The worst passwords to use online
Thousands of consumers are leaving themselves at risk of fraud and identity theft because the shortness and simplicity of their online passwords leave them susceptible to basic brute-force password attacks.
That’s the conclusion of a new report by data security expert Imperva. It found that a third of people choose passwords made up of six or fewer characters, while 60% opt for passwords from a limited set of alpha-numeric characters.
Nearly 50% of users used names, slang words, dictionary words or trivial passwords such as consecutive digits or adjacent keyboard keys.
With around 50% of people also using the same (or very similar) password for all the websites they use, there are concerns that they are unwittingly leaving themselves at risk of online fraud.
The study also revealed the 10 most commonly used passwords.
| The most common passwords |
|---|
| 123456 |
| 12345 |
| 123456789 |
| Password |
| iloveyou |
| princess |
| rockyou |
| 1234567 |
| 12345678 |
| abc123 |
Source: Imperva
Avoid common passwords
Amichai Shulman, chief technical officer at Imperva, urges people to avoid using these common passwords, when using social networking, shopping and online banking sites.
"Everyone needs to understand what the combination of poor passwords means in today's world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second - or 17 minutes to break into 1,000 accounts," he adds.
Despite the rise in fraud and in the number of people using the internet, the problem of password security has changed very little over the past 20 years. Shulman says: "It's time for everyone to take password security seriously; it's an important first step in data security."
How to ensure your password is secure
DON’T…
As well as avoiding the 10 most common passwords detailed above, you should also be careful about picking passwords that could be easily obtained by fraudsters - for example, your mother’s maiden name, your home address or the date of your birthday.
Never use a single word that you might find in the dictionary. Hackers often use an automated program, known as a 'dictionary attack', to try every word in the dictionary in turn. Short passwords (fewer than seven characters long) are particularly vulnerable to dictionary attacks.
Never use the same password for different accounts.
Don’t allow your computer to remember your passwords. Even if no one else uses your computer, if it is stolen the thieves will be able to access your private information and even hijack your identity.
DO…
Check how secure your passwords are by using Microsoft’s password checker tool.
Take advantage of the shift key; use the available characters - such as & or % - in addition to numbers and capital letters. Mixing different types of characters will make your password much more secure.
Try to ensure your password is a decent length, say 10 to 16 characters.
If you struggle to remember even simple passwords, then create a memory device to trigger a password. Phrases tend to be more secure than single words. Choose a sentence from your favourite song, poem or book, but mix it up by creating a password using the first (or even the last) letter from each word.
Use a different username and password for each of your online accounts; that way, if one is compromised you can be sure the others are still safe. At the very least, use different passwords for sensitive accounts such as your online banking.
Change your passwords on a regular basis – experts suggest every 30 days for the most diligent of internet users.
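As an added example (not from the article or from Imperva), here is a small checker that applies the DON'T and DO rules above to a candidate password: the 10 common passwords from the table, single dictionary words, runs of consecutive digits or adjacent keys, the seven-character and 10-to-16-character length guidance, and the mix of character types. The dictionary is a constructed stand-in for a real wordlist.

```python
import re

# The 10 most common passwords from the Imperva table above, compared case-insensitively.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}

# Constructed stand-in for a real dictionary wordlist (a real check would load one).
DICTIONARY = {"princess", "sunshine", "monkey", "dragon", "football", "welcome"}

# Keyboard rows used to spot runs of adjacent keys and consecutive digits.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_keyboard_run(pw):
    """True if the whole password is a run along one keyboard row, forwards or backwards."""
    s = pw.lower()
    if len(s) < 3:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)

def count_character_classes(pw):
    """Number of distinct character types used: lower, upper, digit, symbol."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, pw))

def check_password(pw):
    """Return the list of rules from the article that the password breaks (empty = passes)."""
    problems = []
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        problems.append("one of the 10 most common passwords")
    if low in DICTIONARY:
        problems.append("single dictionary word")
    if is_keyboard_run(pw):
        problems.append("consecutive digits or adjacent keyboard keys")
    if len(pw) < 7:
        problems.append("shorter than 7 characters")
    elif len(pw) < 10:
        problems.append("shorter than the recommended 10 to 16 characters")
    if count_character_classes(pw) < 3:
        problems.append("fewer than 3 character types (add capitals, numbers or symbols)")
    return problems

if __name__ == "__main__":
    for candidate in ("123456", "Princess", "qwerty", "Tr&nsf0rmers!2024"):
        print(candidate, "->", check_password(candidate) or ["ok"])
```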
Your Comments
"Never use the same password for different accounts." You must be joking. I access over 30 web sites that need a password and that number grows all the time. Some of them I use daily or weekly, others I don't log into more than once or twice a year. It's a nightmare trying to remember which password I have used for which web site. I have a list of 6 passwords that I use all the time. The only way I can remember which password to use is to try them all in turn until one works. Are you seriously suggesting I can remember 30 different passwords?
Some web sites require a minimum of 12 characters, others require a maximum of 8. Some accept special characters, some don't. There are even discrepancies with using special characters - some sites will accept a full stop, others will not. Some will accept a dollar sign, some will not.
It's high time there was an international standard for passwords.
I have a little notebook, hidden in my study, in which I write down complex and random passwords that have no identifiable meaning.
The risk of burglary and having the passwords discovered is infinitesimally less than having it hacked.
One extra bonus: if something happened to me, then people looking after my affairs would find it and have trouble-free access.
I use a program that generates random passwords, with numbers, lower- and upper-case letters and symbols, and also stores them if I choose to do that. I can also have a password to get into the list of my other passwords, so I only need to remember 1 password to open up my list.
International standard would make hacking much easier
The suggestion that you should change your passwords frequently is a nonsense. This is often trotted out by "experts" for commercial companies, but it only results in lower security as people have to keep writing the passwords down (as they cannot remember them).
The research that has been done in the area shows that the most effective security occurs with complex passwords that are easily memorable by the person concerned, but are not deducible by anyone else.
One annoying thing is when they ask you to think of a password and after you enter it ONLY THEN do they tell you that it must have at least six letters and at least two digits and a mixture of upper case and lower case.
Is it any safer to use finger recognition to gain access to secure sites?
Always use a secure site, i.e. something with a padlock symbol; at least you have some protection if it is hacked, and you have some backup if it is a reputable web address.
I agree with rjrchorlton. A manual record of passwords is about the only way to keep things safe. To be absolutely safe I record any new passwords in an old diary and then transfer them to another indexed book (old address book) so that I can easily look up a password for a particular site. So if I lose one book I have a back up. Anything on a computer or the internet is unsafe.
International laws should be enacted to strongly increase the penalties for cyber-criminals and make them work for the community until they have paid for their transgressions, cynical swines.
Hi. I use one 8-letter word interspersed with different numbers for all my programs. I use memorable info written down in an old diary. I have written down 5 different memorable dates, but only one is real. I have come across the problem: when I used the wrong one three times my bank account was shut down, and I had to go through the rigmarole of setting it all up again. Regards V.Vogl
One thing that is worrying is the number of fraudulent sites that use a very similar web address to a genuine one. They might for instance use www.halifaz.com rather than halifax.com, relying on you to mistype a web address, and then to put your password and account number into their false site.
It is then easy for them to access your account, as they have harvested your password.
Make sure that any critical sites are CORRECTLY saved in your favourites, and always use them rather than typing in the full address yourself.
To solve the problem of using different passwords for different websites, work out a scheme that enables you to reconstruct the password anew each time and so avoid ever having to write them down, e.g., take the first six letters of the website name and then insert in alternate positions a memorable six digit number. That way the 12 digit password will always be unique to each website, yet easily reconstructed, and for added security you can then substitute a top-line character, such as &, for a specified character in the list, say the third one. All you have to do is remember your scheme. E.g., if my memorable number is my sister's birthday, 3 Nov 73, then the password for the moneywise site would be m0&3e1y1w7i3. If you have to have two passwords for the same organisation, such as two accounts at the same bank, it's not difficult to think up a variation to deal with that. Every so often you change the scheme, and that will then re-define all the passwords, which you can change on your next visit to each site. A good scheme cannot be guessed by a hacker, and yet is easily remembered by you, and if the scheme is written down it can itself be written cryptically in a way that reminds you how it works without actually explaining it. After a bit of practice it becomes a quick and easy way to safeguard your passwords.
Trouble with special symbols is not all keyboards are the same; for example, try typing a password that has the pound symbol using a US keyboard - no can do, as it isn't there.
A good password technique is to take a line from a song (or play or poem) (not the first line or the title) and use the first, second, last letter from each word.
eg: "love was in her eyes the night before"
yields
lwihetnb
oaneyhie
esnrsete
All hard to guess but very easy to remember loads of them.
The idea of using letters from the line of a song is a good one, except you are limited to alpha characters without number or special characters. A computer using a massive sledgehammer technique will find this easier than if other characters are included, so using the example from the last contribution:
eg: "love was in her eyes the night before"
yields
lwihetnb
why not replace the l with a 1 (figure 1), or if there was an o in it replace that with a 0 (zero)? Replace s with 5.
The special symbols on foreign keyboards can be accessed by the left or right Alt key.
For example, the euro symbol is accessed on my British keyboard by pressing the right ALT key and 4 to give €.
None of this helps when you want to change the password every thirty days as recommended. I think we are really waiting for a technological step forward to give us secure computers.
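The song-line technique from the two comments above (and the article's own tip of taking a letter from each word of a phrase), as an added example that is not from any commenter: it derives the first-, second- and last-letter candidates from the sample line and then applies the l/o/s to 1/0/5 swaps the second comment suggests. The sample line is the one quoted in the thread.

```python
import re

# Sample line quoted in the comment thread (not the first line or title of the song).
LINE = "love was in her eyes the night before"

# Digit-for-letter swaps the thread suggests: l -> 1, o -> 0, s -> 5.
SUBSTITUTIONS = str.maketrans({"l": "1", "o": "0", "s": "5"})


def letters_from_line(line, position):
    """Take one letter from every word: position 0 = first, 1 = second, -1 = last."""
    words = re.findall(r"[A-Za-z]+", line)
    picked = []
    for word in words:
        # A word too short for the requested position contributes its last letter,
        # so the result always has exactly one letter per word.
        if -len(word) <= position < len(word):
            picked.append(word[position])
        else:
            picked.append(word[-1])
    return "".join(picked)

def with_digits(candidate):
    """Apply the thread's l/o/s to 1/0/5 substitutions."""
    return candidate.translate(SUBSTITUTIONS)

def derive_candidates(line):
    """Return {name: (letters_only, with_digit_swaps)} for first, second and last letters."""
    out = {}
    for name, position in (("first", 0), ("second", 1), ("last", -1)):
        plain = letters_from_line(line, position)
        out[name] = (plain, with_digits(plain))
    return out

if __name__ == "__main__":
    for name, (plain, swapped) in derive_candidates(LINE).items():
        print(f"{name:6} {plain}  ->  {swapped}")
```

Swapping l, o and s for 1, 0 and 5 is one of the standard transformations that password-cracking rule sets apply automatically, so it adds a digit class but little real guessing resistance; the length of the line, and keeping it private, matter far more.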
Nice suggestions. Often people neglect these simple tips and pay through the nose at the end. In the virtual world no one knows anyone. The only thing that matters is the personal identification data provided by you. So your data must be well protected. And this can be done by creating a strong password.
enterprise password management: http://www.clickstudios.com.au/
I'm really surprised that there's no mention anywhere on your site - unless it's hidden somewhere and doesn't want to be revealed as a search result :) - of Trusteer. I was offered this by my bank and I've found it invaluable in protecting my passwords and redirecting my searches if I inadvertently go to a site which isn't genuine. I get a weekly report on all the activity where the program has protected me, and I wouldn't be without it for the world.
The only solution is to use a password manager that will generate and store strong, unique passwords for all your logins. I have just started using the new web based password manager from www.kemesa.com. It secures my data by encrypting my passwords and has two-factor authentication to access my account. It also allows me to generate virtual email addresses for each account to control spam and viruses - COOL!
I was brought up in London and still remember some of the old London numbers like Whitehall 1212, which was Scotland Yard for the Metropolitan Police. They make excellent passwords and we can remember a few numbers like this. For example, I can remember the phone number of the first place I worked. I don't use that one as a password, as my blog tells tales of that job. But who would know my long dead aunt's phone number?
A lot of car registration numbers make good passwords too. I suspect we all remember that for our first car.