The worst passwords to use online


Thousands of consumers are leaving themselves at risk of fraud and identity theft because the shortness and simplicity of their online passwords leave them susceptible to basic brute-force password attacks.

That’s the conclusion of a new report by data security firm Imperva. It found that a third of people choose passwords made up of six or fewer characters, while 60% opt for passwords drawn from a limited set of alphanumeric characters.

Nearly 50% of users chose names, slang words, dictionary words or trivial passwords such as consecutive digits or adjacent keyboard keys.

With around 50% of people also using the same (or a very similar) password for every website they use, there are concerns that they are unwittingly leaving themselves open to online fraud.

The study also revealed the 10 most commonly used passwords.

The most common passwords

Source: Imperva

Be creative with passwords

Amichai Shulman, chief technical officer at Imperva, urges people to avoid using these common passwords on social networking, shopping and online banking sites.

"Everyone needs to understand what the combination of poor passwords means in today's world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second - or 17 minutes to break into 1,000 accounts," he adds.

Despite the rise in fraud and in the number of people using the internet, the problem of password security has changed very little over the past 20 years. Shulman says: "It's time for everyone to take password security seriously; it's an important first step in data security."

How to ensure your password is secure


* As well as avoiding the 10 most common passwords detailed above, you should also be careful about picking passwords that fraudsters could easily obtain - for example, your mother’s maiden name, your home address or your date of birth.

* Never use a single word that you might find in the dictionary. Hackers often use an automated program - known as a ‘dictionary attack’ - to try every word in the dictionary in turn. Short passwords (fewer than seven characters long) are particularly vulnerable to dictionary and brute-force attacks.

* Never use the same password for different accounts.

* Don’t allow your computer to remember your passwords. Even if no one else uses your computer, if it is stolen the thieves will be able to access your private information and even hijack your identity.


* Check how secure your passwords are by using Microsoft’s password checker tool.

* Take advantage of the shift key: use the available symbol characters - such as & or % - in addition to numbers and capital letters. Mixing different types of characters enlarges the set an attacker has to search, which makes your password much more secure.

* Try to ensure your password is a decent length, say 10 to 16 characters.

* If you struggle to remember even simple passwords, then create a memory device to trigger a password. Phrases tend to be more secure than single words. Choose a sentence from your favourite song, poem or book, but mix it up by creating a password from the first (or even the last) letter of each word.

* Use a different username and password for your online accounts - that way, if one is compromised you can be sure the others are still safe. At the very least, use different passwords for sensitive accounts such as your online banking.

* Change your passwords on a regular basis - experts suggest every 30 days for the most diligent of internet users.
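The checklist above can be turned into a small strength checker. The following is an added example, not part of the article or Imperva's report: it applies the length, dictionary-word, common-password and character-class rules, estimates the brute-force search space, and builds the first-letter (or last-letter) mnemonic password the last-but-two bullet describes. The common-password and dictionary lists are constructed stand-ins, and the guess rate is an assumed figure.

```python
import string

# Constructed stand-ins for the "10 most common passwords" table and a dictionary
# wordlist; they are illustrative, not Imperva's data.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "abc123", "letmein"}
DICTIONARY_WORDS = {"sunshine", "monkey", "dragon", "football", "princess"}

# Character classes an attacker must include in the search once one member appears.
CHARSET_SIZES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def classes_used(password):
    """Character classes present in the password (lower, upper, digit, symbol)."""
    return [chars for chars, _ in CHARSET_SIZES if any(c in chars for c in password)]


def charset_size(password):
    """Alphabet size a brute-force attacker has to assume for this password."""
    used = classes_used(password)
    return sum(size for chars, size in CHARSET_SIZES if chars in used)


def brute_force_seconds(password, guesses_per_second=1e9):
    """Worst-case time to exhaust the keyspace; the guess rate is an assumption."""
    return charset_size(password) ** len(password) / guesses_per_second


def assess(password):
    """Apply the article's checklist; return ("weak"|"reasonable", list of reasons)."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("in the common-password list")
    if password.lower() in DICTIONARY_WORDS:
        reasons.append("single dictionary word")
    if len(password) < 7:
        reasons.append("shorter than seven characters")
    if len(classes_used(password)) < 3:
        reasons.append("uses fewer than three character classes")
    return ("weak" if reasons else "reasonable"), reasons


def passphrase_from_sentence(sentence, use_last_letter=False):
    """Mnemonic password: first (or last) letter of each word, punctuation stripped."""
    words = [w.strip(string.punctuation) for w in sentence.split()]
    return "".join(w[-1] if use_last_letter else w[0] for w in words if w)
```

Running `assess("123456")` flags all three weaknesses, while the mnemonic built from a nine-word sentence plus a symbol and a digit passes every check.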


Your Comments


This advice is all very well, but how are you expected to remember all the different email addresses?

I already have problems with some sites that need letters and numbers, others that require caps, etc.

I know that my password is very unlikely to be prone to identity theft because I use a combination of Welsh and English together with numerals.

Very timely and helpful. Thanks.

Use KeePass to store all your usernames and passwords securely. Works great for my 300+ passwords. Google it!!

A useful guide

Thanks for the KeePass info, it looks interesting.

Thanks I will consider all these points.

Get yourself a copy of "1 Password" which will create and remember all your secure passwords and prevent you from using them on phishing sites. The software is available for both APPLE OS X and Windows. It is suitable for use on several computers and mobile phones with automatic synchronisation between devices using Dropbox.
I would not be without it.

None of that article has surprised me in the slightest, and to me it just seems like common sense, for your own safety and protection. It's all well and good having different passwords, but it can be a nightmare to remember them all, particularly when you come across a website with certain criteria (such as TfL - Oyster card) that requires your password to have numbers and letters in upper and lower case.
This KeePass sounds interesting, will have to look into that, but I must admit I would be worried that this could be easily hacked.

One thing not clearly stated is: don't use your pets' (past or present) or children's names.

I have gone into my friends' accounts because they have done this.

(I have done it in front of them).

It's very easy for people to use social engineering to find out these things.

There are several tools for keeping passwords.
Not all are as secure as others.

LastPass is one that is well encrypted and free:
- saves more than just passwords, e.g. address and other answers
- will generate complex secure passwords for you (which it then remembers)
- will show you the passwords it has, in case you forget
- if you forget your master password, it will send you a one-time extra one to unlock LastPass (so you need an email account that you don't use for much, but which has a memorable password, to go and collect it)

It can also be used on an iPhone etc. if you use the optional paid-for version.

As usual with these regular bits of advice, there is never any advice on the practical issue, i.e. how to manage hundreds of passwords and associated user names; changing them monthly is a nightmare. I keep mine on a memory stick which is locked away when I don't need to reference it. Presumably that is relatively safe from hacking?

I would never use any of those so-called password storage sites. They are just as prone to hacking as any other online account. As for Googling for a storage site, that is just ridiculous, because Google itself is storing YOUR information and passing it to others so they can blitz you with 'targeted advertising'. The same person that recommends a storage site admits to having over 300 passwords. Is he at least running a major international conglomerate? If he is a private person, that number is something else which is ridiculous.

There is nothing wrong with writing down your passwords, as long as you are sensible about it. I do a lot of e-business. I have some 30 highly secure passwords written down in a small book, but all my passwords, and who they are for, are also coded. Not a single other person has access to any of them.

Another thing I always do is to cancel any password as soon as I can, if I no longer have a use for it. Especially those that had to be set up for just one transaction, such as buying an air ticket, or whatever.

The examples given of stupid passwords are for the benefit of the naive. I can't imagine any sensible person being caught by password theft.

I use the name of the bank translated into the secret language I used in school at the age of ten - highly involved and complicated - so a different password each time!

I've used personal phrase initial letters combined with numbers ever since the TechGuy at work showed me just how frighteningly simple it is to hack into the average password - I hadn't had a particularly obvious one either (PhatKhat18 - no, I don't use it anymore, knock yourselves out). He had the advantage of knowing that I owned an obese moggy, but even so, it took him no time at all. He gave me the tips you have given above, with the exception of the characters (e.g. %, & etc.). I change my password regularly now, so I'll bung a few of these in in future. Thanks.

Write them down, in your own email address book.

The biggest problem with online passwords is those sites that impose stupid restrictions on password formats and length. I've lost count of the number of websites that refuse to accept special characters, such as Virgin Media. Many impose an unreasonably short password length, such as 8 characters (to those who have used IBM mainframes in the past, this will come as no surprise). I have complained to the website owners when I find these restrictions but am rarely successful in getting a satisfactory response. The irony is that many of these harp on about ensuring that you choose a strong password! We would, if only you would let us!

Roboform is another good password generator and saves logon info for various sites on your PC, but encrypts them behind a master password. Don't forget, using these also helps avoid fraud if you get infected by a key-logging program.

Very useful. I'm a computer addict and have around 2000 logons and passwords saved on it.

One of my main passwords, for an encryption program I use, has a hint word of starcat. The password only has six letters, all lower case and no numbers. It's not in any dictionary. We used to have two Brown Burmese called Crispin and Sable, and our daughter has a tortie tabby called Mash. I wonder if your wonder TechGuy would like a bash at working it out?? It is feline in nature!

I'm running two desktop computers. One is for internet work, e-mail, banking and surfing the web etc. Any private information or passwords are stored on the dead one (not online), not connected to the web. So it takes only a few seconds to get at those updated passwords that are changed frequently.

No need to rely on memory for all those site passwords needed when logging in.

How safe can that be? No hackers gaining access to a dead computer.

All you surfers,

All very well, but virtually every site you log on to wants a user name or email address plus password. It is totally unrealistic to think you can have different ones for each, and remember them, without keeping some form of mnemonic record.

Thanks, that cuts down the number of possibilities nicely to two books and a keypad!