The Most Commonly Used Password Was …

… yeah, you guessed it: “PASSWORD.” That’s been the winner for a couple years straight, but this year, computer users got wise and upgraded to a foolproof system with an uncrackable password.

That would be “123456.”

People, people, people … you need to stop doing this.

SplashData’s top 25 password list was compiled from data leaked to the net by hackers.

You don’t need to get all clever with passwords to make them better, with a lot of exotic characters and random numbers. Three objects or names that are loosely associated in your mind (but not necessarily in most minds) will work fine, like HUEYDEWIELOUIE or FATHERSONHOLYSPIRIT, but not that obvious. You can also build passwords based on loose associations, such as TOKILLAMOCKINGBIRD for Twitter, but not that obvious. Try to mix it up and add some digits as well. Child and pet names are bad if you have an active social media presence. 

About Thomas L. McDonald

Thomas L. McDonald writes about technology, theology, history, games, and shiny things. Details of his rather uneventful life as a professional writer and magazine editor can be found in the About tab.

  • Roki

    A friend had a great method for keeping all his passwords straight. He’d start with a template password that he could easily remember, e.g.: Start321End, then he’d stick a reference to the specific use of that password in the middle, e.g., for Faceboook, the password became Start321FBEnd, or for his bank it would become Start321BankEnd. This allowed him to maintain unique and strong passwords for all his different accounts/applications/whatever, while still keeping it easy to remember.

  • SDG

    “You can also build passwords based on associations, such as TOKILLAMOCKINGBIRD for Twitter, but not that obvious.”

    This is like my method, but I take it a step further: I think “Twitter → bird → movie with bird in title → TO KILL A MOCKINGBIRD → memorable quotation from TO KILL A MOCKINGBIRD, e.g., “In the name of God believe Tom Robinson.” Yes, I would use that whole phrase (with numberic/special character addenda) as my password. (My actual Twitter association is not TO KILL A MOCKINGBIRD. No one but me could possibly guess it. And I’ll never forget it. My rule is it has to be an association rooted in some firm landmark in my life history. So, not my favorite movie from last year, or my favorite song right now.)

  • Linebyline

    If you thought of it, someone else will too. Hackers are smart. And they can team up together to create huge lists of pop culture references, memorable movie quotations, and the like. From what I’ve read, the only way to be secure is to generate your passwords randomly. (Tip: People are *terrible* at generating randomness. Use a computer or some dice or something.)

    Okay, a password like “G^B=5v?4}@$P4.mZ=X5k” might not be particularly easy to remember, but if you can memorize *one* of them, you can use it as a master password for a password manager that will remember all the rest for you. I just have a plain text file in a TrueCrypt volume, but I’ve heard good things about KeePass if you want something with actual password-management features. (It will even generate long, random passwords for you.)

    You could also go the Correct Horse Battery Staple route (see, and generate a passphrase containing five or so randomly-selected words. The idea is that it’s relatively easy to *create* a loose association in your mind between the random words to help you remember.

  • Linebyline

    Never do this. All it takes is someone with a lick of common sense to crack one password, and he can easily guess all the others.

    The same applies to people who get around enforced password changes by tacking on a number or something: If the password is Start321JanEnd and it doesn’t work starting in February, well, you do the math.

    If you have more passwords than you can remember, try something like KeePass.

  • Thomas L. McDonald

    Never do which?

  • Thomas L. McDonald

    The random generation thing is no good at all.

    The three words is a version of the XKCD idea. Random characters are bad, though.

  • Linebyline

    Never use one base password with one portion that differs in some way depending on the site, the date, etc. If you lose one, you lose them all, because it’s really easy for an attacker to guess them.

    Let’s say you’re an attacker and you find out that someone has CorrectHorseBatteryFacebookStaple for a Facebook password. Can you tell me your victim’s Twitter password?

  • Thomas L. McDonald

    It’s not ideal, but it depends upon the use. The 3 words (or 4) with imagery/associations is better than a stock pattern with variations, but that depends on both the stock pattern and the variation. You’re also assuming someone is actively trying to crack an individual password or group of passwords from a single person. This does, of course, happen, particularly for people in the public eye, but serious password breaches tend to come through automated brute force or by mass theft.

    And if a password can’t be remembered when needed, it’s more likely the average person will change it to a less secure password rather than going to a password safe or log system. User psychology for the largest percentage of users–not the wonks or IT guys or programmers–is an important factor.

  • Linebyline

    That’s true. Most people probably won’t be subject to targeted attacks.

    However, part of the threat of mass theft is that the attacker can then take those passwords and try them other places. (Or publish them so someone else can do so.) A stolen password database would have usernames and e-mail addresses in it, so it wouldn’t be that hard to match them up.

    This is why standard advice is to use different passwords for every site. (It’s also why developers can’t get away with using the low value of their application as an excuse to skimp on the password security.)

    If your “different password” for each site is just the same password with the name of the site stuck in there somewhere, then you’ve defeated the whole purpose. I guess it’s still marginally better than just reusing the password, but it’s still too big a risk if you ask me.

    You’re right about psychology, too. Passphrases are a partial solution since they can be randomly generated and still make some sense to a normal person. The only real solution is for a password manager to get so easy to use that people will prefer it to a post-it. Being able to sync a KeePass database to a dropbox or other cloud storage is a start, but we’re not there yet. Mobile is especially tricky. I don’t think you can copy-paste into the iOS app store’s password prompt, for instance.

  • Linebyline

    I wonder, though: If the part that was swapped out was *not* easily guessable, that might be enough of a solution. For instance, say your base password was CorrectHorseBatteryStaple, and instead of CorrectHorseBatteryStapleTwitter and CorrectHorseBatteryStapleFacebook, you used CorrectHorseBatteryStapleMuffin and CorrectHorseBatteryStapleIrishman.
    That wouldn’t be as good as unique passwords across sites, but even if the attacker knew you were doing it, he’d still have to run a dictionary attack to get that last word rather than just being able to plug in something obvious.

    I wouldn’t go so far as to say “Yeah, that’s a good idea, let’s do that!” But it might be enough of an improvement for people to get by. I’d run it past someone more knowledgeable than myself before trying it, though.

  • Linebyline

    It’s not so much that randomness is bad. It’s just that the short random password, while plenty hard to remember, isn’t long enough to be secure.

    Randomness is really the *only* thing, as far as I know, that makes a password secure. After all, the point of a password is that nobody else knows it. The more someone else knows or can guess about the password, the less effective it is. For instance, the FAQ linked from the Lifehacker article makes a big deal out of the spaces being “special characters” but ignores the fact that putting spaces between words is something fairly obvious. (If you can guess the words, you can try them with and without spaces. Also hyphens, underscores, even CamelCase.) Like I said before, hackers are smart. If there’s a pattern, sooner or later they’ll guess it. As far as I know, the only way to avoid patterns is to generate passwords randomly.

    I can certainly vouch for random characters being harder to remember than random passphrases from personal experience. I don’t blame anyone who doesn’t want to bother.

    Further reading: for more on the xkcd method (others have posted good links there), for more on passwords vs. passphrases, and to generate passphrases. (DuckDuckGo actually does the generation, but it’s still a search engine, so you’ll see other resources, too.

  • Roki

    I am curious about what kind of threat we’re facing. Can I apply the bear-and-tennis-shoes logic? (I don’t have to have an absolutely unbreakable password; I just need to be more unbreakable than the next guy.) Or is each attack a unique iteration, for which I need to maximize my security?

    Or, to put it another way, is there any real benefit to having a password better than 123456 but not as good as a string of 44 random characters?

    I’m not attempting to critique here; I’m genuinely curious about the kind and degree of security I should use.

  • Thomas L. McDonald

    It depends on who you are and what you’re protection. You’re bank account should be bulletproof. Your Netflix account? Maybe not as big a deal. In any case, the best password is the one you can remember, unless you plan to us logs or password software, both of which have their own issues.