
These are the 25 worst passwords you could ever choose


There’s no doubt about it. Human beings are typically terrible at choosing passwords.

We either choose a password that is easy to guess (the name of our pet hamster, the name of our favourite football team), or one that is easy to crack (dictionary words like “password” or “letmein”), or find ourselves dreaming up one hard-to-crack and impossible-to-guess complex password (“fTKJ5QSAw}jd’~m3X7N” or “foolery-suburb-narcosis-shorts-unbidden-widely”) but make the mistake of reusing it everywhere.


Humans suck at choosing passwords.

And that’s why I recommend that people invest in a password manager: a tool that generates long, genuinely random passwords and then does the important job of remembering them for you, so you never have to reuse one across the sites you access.

All you then need to do is remember one complex, hard-to-crack master password and never have to worry about forgetting your email, eBay or Amazon password ever again.


My guess is that, although the password manager solution is pretty straightforward, many people are either unaware that it exists or think (mistakenly) that it will be too hard for them to use. And so they go back to bad habits.

The fact that we are STILL talking about bad password practices shows that many people still aren’t getting the message, and new research released by SplashData makes clear that plenty of people are still using very bad passwords indeed.

SplashData looked at more than two million passwords that have leaked through data breaches in the last year, and compiled a list of the 25 worst passwords.

And remember, it’s not just researchers who know the most commonly used passwords like the back of their hand. Malicious hackers and identity thieves know too.

So, without further ado, here are the worst passwords you could be using:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball
  11. welcome
  12. 1234567890
  13. abc123
  14. 111111
  15. 1qaz2wsx
  16. dragon
  17. master
  18. monkey
  19. letmein
  20. login
  21. princess
  22. qwertyuiop
  23. solo
  24. passw0rd
  25. starwars

If you recognize any of those passwords as one of yours – shame on you. Learn your lesson and change your password immediately. Passwords like these are effectively worthless.

You might think you’re clever choosing a password like ‘1qaz2wsx’ (take a close look at your keyboard if you want to know where that one came from) or ‘starwars’ but it’s clear that plenty of people had the same idea as you.

And don’t feel too smug if your password isn’t on this list. The fact is that attackers have wordlists containing *millions* of passwords harvested from earlier breaches, and cracking tools that automatically try the common variations of each one (a capital first letter, a digit or two on the end, letters swapped for look-alike numbers). Unless you have taken care creating your password, chances are that it won’t take an enormous effort to crack it.

Here are my tips for better password security:

  • Choose passwords or passphrases of a decent length. Over a dozen characters is good, but ideally make it as long as the site allows: every extra character multiplies the work of a brute-force attack. Mixing in special characters, upper and lower case and numbers helps too, as long as it doesn’t stop you from making the password long.
  • Never share your passwords. Ultimately you can only trust yourself to take good care of them.
  • Never have a guessable password. Someone who knows you shouldn’t have any advantage in guessing your password.
  • Never ever reuse your passwords. If one site you are a member of gets hacked, you don’t want those same credentials to be able to unlock your other online accounts.
  • For goodness’ sake, get a password manager. I have over 900 accounts online – it would be impossible for me to remember 900 complex, unique passwords, which means I might be tempted to choose weaker passwords instead or reuse them. Password managers mean I don’t have to dilute my security.
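The mangling rules that crackers apply to leaked wordlists, and the tips above, as an added example that is not part of the original post: a Python script that reduces a candidate password to the base forms a rule-based cracker would try, checks them against the 25 entries quoted above, and generates random passwords and passphrases with the operating system’s CSPRNG, the way a password manager does. The substitution table, the sample word list and the test passwords are constructed for this example; real cracking rule sets and real wordlists are far larger than what is shown here.

```python
from __future__ import annotations

import math
import secrets
import string

# The 25 entries from SplashData's list quoted above.
WORST_25 = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey",
    "letmein", "login", "princess", "qwertyuiop", "solo", "passw0rd",
    "starwars",
]

# A handful of look-alike substitutions to undo, in the spirit of the "leet"
# rules cracking tools apply to every wordlist entry. Constructed for this
# example; real rule sets contain thousands of transformations.
UNLEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Constructed sample word list; a real diceware-style list has 7776 words.
SAMPLE_WORDS = ["apple", "river", "candle", "orbit", "meadow", "glacier", "pixel", "harbor"]


def base_forms(candidate: str) -> set[str]:
    """Return the dictionary words a rule-based cracker would reduce `candidate`
    to: lower-cased, with trailing digits/punctuation removed, and with
    look-alike characters swapped back to letters."""
    lowered = candidate.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    forms = {
        candidate,
        lowered,
        stripped,
        lowered.translate(UNLEET),
        stripped.translate(UNLEET),
    }
    return {f for f in forms if f}


def is_common(candidate: str, wordlist: list[str] = WORST_25) -> bool:
    """True if `candidate` is a wordlist entry or a trivial mangling of one."""
    common = set(wordlist)
    return any(form in common for form in base_forms(candidate))


def assess(candidate: str, min_length: int = 12) -> list[str]:
    """List the objections to `candidate`; an empty list means none were found."""
    problems = []
    if len(candidate) < min_length:
        problems.append("too short")
    if is_common(candidate):
        problems.append("leaked password after simple mangling")
    return problems


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work, in bits, for a password chosen uniformly at random:
    each of `length` symbols contributes log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 20,
                    alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Generate a password with the OS CSPRNG (94 printable ASCII symbols by default)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: list[str], count: int = 6, sep: str = "-") -> str:
    """Pick `count` words uniformly at random; entropy is count * log2(len(words))."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "Starwars2016", "Dragon", "1qaz2wsx", random_password()]:
        print(f"{pw!r:24} {assess(pw) or 'no objection'}")
    print(f"6 words from a 7776-word list: {entropy_bits(6, 7776):.1f} bits")
    print(f"12 random printable characters: {entropy_bits(12, 94):.1f} bits")
    print("sample passphrase:", random_passphrase(SAMPLE_WORDS))
```

The entropy figures apply only to passwords that are genuinely random. A human-chosen twelve-character password, even one with symbols and digits, gets nowhere near the 78 bits that twelve random printable characters give, which is exactly why it pays to let a manager choose for you.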

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.



  • Hi,
    Basically, I agree with the content of this post, but password managers are a good target to be cracked as well.
    Personally, I use a self-made “rule” which allows me to generate website-linked but still long and hard-to-guess unique passwords, still easy for me to remember.
    Kind regards

  • I wonder how many people have a fear that password managers may leak their data in some way? How can we be sure that a password manager on our iOS or Android device isn’t uploading our passwords to an insecure server somewhere, or indeed to a rogue server?
    Do you have a top ten list of reliable password managers that you trust to be secure?

  • It would be interesting to know the frequency with which these were being used. What percentage of the 2 million do they represent? Is this available?

  • All good advice – I use 1Password and randomly generated passwords as long as the account will allow.

    My frustration is with sites/accounts which then FORCE you to change a perfectly good, secure password every month, or three months, or whatever, because the geeks that coded it believe it makes the world a safer place.

  • I have been reading in various locations about password managers, but apparently even the security of those is not 100% guaranteed. So which would you personally recommend Graham?

  • Another reason to use a password manager (as if we needed another one) is the plethora of password rules used by websites. Every site seems to have a different rule for length, which special characters are allowed, etc.

    And on a related rant, websites need to get their act together in terms of allowing longer passwords. I have a financial account at a company whose website only allows a maximum of 12 characters in the password! Even with a randomly generated password, that’s crackable.

  • Hear, hear. I have been using LastPass for four years now, and I too have literally hundreds of logins, all with completely different, long, complex, pseudo-randomly generated passwords. To go back to managing them myself would be a huge and ongoing hassle.

    Just a couple of small observations about the above…

    “impossible to guess passwords”
    Unfortunately, no password is impossible to guess. We can make them *virtually* impossible to guess though, by making them so random and complex that the likelihood of them being guessed is insignificant.

    It might also be a good idea to add a note to discourage people from using your example ‘hard-to-crack and impossible-to-guess complex passwords’. People have been known to see example passwords and think ooh, that looks nice and strong, I’ll use that. :)
    (How long before your examples end up in some bad guy’s password dictionary!)

    Keep up the good work!

    • How long is a piece of string?

      It’s a good question with no simple answer, but as the key ‘bread and butter’ for Password Managers depends massively on their security, you can bet there is plenty of scrutiny. I’d suggest you look further into the subject (e.g. Google ‘LastPass vs KeePass vs Dashlane vs etc’) if you’re concerned.

      PS I submitted a comment on January 21, 2016 at 7:58 pm but it is still awaiting moderation.

  • How do two people access the same account with the same vendor? For example, my wife and I share a checking account. If I use a password manager on my computer to come up with a super password for our joint checking account, how does she access the same account from her computer without knowing my password? And the one checking account can only have one password, right?

    • A good bank would ensure their online banking would cater for that. My wife and I have a joint account and our own individual accounts. When we log into our online banking (with our own, separate logins) we see our individual accounts and we both see the joint account.

      We also use LastPass (password manager) and if you want to ‘share’ a password with someone you can do that and it will appear in their password vault as a shared item. e.g. If you only have one login for your electricity supplier online account, you can both use the same one easily that way, without having to memorise a hard to remember password.