These Are the 25 Worst Passwords of 2012

If any of your passwords are on this list, then shame on you -- and go change them now.


SplashData, which makes password-management applications, has released its annual Worst Passwords list compiled from common passwords that are posted by hackers. The top three — “password,” “123456” and “12345678” — have not changed since last year. New ones include “jesus,” “ninja,” “mustang,” “password1” and “welcome.” Other passwords have moved up and down on the list.

The most surprising addition is probably “welcome.”

“That means people are not even changing default passwords,” SplashData CEO Morgan Slain tells TIME Tech. “It doesn’t take that much time to make a new password.”

You should have different passwords for all your accounts. To make it easier to remember them all, Slain suggests thinking about passwords as “passphrases.” For instance, use a phrase like “dog eats bone” and add underscores, dashes, hyphens and other punctuation marks to satisfy the special-character requirement: “dog_eats_bone!”


Here’s the full list:

1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball
11. iloveyou
12. trustno1
13. 1234567
14. sunshine
15. master
16. 123123
17. welcome
18. shadow
19. ashley
20. football
21. jesus
22. michael
23. ninja
24. mustang
25. password1
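
Added example, not from the article or SplashData: a sign-up check that rejects these 25 passwords and simple variants of them (different case, digits or punctuation appended, common character swaps). The swap table and the function names are assumptions made for the illustration.

```python
import string

# The 25 entries from the list above, in rank order.
WORST_2012 = (
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567",
    "sunshine", "master", "123123", "welcome", "shadow", "ashley", "football",
    "jesus", "michael", "ninja", "mustang", "password1",
)

# Assumed table of common character swaps (not from the article).
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "$": "s", "@": "a"})

# Map every listed entry, and its swap-normalised form, back to the entry.
BLOCKED = {}
for entry in WORST_2012:
    BLOCKED.setdefault(entry, entry)
    BLOCKED.setdefault(entry.translate(UNLEET), entry)


def simplified_forms(password):
    """Yield the forms of a candidate password that are compared to the list."""
    low = password.lower()
    trimmed = low.rstrip(string.punctuation)   # "ninja!!" -> "ninja"
    core = trimmed.rstrip(string.digits)       # "welcome2012" -> "welcome"
    for form in (low, trimmed, core):
        yield form
        yield form.translate(UNLEET)           # "p@$$w0rd" -> "password"


def matched_entry(password):
    """Return the listed password this candidate reduces to, or None."""
    for form in simplified_forms(password):
        if form in BLOCKED:
            return BLOCKED[form]
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("P@$$w0rd", "Welcome2012", "Tru$tNo1", "dog_eats_bone!"):
        hit = matched_entry(candidate)
        print(candidate, "->", f"rejected ({hit})" if hit else "not on the list")
```

A `None` result only means the candidate is not a simple variant of one of the 25 entries; it is not a measure of strength.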


36 comments
DonWolf

Thanks for the great article, I would guess a lot of these passwords are still on the list in 2013 :)
I like to make my passwords memorable by breaking down some familiar sentence into special symbols (for example: S = $), numbers (example: i = 1), upper and lowercases. For a quick password generator I like to use http://www.keyspinner.com.

Cheers,
Don

TechinplainEnglish

Usernames (not all sites require them, but a lot do!) are the worst because they force you to remember a 2ND thing in addition to your password if a site doesn't let you log in with your email.

PeterG

My approach to creating plenty of unique passwords that are deemed strong and still easy to remember is by the following:

1) Make a fixed code that means something to you and would itself be considered a relatively safe password. For example, 3wizeMen. This will go at the start of every password.

2) a) If you are making a password for a site that doesn't contain any important information, then the unique ending code for these sites can be something generic such as login. So your password for all these sites will be 3wizeMenlogin.
    b) For important sites that need their own unique password, your unique ending code can be something simple that describes what the site is for, and it won't compromise the security of the password. So if it's a password for your bank details, simply using bank would suffice. 3wizeMenbank, 3wizeMenmail, etc.

3) a) Avoid using special characters in your fixed code because many sites don't accept them, and it'll ruin the whole point of having a fixed code in the first place if you can't use the same code everywhere. If however, a site does require special characters (I have yet to see any), then you can go ahead and add that into your unique ending code. 
   b) Make sure to have at least one number in your fixed code because many sites do require these.

4) If you are subscribed to a site that requires that you change your password every few months or so, keeping track of all those new passwords can be a nightmare. What I've found is that changing the ending code passes as being a completely new password, so what you'll want to do is keep your fixed code, and only change your ending code each time you're prompted to do so. The new code can either be written down or saved in a file on your computer for easy access, or have something to do with your life at that present time. For example, I recently moved house so my code for this season is house, prior to that it was comp because I have replaced my computer, etc.

Please keep in mind that you should take this advice with a grain of salt. I'm no expert in what hackers look for when trying to break passwords, I'm just your average joe that doesn't have picture perfect memory and still wants to keep safe on the internet. Oh, and I don't know about you, but I don't trust all my passwords being written down and stored in one place like many others have done.

SamJ.Templin

The best thing to do is use a password manager then clear your web browsers of their stored passwords using a program like CC Cleaner. Most passwords are stolen - not by brute-force programs but keyloggers installed by viruses.

Throw a free keyscrambler in the mix and your password could be the easiest to guess on the list - chances are it will never be messed with. Hackers aren't interested in filling out 10 million Captchas when they already have a couple thousand slaves with the information available in plain text.

Dvje

Jesus probably won't protect your account. Deal with it.

wrongversion

@hs.seeker  

Please understand what people are talking about before berating them (just asking for a bit of due diligence, thanks), and Shawn is right: I have over 50 passwords on different sites (I'm IT) and my life would be a living hell if I didn't have a password manager.

VickieArnold

Passwords are just words and all the passwords on this list are just words.  What makes them bad?

John

There are passwords and there are passwords.

For frivolous sites you don't have to be quite as careful with your passwords. 

For financial sites, however, you need to be more careful.  On those sites I use a 15+ character password.

syzygysb

@mrxexon. You got it. I have so many passwords I cannot remember. Now I have a list of them in my notes, on my iPod touch, so I can look them up. As you wrote, "major headache." I tried that "use one word, some numbers and then just tack on letters at end and/or beginning" to make it easier to recall. Tuh. What a freakin mess. And I know, I know. If someone ever finds my iPod and breaks in past my passcode and . . . I have stopped worrying about it.

Shawn

hs.seeker,

No, Regex Password Vault is not a website. It is a password manager that stores your passwords locally, on your own computer. They are stored in an encrypted file on your hard drive. It is probably the most secure way to keep a large number of passwords. Do you have a better way?

hs.seeker

Gee, Shawn, so you entrust all your passwords as well as security questions and answers to a website? Let's see, that means that anyone who hacks into these sites now has all they need to know to hack into every account you have, including your bank account. Hmmmmmm. Why don't you just send out an open email to every address you can think of and advertise it that way?

Don't think these sites can be hacked? Tell that to the Veterans Administration, Social Security Administration, Bank of America, and lots and lots of other "secure" sites. In fact, didn't I just read a bit ago that Paypal was hacked?

Shawn, with your security measures, why even bother putting passwords on your accounts?

Shawn

I recommend that everyone use a password manager like Regex Password Vault. It will store all your usernames and passwords (or passphrases) so you don't have to remember them. It also makes it easy to use a different password for each website.

A good password manager will have a random password generator, as well as a way to keep track of security questions and answers that websites like to use.

hisfrogness

Use 20+ character passphrases. This is a better approach because you can remember an entire sentence pretty easily and can use standard words from the dictionary. As someone stated, a computer can go through the dictionary quite easily but arranging 10 words from the dictionary in a row is a much bigger challenge. Separate the words with symbols if you're ultra paranoid. The point is to amass a high amount of characters and also be able to memorize it.

FredFlintstoner

I use your password for mine, that way I can log in to your account or mine using the same password.

Fate/*

I use my name or my birthday and some special word for my password...

mrxexon

You never use dictionary words. In ANY language. A hacker program can go through that in a few seconds.

You've got to make up gibberish, the longer the better.  Then add numbers and symbols. And then you better write it down, cause you know good and well you won't remember it.

I can't tell you how many times I've worked on computers where the owner didn't write things down and then we have to create new accounts for them for everything they do online. Major headache.

If you're not creative enough yourself, use a password generator like

http://www.pctools.com/guides/password/

Or  

http://strongpasswordgenerator.com/

And WRITE THEM DOWN somewhere.

x

shexbends

Unfortunally people cant spell so thay make easy passwords

laser92awd

I've just finished changing all my passwords to "dog_eats_bone!"

hlong69

Embrace your inner dyslexic - spell some words backwards.

JackTaylor

The problem is people are trying to create something they can easily remember. I have a list of 250 situations that require passwords, I keep them on an Excel sheet, including files, zips, and protections. I have to refer to my list from time to time. But I've developed a system now to where certain passwords apply to certain categories based on type. So knowing what type of account, site, program or file I'm attempting to open I'll know what type of password I would have used for it. Then within that group or category there are certain password themes I will not stray from in case some accounts require mandatory periodic updates. I've gotten pretty good at creating/maintaining passwords now, I rarely have to refer to my list.

adam

There are some incredibly stupid ideas listed below. You just need to be intelligent about your passwords. No 1 word passwords. Don't use a bunch of numbers. These are incredibly easy and fast to crack.

Pick 3 words. They can even mean something to you. For example, say your birthday is Jan 1st. You could seriously use mybirthdayjan1st and it would take a force cracker over 100 years to get that using 1,000 attempts per second. Passwords do NOT need to be complicated. The longer, the better, no matter what you use for it.

hs.seeker

Instead of English words/phrases, use foreign. It's especially effective if the language you choose is obscure instead of German, French, Spanish, or the like. Also use allowed symbols (*, _, -, etc.) and a mix of upper case, lower case (particularly when these appear in nontraditional places (piNholE)) and numbers.

ericsgibbs

romneyhasoneopinion

That's mine, no one will ever type those words ever.

BobForsberg

The first tablet or phone manufacturer that has a strong retina or thumb print password will rule the industry.

wyatt09419

I had my Steam account hacked, and I had a rather complex password. My friend called me and asked if I was online because he saw my character in a game... Of course I was not on, and to this day I can no longer go on to Steam, where I had paid good money on many games...

cpc65

Dark Helmet: "So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!" ~ Spaceballs

wrongversion

@VickieArnold 

What makes them bad are brute-force programs, for example, that try to guess your password, and it starts with just the most common, probably getting some from this list, lol. Just always remember to add at least one number, one capital letter, and one punctuation mark if you can, even on sites that don't matter; it will just save you a lot of trouble in the end.

Dvje

@edsta212 That's cool. So many people don't use any password, and that's very, very bad.

MADDSGN

@shexbends You can't spell. Or, you're being ironic. Hopefully you're being ironic.

JackWhite

@ericsgibbs I feel sorry for people who politicize every aspect of their lives. Seriously.