The Most Popular Bad Passwords of 2014

Despite near-constant news of high-profile hacks, and the omnipresent threat of identity theft, millions of people around the world persist in using terrible passwords. SplashData just released its annual list of the 25 most common passwords (a list it compiled from 3.3 million leaked passwords over the course of 2014), and the results are depressing, to say the least:

1. 123456
2. password
3. 12345
4. 12345678
5. qwerty
6. 1234567890
7. 1234 (Up 9)
8. baseball
9. dragon
10. football
11. 1234567
12. monkey
13. letmein
14. abc123
15. 111111
16. mustang
17. access
18. shadow
19. master
20. michael
21. superman
22. 696969
23. 123123
24. batman
25. trustno1

Not only are most of these passwords beyond obvious, but people keep relying on them to guard vital information: for the second year in a row, “123456” topped the list as the most popular password, while “password” continued its reign at second.


No, passwords aren’t going anywhere soon, despite advances in biometrics. Yes, it’s a pain to make your passwords as long and complex as possible, sprinkled throughout with numbers and special characters—but the aggravation of crafting difficult-to-crack passwords is far outweighed by the trouble associated with having your online accounts hacked.
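An added example (not from the article or SplashData): a sign-up check that rejects the 25 listed passwords and their decorated variants, next to a blind brute-force estimate that shows why length alone does not rescue a listed word. The 12-character minimum, the function names and the sample inputs are assumptions made for illustration.

```python
import math

# The 25 entries from the SplashData 2014 list in the article above.
COMMON = frozenset("""123456 password 12345 12345678 qwerty 1234567890 1234
baseball dragon football 1234567 monkey letmein abc123 111111 mustang access
shadow master michael superman 696969 123123 batman trustno1""".split())

MIN_LENGTH = 12  # assumed policy value, not taken from the article


def base_word(password):
    """Lower-case and drop trailing digits/symbols: 'Baseball2!' -> 'baseball'."""
    lowered = password.lower()
    end = len(lowered)
    while end > 0 and not lowered[end - 1].isalpha():
        end -= 1
    return lowered[:end]


def on_denylist(password):
    """True for a listed password, or a listed word with a decorated tail."""
    return password.lower() in COMMON or base_word(password) in COMMON


def keyspace_bits(password):
    """Upper bound on blind brute-force cost: length * log2(character pool).
    A guesser that tries the common list first ignores this number."""
    pool = 0
    pool += 26 if any(c.islower() for c in password) else 0
    pool += 26 if any(c.isupper() for c in password) else 0
    pool += 10 if any(c.isdigit() for c in password) else 0
    pool += 33 if any(not c.isalnum() for c in password) else 0  # symbols + space
    return len(password) * math.log2(pool) if pool else 0.0


def screen(password):
    """Return the reasons a candidate is rejected; an empty list means accept."""
    reasons = []
    if on_denylist(password):
        reasons.append("common")
    if len(password) < MIN_LENGTH:
        reasons.append("short")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["123456", "Baseball2", "Password1234567", "correct horse battery staple"]:
        print(f"{pw!r:32} {keyspace_bits(pw):6.1f} bits  {screen(pw) or 'accept'}")
```
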


15 Responses to “The Most Popular Bad Passwords of 2014”

  1. Boggles the mind that people would make such simple passwords. I have even told people that if your password is going to be something simple, maybe on this list, that you may as well make a difficult password and write it down. You can then take your list of passwords and put it in your safe next to your guns or other important documents. Cause honestly if you are robbed, you have some other problems to worry about.

    What are your thoughts on this?

  2. Anonymous Coward

    Actually, a password that no human can remember does no good to prevent brute-force cracking by computers. “#” is no harder for a computer (or, more likely, botnet) to deal with than “m”; instead, it leads to problems with lost passwords, password recovery, and passwords recorded in obvious places (including computer files named passwords.txt), all of which are far bigger security holes than a supposedly ‘weak’ password. This is one of those things (like “an inch of tropical fish to a gallon of water”) that has become such conventional wisdom that it is endlessly repeated with very little real basis.

    If you want a secure password, go for length rather than gibberish. p8a7s6s5w4o3r2d1 is a less easily brute-forced password than #sY7)4c@. Since you can remember it (or should be able to), you won’t be writing it down in obvious places, vulnerable to either computer intrusion (if a file) or simple physical means (a co-worker looks at the post-it you stuck on the underside of your keyboard). A longer password that you don’t need to write down is far more secure than a short password that you’ll forget but a computer will treat as little more complex than ‘123456’.

    The best thing to memorize isn’t specific passwords, but the algorithm you use to derive them. For the average user, you don’t even need a complicated one. Let’s say that your chosen password-generation algorithm is “the first six letters of the website’s domain name, backwards, followed by the last six numbers of your old girlfriend’s phone number.” So your password for a website named might be ocecid978982. You don’t even need to remember that — you just need to remember how you created it, and use the same algorithm on every site you need a password for. Then, when you need to remember your password for, you know all your passwords are made that way, so you can just derive it again, and you’ll know what it was. But no one else will.

    • Passwords are very rarely stored in plain text — certainly not by any security conscious companies or websites. They’re stored using a form of non-reversible encryption, and when you enter a password, your browser encrypts the password before transmitting it. The website compares only the received version with the encrypted one in its database.

  3. allenwoll

    “The best thing to memorize isn’t specific passwords, but the algorithm you use to derive them.”
    Yes — but some websites insist that you do THEIR way — Most of them I simply give a pass and go elsewhere.

  4. The 25 most popular are presented here for you in story form.

    The Password

    “123456” she said, “that’s a good password. Or maybe I should use 12345, or even 12345678.”

    “How about qwerty?” he replied. “That’s what I use.”

    “I think 1234567890 is better. It’s even longer. Or maybe I’ll keep it simple with 1234.”

    “You should use a word. How about baseball?”

    “If I used a word, it would be dragon,” she replied.

    “I know! Use football! I’m changing all mine to that right now!” he exclaimed.

    “I don’t know. I still like numbers. 1234567 might be just about right. Seven is God’s perfect number, you know.”

    “Monkey! That’s a good one. Or maybe you should use a whole phrase like ‘letmein’ because that’s clever and easy to remember.” He felt he was really good at this password creation thing.

    “I guess I could add letters. How about abc123?” She thought for a moment. “I’ve got it – 11111! That would be perfect because a hacker would never guess I would make all the numbers the same!”

    “I still think words are better,” he argued. “Mustang would be a good one. You’ve always wanted one. Or how about ‘access’, because you want access to your accounts?”

    “I don’t know … maybe Shadow. That’s my cat’s name. I could remember that.”

    “Master would be good, too. It’s like a master key to get in to your stuff.”

    “Michael might be a good password,” she pondered.

    “But that’s my name! If you’re going to think of me, use my alter ego … Superman.”

    “I keep coming back to wanting to use numbers, though,” she frowned.

    “How about 696969?” he asked slyly.

    “Get serious!” she spouted. “Maybe I should just repeat a number sequence, like 123123.”

    “You could use Batman. That’s my other alter ego.”

    “I’ve got it!” she exclaimed. “I’ll do words in a phrase with a number!”

    She quickly changed all her passwords to ‘trustno1’ and since it was so perfect, yet easy to remember, so did he.

  5. Secureme not

    The real problem isn’t easily broken passwords, the real problem is network security geeks who demand that we change our passwords so frequently that we are forced to use easily remembered passwords. If it isn’t baseball it is baseball1 or baseball2, because “security” demands we change every 30 or 90 days and that we can’t reuse the last 10 passwords. A simple 11 digit alphanumerical password created from a word that is not in the dictionary (perhaps even misspelled) should last a person several years.

    • SecureYouShould

      Speaking as one of the aforementioned “network security geeks,” I can attest that we aren’t sitting in the back twisting our moustaches and hatching plots to make your life more difficult. Sorry if you’re required once every three months to actually use your sloped noggin to think up a new 10- or 12-character password. I’m sure that’s torturous on a grand scale for you. If users like you weren’t constantly looking for every conceivable way to skirt around security measures and make it easy for attackers to get it, we wouldn’t need to make such enormous demands. You know, it’s a funny thing: We get heat for actually doing our jobs but catch heat if we don’t and something happens. So as long as we can both accept reality, how about you just suck it up butter-cup and create a new password now and again.