have been hacked into 9 times, and have worked full time on only keeping a$$#013$ off my machine. I need a job!! I don't have time for people hacking me in circles like a shell game all day. Nobody cares whether I eat a balanced meal or die, but I wish executives would own up to their security responsibilities and have their organizations stop relying on information readily available from a zillion sources. Once any of your info is in the wild, it is FOREVER in the wild, so that cannot be used as an ID verifier. Executives of corporations should ensure that employees', managers', and customers' lives and integrity are maintained in a guaranteed no-errors state. I bet you that if an identity mistake cost the executives $1 million from their astro salaries, they would gladly contribute $300 billion to reduce the $1 trillion in Internet losses in 2009 alone. By the way, that is my estimate of the costs it would take for every person to have a Secure-ID card. Yeah - some complain of the minor problems that the system is not yet perfect, but at least it is not a collection of data that you cannot recall back (excuse me, but could you keep my fingerprints with the City & State Police, FBI and State Department only, please).

Fri, May 14, 2010 mugg

Wow, the comment above seems to be almost longer than the article. PasswordSafe rocks. Sysadmins should know better, and users almost should. Rainbow tables are powerful, so pass policies are required (lockouts, etc) and longer than 9 char is a must.
