The Only Secure Password Is the One You Can’t Remember
Top Bad Passwords
123456, password, 12345678, qwerty, abc123, 12345, monkey, 111111, consumer, letmein, 1234, dragon, trustno1, baseball, gizmodo, whatever, superman, 1234567, sunshine, iloveyou, starwars, shadow, princess, cheese
Examples of Weak Passwords
- Default passwords (as supplied by the system vendor and meant to be changed at installation time): password, default, admin, guest, etc. Lists of default passwords are widely available on the internet.
- Dictionary words: chameleon, RedSox, sandbags, bunnyhop!, IntenseCrabtree, etc., including words in non-English dictionaries.
- Words with numbers appended: password1, deer2000, john1234, etc., can be easily tested automatically with little lost time.
- Words with simple obfuscation: p@ssw0rd, l33th4x0r, g0ldf1sh, etc., can be tested automatically with little additional effort. For example a domain administrator password compromised in the DigiNotar attack was reportedly Pr0d@dm1n.
- Doubled words: crabcrab, stopstop, treetree, passpass, etc.
- Common sequences from a keyboard row: qwerty, 12345, asdfgh, fred, etc.
- Numeric sequences based on well known numbers such as 911 (9-1-1, 9/11), 314159… (pi), or 27182… (e), etc.
- Identifiers: jsmith123, 555–1234, your username, etc.
- Anything personally related to an individual: license plate number, Social Security number, current or past telephone numbers, student ID, current address, previous addresses, birthday, sports team, relative’s or pet’s names/nicknames/birthdays/initials, etc., can easily be tested automatically after a simple investigation of person’s details.
What Makes a Good Password
A strong password is one that is as long and as random (in terms of both character types and sequence), as possible. In short use a combination of upper and lowercase, numbers and symbols.
Guidelines for choosing good passwords are designed to make passwords less easily discovered by intelligent guessing. Common guidelines include:
- A minimum password length of 12 to 14 characters if permitted
- Generating passwords randomly where feasible
- Avoiding passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past), or biographical information (e.g., ID numbers, ancestors’ names or dates).
- Including numbers, and symbols in passwords if allowed by the system
- If the system recognizes case as significant, using capital and lower-case letters
- Avoiding using the same password for multiple sites or purposes
- Avoid using something that the public or workmates know you strongly like or dislike
Some guidelines advise against writing passwords down, while others, noting the large numbers of password protected systems users must access, encourage writing down passwords as long as the written password lists are kept in a safe place, such as a wallet or safe, not attached to a monitor or in an unlocked desk drawer.
Having good passords doesn’t replace taking security precautions on your computer and internet connection.
An eight character all lowercase password can be cracked by a single computer in one day.
Worst-case scenario with almost unlimited computing power for brute-forcing the decrypt: 6 alphanumeric characters takes 0.0000224 seconds to crack, 10 alpha/nums with a symbol takes 2.83 weeks.
One Password is a handy tool to keep your passwords stored safely on your computer. This program generates a different strong password for each site you visit by mixing: a) your master key, which you create by yourself, and b) a site key, which is automatically extracted from site URL.
With One Password, you only need to remember your master key. The extension will give different passwords on different websites.
More info about One Password
You can access the mobile website version at
Follow updates and security tips on our Facebook page: