Don't use these passwords

By Daniel James on Oct 30, 2012 1:55PM
Use any of these passwords and you're likely breaking the basic rules of password selection and maybe leaving your data at risk.

What are the 25 most commonly used passwords? One company has published a list of passwords it claims are very common.

It is no surprise that the list comes from a company that makes password management software - it is in their interest to promote safe passwords - but it is still useful information, and a good catalogue of the types of password you should not use.
 
Here are the passwords:
  1. password
  2. 123456
  3. 12345678
  4. abc123
  5. qwerty
  6. monkey
  7. letmein
  8. dragon
  9. 111111
  10. baseball
  11. iloveyou
  12. trustno1
  13. 1234567
  14. sunshine
  15. master
  16. 123123
  17. welcome
  18. shadow
  19. ashley
  20. football
  21. jesus
  22. michael
  23. ninja
  24. mustang
  25. password1
 
Many of these break the basic rules of safe password selection. What are these?
 
Firstly, don't use a real word as your password
That eliminates just over half of the top 25 (14 of them), leaving 123456, 12345678, abc123, qwerty, letmein, 111111, iloveyou, trustno1, 1234567, 123123, and password1. Common 'swear words' occur high on some other lists of popular passwords, so definitely avoid them as well.
 
Passwords that are real words fall quickly to a dictionary attack: the attacker simply works through a word list by trial and error. In some situations the system suspends or blocks access after a relatively small number of wrong attempts - you may have encountered this if you have a PIN on your mobile phone and someone tried to mess with it. But in others it is possible to keep trying until you succeed, and once a site's password database has been stolen the attacker can run guesses against the stolen copy on their own hardware with no lockout at all. Rather than trying to distinguish these situations, always assume the worst case applies.
 
Don't use sequential characters
And that's whether in alphabetical (abcd) or keyboard (qwerty, 12345) order; repeated patterns like 111111 and 123123 are just as predictable. Now we're down to letmein, iloveyou, trustno1, and password1. The mere fact that they are so commonly used is sufficient reason to avoid them, but note that in general adding one or two digits to the end of a real word gives little extra protection: cracking tools apply exactly that kind of transformation to every word in their list automatically, and commonly used non-words like these are included in the dictionaries the bad guys use to break into accounts.
 
Don't use words that are in some way biographical
Other people know the name of your pet, your first boy/girlfriend, your school, your birthday and so on - and anyone who reads your social networking profile can find them out too.
 
Don't use the same password in multiple situations
If a website does get hacked and its passwords are exposed, the attackers will try those same credentials on other sites - email, banking and work logins included - so the weakest site you use ends up setting the security of all of them.
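The rules above can be turned into an automated check. The following Python is an added example written for this page, not code from the article or from any password manager: it treats the article's top-25 list as a denylist, and adds a small constructed stand-in for a real dictionary, a few keyboard rows, a light leetspeak normalisation and a minimum length of 12 characters (the length threshold is an assumption; the article gives no number). The reuse rule can't be checked from a single password, so it is left out.

```python
"""Check a candidate password against the article's rules.

Added example for this page, not code from the article or any real product.
TOP_25 is the article's list used as a denylist; DICTIONARY and the keyboard
rows are small constructed stand-ins (a real check uses a list of millions of
breached passwords); the 12-character minimum is an assumption, the article
gives no number.
"""
import re

TOP_25 = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567",
    "sunshine", "master", "123123", "welcome", "shadow", "ashley", "football",
    "jesus", "michael", "ninja", "mustang", "password1",
}

# Constructed stand-in for a cracking wordlist: real words plus the common
# non-words the article notes are in attackers' dictionaries.
DICTIONARY = {
    "password", "monkey", "dragon", "baseball", "sunshine", "master",
    "welcome", "shadow", "ashley", "football", "jesus", "michael", "ninja",
    "mustang", "summer", "winter", "letmein", "iloveyou", "trustno1",
}

# Runs an attacker's pattern rules try first; checked in both directions.
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Undo the usual letter-for-symbol substitutions (P@ssw0rd -> password).
LEET = str.maketrans("@$013", "asole")

TRAILING_JUNK = re.compile(r"[\d!@#$%^&*._-]+$")


def normalise(pw: str) -> str:
    """Lower-case, strip the digits/punctuation people append to satisfy a
    complexity rule, then undo leetspeak.  Order matters: strip before
    translating, or a trailing 0 would become an o and survive."""
    base = pw.lower()
    stripped = TRAILING_JUNK.sub("", base) or base
    return stripped.translate(LEET)


def has_sequence(pw: str, run: int = 3) -> bool:
    """True if `run` consecutive characters appear in alphabetical, numeric
    or keyboard order, forwards or backwards.  run=3 catches abc123 but will
    also flag words containing e.g. 'rst'; raise it if that is too strict."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if any(chunk in seq or chunk in seq[::-1] for seq in SEQUENCES):
            return True
    return False


def is_repeated(pw: str) -> bool:
    """True for a short unit repeated to fill the password (111111, 123123)."""
    n = len(pw)
    return any(n % u == 0 and pw == pw[:u] * (n // u) for u in range(1, n // 2 + 1))


def check_password(pw: str, min_length: int = 12) -> list[str]:
    """Return the rules the password breaks; an empty list means it passed."""
    problems = []
    if pw.lower() in TOP_25:
        problems.append("in the top-25 list")
    if pw.lower() in DICTIONARY or normalise(pw) in DICTIONARY:
        problems.append("real word (appended digits/symbols don't help)")
    if has_sequence(pw):
        problems.append("sequential characters")
    if is_repeated(pw):
        problems.append("repeated pattern")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    return problems


if __name__ == "__main__":
    for candidate in ["password1", "P@ssw0rd1", "Summer2012!", "abc123",
                      "123123", "lamp tortoise margin velvet"]:
        print(f"{candidate!r:32} {check_password(candidate) or 'OK'}")
```

Note that "P@ssw0rd1" is not in the top-25 list yet still fails: the normalisation strips the appended digit and undoes the symbol substitutions, which is exactly what a cracker's rule set does, so the check rejects it for the same reason an attacker would get it.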
 
Beyond that, the rules seem less clear cut insofar as apparent experts don't always agree.
 
Longer passwords are generally better than shorter ones, because every extra character multiplies the number of guesses a trial-and-error attack needs. But they're also harder to remember. Thinking in terms of a passphrase helps, especially if you pick several words at random that don't normally go together (the often-quoted example is 'correct horse battery staple' - but don't use that one, or any other published example: once a phrase is in print it is in the attackers' word lists too).
 
Mixing things up with capital and lower case letters plus digits and punctuation is often recommended and sometimes enforced by systems. This does make a brute-force search harder, since instead of 26 possible symbols in each position there are 94 that can be easily typed, but it also makes the password harder to remember, and in practice people satisfy such rules with predictable substitutions (a capital first letter, a 1 or ! on the end, an @ for an a) that the cracking tools already try. Length counts for more than the mix: five or six randomly chosen words beat eight random characters from the full keyboard.
 
That's where password management software comes in. The idea is that you - possibly with the aid of the program - generate a long and complex password for each site, service or application. The program then stores the passwords in encrypted form, and automatically inserts the right one when it is needed. This setup is protected by a master password that should be picked with care so it is memorable for you but unguessable by others.
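Here is how the arithmetic behind the two preceding paragraphs works out, together with the generation step a password manager performs. This is an added example for this page, not the article's code or any real product's: the word list is a constructed 16-word stand-in (the 7776 figure is the size of the standard diceware list), and the 10 billion guesses per second used in the demo is an assumed rate for an offline attack on a leaked password database.

```python
"""Generate random passwords/passphrases and estimate how hard they are to
guess.  Added example for this page; not the article's code, nor any password
manager's.  The WORDS list is a constructed 16-word stand-in; real tools use
lists of thousands of words (7776 is the size of the standard diceware list).
"""
import math
import secrets
import string

# The 94 printable ASCII symbols (excluding space) the article refers to.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in word list for the passphrase generator.
WORDS = ["anchor", "bamboo", "candle", "dune", "ember", "falcon", "glacier",
         "harbor", "ivory", "jigsaw", "kettle", "lantern", "marble", "nectar",
         "orbit", "pepper"]

SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from `alphabet_size`
    choices: log2(alphabet_size ** length).  It is the selection process that
    counts; a word with digits appended is not 94^n, see compare_schemes()."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at the given guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def generate_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Random password the way a password manager would make one.  Uses the
    secrets module (a CSPRNG); random.choice is predictable from enough of
    its output and must not be used for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words: int = 5, words=WORDS, sep: str = " ") -> str:
    """Random passphrase: words chosen independently, repeats allowed, so the
    entropy is exactly n_words * log2(len(words))."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def compare_schemes() -> dict[str, float]:
    """Entropy in bits of the strategies discussed in the article."""
    return {
        # A dictionary word plus two digits: the attacker's list (say 100,000
        # words) times 100 suffixes, regardless of how 'complex' it looks.
        "word + 2 digits, 100k-word dictionary": math.log2(100_000 * 100),
        "8 random lowercase letters": search_space_bits(26, 8),
        "8 random chars from 94 symbols": search_space_bits(94, 8),
        "4 random diceware words (7776-word list)": search_space_bits(7776, 4),
        "6 random diceware words (7776-word list)": search_space_bits(7776, 6),
    }


if __name__ == "__main__":
    print(generate_password())
    print(generate_passphrase())
    for name, bits in compare_schemes().items():
        # 1e10 guesses/s: assumed rate for an offline attack on leaked hashes.
        print(f"{name:42s} {bits:5.1f} bits  "
              f"{years_to_exhaust(bits, 1e10):.2e} years to exhaust")
```

Run it and the ordering is the article's point in numbers: a word plus two digits is about 23 bits and falls in a fraction of a second at that guess rate; eight characters from the full keyboard (about 52 bits) and four random diceware words (about 52 bits) are roughly equal; six random words (about 78 bits) would take hundreds of thousands of years to exhaust. The passphrase is the one a person can actually remember.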
 
Not only does this make it easier to use unique passwords for every purpose, it also means you can change any password at intervals without having to remember the new one. Just be sure to be extra rigorous when it comes to backing up the password manager's data file - you'll be in strife if you lose it.
 
Finally, remember that however obscure your password, it is potentially vulnerable to malware that logs all keystrokes or that specifically looks for usernames and passwords, so be sure to keep your operating system, browser and security software up to date.
Copyright © BIT (Business IT). All rights reserved.
Tags:
bad passwords security