The worst passwords to use online

2 February 2010

Thousands of consumers are leaving themselves at risk of fraud and identity theft because the shortness and simplicity of their online passwords leave them susceptible to basic brute-force password attacks.

That’s the conclusion of a new report by data security firm Imperva. It found that a third of people choose passwords of six or fewer characters, while 60% use passwords drawn from a limited set of alphanumeric characters.

Nearly 50% of users used names, slang words, dictionary words or trivial passwords such as consecutive digits, or adjacent keyboard keys.

With around 50% of people also using the same (or very similar) password for all the websites they use, there are concerns that they are unwittingly leaving themselves at risk of online fraud.  

The study also revealed the 10 most commonly used passwords.

The most common passwords

[Table of the 10 most commonly used passwords not reproduced here.] Source: Imperva

Be creative with passwords

Amichai Shulman, chief technical officer at Imperva, urges people to avoid these common passwords on social networking, shopping and online banking sites.

"Everyone needs to understand what the combination of poor passwords means in today's world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second - or 17 minutes to break into 1,000 accounts," he adds.

Despite the rise in fraud and in the number of people using the internet, the problem of password security has changed very little over the past 20 years. Shulman says: "It's time for everyone to take password security seriously; it's an important first step in data security."

How to ensure your password is secure
* As well as avoiding the 10 most common passwords detailed above, you should also be careful about picking passwords that could be easily obtained by fraudsters - for example, your mother’s maiden name, your home address or your date of birth.

* Never use a single word that could be found in a dictionary. Attackers use automated programs to try every word in a word list - a ‘dictionary attack’ - usually together with trivial variations such as a capital first letter or a digit on the end. Short passwords (fewer than seven characters) are also vulnerable to plain brute force, where every possible combination is tried.

* Never use the same password for different accounts.

* Don’t allow your computer or browser to remember your passwords unless they are protected by a master password. Even if no one else uses your computer, if it is stolen the thieves will be able to read any saved passwords, access your private information and even hijack your identity.

* Check how secure your passwords are by using Microsoft’s password checker tool.

* Take advantage of the shift key: use symbols such as & or % in addition to numbers and capital letters. Mixing different types of characters enlarges the set an attacker has to search, which makes the password much harder to brute-force.

* Try to ensure your password is a decent length, say 10 to 16 characters.

* If you struggle to remember even simple passwords, then create a memory device to trigger a password. Phrases tend to be more secure than single words. Choose a sentence from your favourite song, poem or book, but mix it up by creating a password using the first (or even the last) letter from each word.

* Use a different username and password for each of your online accounts - that way, if one is compromised, the others are not automatically exposed. At the very least, use different passwords for sensitive accounts such as your online banking.

* Change your passwords on a regular basis - some experts suggest every 30 days for the most diligent internet users - and immediately if you suspect that a site or account has been compromised.
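As an added worked example (not part of the original article or of Imperva's report), the Python script below applies the rules above to candidate passwords. It rejects entries from a constructed stand-in for the common-password list, simulates the dictionary attack described earlier (a word list plus the trivial capitalisation and digit-suffix variants crackers try), flags consecutive digits and adjacent keyboard keys, enforces length and character mix, builds a password from the initials of a phrase as the mnemonic tip suggests, and estimates the naive brute-force search space. The word lists, the sample passwords and the 10^9 guesses-per-second rate are assumptions chosen for illustration, not figures from the article.

```python
import math
import string

# Constructed stand-ins for illustration only; the article's Imperva top-10
# table is not reproduced here. A real checker would load a large leaked list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "iloveyou", "abc123"}
DICTIONARY_WORDS = {"sunshine", "monkey", "dragon", "football", "welcome"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Alphabet size contributed by each character class (33 = printable ASCII
# symbols, including space).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def has_key_run(pw, min_len=4):
    """True if pw contains min_len+ adjacent keys from one keyboard row, in
    either direction. The digit row makes this catch '1234' and '4321' too."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in s:
                    return True
    return False


def char_classes(pw):
    """Set of character classes the password draws from."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def keyspace_bits(pw):
    """log2 of the naive brute-force space, alphabet ** length, where the
    alphabet is the union of the classes actually used. This is an upper
    bound: a dictionary attack searches far fewer candidates than this."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet)


def seconds_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate in a 2**bits space at the given rate."""
    return 2.0 ** bits / guesses_per_second


def dictionary_attack(target, wordlist):
    """The 'dictionary attack' the article describes: each word is tried as-is
    and with the trivial mangling rules crackers apply (capitalised, digits
    appended). Returns True if the target is guessed."""
    for word in wordlist:
        for candidate in (word, word.capitalize(), word + "1", word + "123",
                          word.capitalize() + "1", word.capitalize() + "123"):
            if target == candidate:
                return True
    return False


def check_password(pw):
    """Apply the article's rules; returns the list of violations ([] = passes)."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if dictionary_attack(pw, DICTIONARY_WORDS | COMMON_PASSWORDS):
        problems.append("dictionary word or trivial variant")
    if has_key_run(pw):
        problems.append("consecutive digits or adjacent keyboard keys")
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if len(char_classes(pw)) < 3:
        problems.append("fewer than three character classes")
    return problems


def initials(sentence, last=False):
    """The article's mnemonic: first (or last) letter of each word in a phrase,
    keeping the original capitalisation. Mix in symbols and digits afterwards."""
    words = [w.strip(string.punctuation) for w in sentence.split()]
    return "".join((w[-1] if last else w[0]) for w in words if w)


if __name__ == "__main__":
    base = initials("Mary had a little lamb, its fleece was white as snow")
    # "Mhal&lifwwa5" is `base` with a symbol and a digit substituted by hand.
    for pw in ("123456", "Dragon1", base, "Mhal&lifwwa5"):
        bits = keyspace_bits(pw)
        print(f"{pw!r:16} {bits:5.1f} bits, "
              f"{seconds_to_exhaust(bits, 1e9):10.3g} s at 1e9 guesses/s, "
              f"problems: {check_password(pw) or 'none'}")
```

Running the script shows the gap the article is pointing at: a six-digit password has under 20 bits of search space and falls in about a millisecond at an offline cracking rate, "Dragon1" is caught by the dictionary attack before brute force is even needed, the bare initials string passes the length rule but fails the character-mix rule, and only the version with a symbol and a digit mixed in clears every check.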
