Secure login

The 25 worst passwords of 2012, and easy ways to avoid them

Bad passwords never die -- in fact, they don’t even fade away.

SplashData just released its annual list of the most common passwords stolen and posted by hackers, and if the list has a familiar look, it’s because most of the same passwords have appeared on past lists. In fact, this year’s top three -- "password," "123456," and "12345678" -- also finished one-two-three on SplashData’s 2011 list.

The passwords below are not only the most common, they are also virtually useless at protecting an account. They’re likely the first passwords a hacker would try when breaking in. As SplashData noted in announcing the list, “Users of any of these passwords are the most likely to be victims in future breaches.”

The 2012 list, drawn from millions posted online, compared with where each password stood on the 2011 list:

1. password  (unchanged from 2011)
2. 123456 (unchanged)
3. 12345678 (unchanged)
4. abc123 (up 1)
5. qwerty (down 1)
6.  monkey  (unchanged)
7.  letmein  (up 1)
8.  dragon  (up 2)
9. 111111 (up 3)
10. baseball  (up 1)
11. iloveyou  (up 2)
12. trustno1 (down 3)
13. 1234567 (down 6)
14. sunshine (up 1)
15. master (down 1)
16. 123123 (up 4)
17. welcome  (new)
18. shadow (up 1)
19. ashley (down 3)
20. football (up 5)
21. jesus (new)
22. michael (up 2)
23. ninja  (new)
24. mustang (new)
25. password1 (new)

Of course, many public-sector agencies wouldn’t allow these kinds of passwords, because they often require longer passwords and minimum use of upper- and lower-case letters and special characters. And two-factor authentication provides another level of protection to agency systems.

But employees sometimes do access outside sites from work, which could at least open them up to phishing attacks on their agency e-mail addresses. In an attack in March on a military dating site, for instance, hackers were able to crack weak passwords belonging to users with military e-mail addresses.

Maintaining a set of strong passwords for network systems and websites is a pain for users, but SplashData recommends a few ways to make it easier, such as mixing in different types of characters and even using simple, easily remembered phrases separated by spaces, underscores or other characters. Two examples: “eat cake at 8!” and “car_park_city?”

Password management applications also can help users keep track of their passwords and avoid using the same password for multiple sites, which is another bad practice, especially when mixing, say, entertainment and social networking sites with financial services, SplashData said.

One other trick: If you use a password that appears on the list, change it.

And as easy as it is to blame users, sites that allow weak passwords — some on the list consist of five or six lower case letters — are culpable too. People will take the path of least resistance, especially if they don’t think of themselves as a target. Sites that want to protect users could require a little more rigor.

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.


  • Records management: Look beyond the NARA mandates

    Records management is about to get harder

    New collaboration technologies ramped up in the wake of the pandemic have introduced some new challenges.

  • puzzled employee (fizkes/

    Phish Scale: Weighing the threat from email scammers

    The National Institute of Standards and Technology’s Phish Scale quantifies characteristics of phishing emails that are likely to trick users.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.