• United States



Top 25 most commonly used and worst passwords of 2013

Jan 21, 20143 mins
Data and Information SecurityMicrosoftSecurity

"123456" beat out "password" to top the list of 25 most commonly used and worst passwords.

security password
Credit: Thinkstock

All the website breaches and endless warnings about the use of weak passwords finally soaked in and resulted in a change to the most commonly-used and worst password on the Internet, which was “password”. But before you get too excited about netizens embracing better cybersecurity habits, know that “123456” is #1 and “password” fell to #2 on the list of top 25 worst passwords of 2013.

For the third year, SplashData, a company that makes password management and productivity apps, released the list of “the most common and therefore worst passwords.” The company said this year’s list was influenced by the top 100 passwords revealed after Abode was hacked and was “compiled from files containing millions of stolen passwords posted online” in 2013.

10 of 25 weak passwords are new to the top 25 list: “123456789” came in #6; “adobe123” was #10; “admin” came in at #12; “1234567890” was #13; “photoshop” placed at #15; “1234” was #16; “12345” made it to #20; “princess” was new to the list at #22; “azerty” was #23; “000000” came in at #25.

Morgan Slain, CEO of SplashData, said, “Seeing passwords like ‘adobe123’ and ‘photoshop’ on this list offers a good reminder not to base your password on the name of the website or application you are accessing. Another interesting aspect of this year’s list is that more short numerical passwords showed up even though websites are starting to enforce stronger password policies.”

If you see any of your passwords on this list, go change them right now. In fact, before you create a new password, consider the from Microsoft MVP and software architect Troy Hunt: “The only secure password is the one you can’t remember.”

If creating a unique and strong password for each site is really so difficult, then either a) use a password manager, or b) consider adopting a password-alternative biometric product. At CES 2014, numerous companies were pimping biometrics to replace passwords. Additionally, you need look no further than the .

SplashData had these tips for making passwords more secure:

Use passwords of eight characters or more with mixed types of characters. But even passwords with common substitutions like “dr4mat1c” can be vulnerable to attackers’ increasingly sophisticated technology, and random combinations like “j%7K&yPx$” can be difficult to remember. One way to create more secure passwords that are easy to recall is to use passphrases — short words with spaces or other characters separating them. It’s best to use random words rather than common phrases. For example, “cakes years birthday” or “smiles_light_skip?”

The company also warns against using the same username/password combo across multiple sites.

I’d advise for you to check out Have I been pwned? The site was created by Hunt so people can check if they have an account that has been compromised in a data breach. He has two excellent articles regarding the new website, an introduction about “aggregating accounts across website breaches” and domain wide searches.

You can search by email address, username, domains or browse the list of pwned sites. Hopefully, you’ll see “Good news – no pwnage found!” There is also a notify feature “if future pwnage occurs and your account is compromised.”

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.