Worst passwords of 2011
November 18th, 2011 by David Bradley >> 5 Comments
The phrase is trending on Twitter simply because SplashData put out a press release warning people not to use some of the incredibly common and inane passwords they found in lists of stolen passwords posted online. The likes of Mashable chew over this kind of press release ad nauseum and regurgitate them with their own spin. Fair enough. It’s standard journalistic fodder. More to the point, the 25 worst passwords of 2011 (so far) are incredibly bad and if you use them and someone tries to crack your password your account could be broken into very quickly.
Here’s the list:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football
Do not, I repeat do not, use those passwords. They are standard entries in the dictionaries crackers and hackers use in brute-force attacks, and they are also the first things anyone would guess and try if given the chance to break into an account.
So, what password should you use? Funnily enough, it doesn’t actually matter as long as it’s long. 5, 6, 7 or 8 characters isn’t enough. 16 is a good start, 20 would be better. The key is that you don’t use a word that is in the dictionary, but that doesn’t mean you have to create some complex random string like this: “zc!#oT$88wgDSapeO6G!”, which you will find difficult to remember. As I’ve mentioned before, you just have to have a long character string. Pick four or five random words and concatenate them, e.g. “concatenationrandomballoontesting”. A string like that is definitely not in any dictionary and you could learn it without too much trouble.
Perhaps even more bizarrely, a password like “tortoise!!!!!!!!!!!!!!!” is also not likely to be in any dictionary and is similarly long, so it would take a very, very, very long time for even a botnet to test. Of course, you shouldn’t use any of the examples I’ve given, or necessarily even use the format, but hopefully you get the picture. When it comes to passwords, size matters.
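A small screening routine for the advice above, added here as an example and not code from the original post: it rejects anything on the 25-entry list (even with digit-for-letter swaps such as “passw0rd” undone), flags anything under the 16 characters the post recommends, and reports a lower-bound guess space both for a per-character brute force and for an attacker who knows the “concatenate random words” scheme. The substitution table, the 50,000-word dictionary size and the 16-character threshold are assumptions chosen to match the post.

```python
"""Screen a candidate password against the post's worst-25 list and
score it by the post's length-first advice (example code, not from the post)."""
import math
import string

# The 25 worst passwords of 2011 from the SplashData list quoted above.
WORST_2011 = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
}

# Assumed table of common digit/symbol-for-letter swaps, undone before the
# lookup so "P@ssw0rd" is still matched against "password".
_LEET = str.maketrans("0134@$!", "oleaasi")

def normalise(pw: str) -> str:
    return pw.lower().translate(_LEET)

def guess_space_bits(pw: str, words: int = 0, dictionary_size: int = 50_000) -> float:
    """Lower bound on the attacker's search space, in bits.

    words > 0 models the post's word-concatenation construction against an
    attacker who knows the scheme and tries dictionary_size**words
    combinations; otherwise count per-character brute force over the
    character classes actually present (assumed dictionary size: 50,000)."""
    if words:
        return words * math.log2(dictionary_size)
    charset = 0
    if any(c.islower() for c in pw): charset += 26
    if any(c.isupper() for c in pw): charset += 26
    if any(c.isdigit() for c in pw): charset += 10
    if any(c in string.punctuation for c in pw): charset += len(string.punctuation)
    return len(pw) * math.log2(charset) if charset else 0.0

def check_password(pw: str, words: int = 0) -> dict:
    """Return the guess-space estimate plus a list of problems found."""
    problems = []
    # Check both the raw lower-cased form and the de-leeted form: "trustno1"
    # is on the list as written, while "P@ssw0rd" only matches after normalising.
    if pw.lower() in WORST_2011 or normalise(pw) in WORST_2011:
        problems.append("on the 2011 worst-25 list")
    if len(pw) < 16:  # the post's "16 is a good start" threshold
        problems.append("shorter than 16 characters")
    return {"bits": round(guess_space_bits(pw, words), 1), "problems": problems}

if __name__ == "__main__":
    for candidate, n in [("P@ssw0rd", 0), ("trustno1", 0),
                         ("concatenationrandomballoontesting", 4),
                         ("tortoise!!!!!!!!!!!!!!!", 0)]:
        print(candidate, check_password(candidate, n))
```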
Related articles
- 25 Worst Passwords of 2011 [STUDY] (mashable.com)
Jon // Nov 18, 2011 at 9:03 am
Without meaning to cross-pollinate your online endeavours too much… how would a memorable but relatively uncommon word like bromochlorofluoromethane do as a password? Do password dictionaries use Sigma Aldrich or ChemSpider as a base?
David Bradley // Nov 18, 2011 at 10:41 am
Put it this way, if you were hoping to hack the account of…ooh, let’s say a representative of the Royal Society of Chemistry…what dictionaries would you use in your bruteforce attack?
David Bradley // Nov 18, 2011 at 10:43 am
There are databases of password dictionaries; it would be safe to assume that someone somewhere will have thought to leech PubChem, ChemSpider, Aldrich, etc. etc. I wrote about creating memorable passwords using chemicals a while back by converting a name into its InChI or SMILES code and tweaking it – http://www.sciencetext.com/passwords-for-scientists.html
David Bradley // Nov 18, 2011 at 10:46 am
The worst thing to do is to let anyone know what scheme you use. So, when I said string together four or five random words, I may have forgotten to mention that I capitalise all the letters at a prime number position, or add some memorable random string of alphanumerics to the start, or whatever…
bROmOcHlorOfLuorOmEthaNe might then be okay or better still 20bROmOcHlorOfLuorOmEthaNe01
Fisica Interessante // Nov 18, 2011 at 4:12 pm
“prime number position” wow. That’s great.
I use a big string too. I apologise for not disclosing my system here but I think it’s safe to tell that it mixes two idioms.