

19.10.18
50 Most Used Passwords & How To Keep Yours Safe

In our industry, clients often share passwords for domains and servers with us, and it’s shocking how bad they can be. Roughly 50% of the time the password strongly relates to the business or client name and would be easy enough to guess given the right context.

This is crazy when there are so many good solutions to manage passwords these days! Here are some great options for managing your passwords:

  • Using your browser! For example, Chrome has amazing password management features that can sync across all your devices when logged in.
  • 1Password is great for sharing passwords within a large organisation.
  • NordPass is another large-scale password management system that is great for use across multiple accounts/devices.

 

Passwords should be…

  • Long. Most likely it will be an automated script trying to guess your password, so the longer it is, the harder it will be for the script to try every combination. With modern GPU systems, it’s possible to achieve a cracking rate of 7 billion attempts per second. An 8 character alpha-numeric password can be broken in 30 seconds! Whereas a 13 character password would take more than 900,000 years at that rate. Luckily, your password hash will not be accessible for a computer to break at this speed. Frustratingly, many systems limit the length of passwords, so a long password is not always possible.
  • Random. Don’t be tempted to relate it to your name or business. It’s safe to choose random words and characters that you can remember easily if the password is long.

 

Related xkcd

 

But, why?

I recently read about a study of a huge number of leaked passwords. In this study the password choices of 10 million people, from everyday people to the rich and powerful, were analysed. Some interesting people were on the list, including the global director of Nike, whose password was cracked in 0.02 seconds, an editor at the New York Times (0.9 seconds) and a senior manager at IBM (0.0 seconds)! The majority of these were able to be cracked in under 22 seconds. The list was full of high profile people making the same mistakes we all do.

If you use email providers like Gmail, you don’t need to worry too much about your passwords being cracked by hacking software. These providers are set up to stop illegitimate attacks almost immediately. The same goes for your online banking, but for websites like yours that don’t have the same level of security, we need to know how to keep the hackers out.

 


 

Don’t use obvious patterns!

When creating passwords, you should avoid typical patterns that are easily guessable by attackers. These patterns include:

  • Sequential numbers or letters: Avoid using consecutive numbers or letters, such as “123456” or “abcdef”.
  • Repeated characters: Do not use simple repetitions like “111111” or “aaaaaa”.
  • Keyboard patterns: Steer clear of patterns that follow keyboard layouts, such as “qwerty” or “1qaz2wsx”.
  • Personal information: Avoid using easily accessible personal information, like your name, birthdate, or phone number.
  • Dictionary words: Do not use single words found in the dictionary, as these can be easily cracked using dictionary attacks.
  • Simple substitutions: Replacing letters with numbers or symbols that look similar, like “p@ssw0rd”, is not secure enough.
  • Short passwords: Longer passwords are generally more secure, so avoid using passwords with fewer than 12 characters.
  • Common phrases: Using well-known phrases, quotes, or idioms can be easily guessed.
  • Password variants: Avoid using slight variations of the same password across different accounts.
  • Default passwords: Do not use default passwords provided by websites or devices, as these are often the first ones attackers will try.

Instead, create strong, unique passwords by using a combination of upper and lowercase letters, numbers, and symbols. You can also use a passphrase consisting of multiple random words, which can be easier to remember and still provide strong security. To manage multiple complex passwords, consider using a password manager.
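
The patterns listed above can be checked mechanically, for example when a client sets a new server or CMS password. This is an added example, not code from the original post: the deny-list is a constructed sample of the top-50 list below, and `audit`, `context`, the US keyboard layout and the four-character run length are assumptions of the example.

```python
import re

# Constructed deny-list: a handful of entries from the article's top-50 list.
COMMON = {"123456", "password", "qwerty", "dragon", "letmein",
          "1qaz2wsx", "trustno1", "zxcvbnm", "abc123", "monkey"}
# Keyboard rows and columns on a US QWERTY layout (assumption of this example).
KEY_RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1qaz2wsx3edc", "qazwsxedc"]
# Undo look-alike substitutions so "p@ssw0rd" is compared as "password".
LEET = str.maketrans("013457@$!", "oieastasi")


def has_sequence(pw, run=4):
    """True if `run` consecutive characters step by +1 or -1 (abcd, 4321)."""
    codes = [ord(c) for c in pw.lower()]
    for step in (1, -1):
        streak = 1
        for a, b in zip(codes, codes[1:]):
            streak = streak + 1 if b - a == step else 1
            if streak >= run:
                return True
    return False


def has_keyboard_walk(pw, run=4):
    """True if the password contains `run` adjacent keys, in either direction."""
    low = pw.lower()
    rows = KEY_RUNS + [r[::-1] for r in KEY_RUNS]
    return any(r[i:i + run] in low for r in rows for i in range(len(r) - run + 1))


def audit(pw, context=()):
    """Return the weaknesses found in `pw`; an empty list means no check fired."""
    low = pw.lower()
    plain = low.translate(LEET)  # password with substitutions reversed
    checks = [
        ("short", len(pw) < 12),
        ("common", low in COMMON),
        ("substitution", low not in COMMON and plain in COMMON),
        ("repeated", re.search(r"(.)\1{3,}", low) is not None),
        ("sequence", has_sequence(pw)),
        ("keyboard", has_keyboard_walk(pw)),
        ("personal", any(w.lower() in low or w.lower() in plain for w in context)),
    ]
    return [name for name, hit in checks if hit]


if __name__ == "__main__":
    for pw in ("qwerty", "p@ssw0rd", "7HR1V3"):  # constructed sample inputs
        print(pw, audit(pw, context=["Thrive"]))
```

Pass the business or client name in `context` so that a password built from it is flagged even when letters have been swapped for digits.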

Digital privacy is so important!

It seems we humans are a predictable bunch, so it doesn’t take long for dedicated hacking software to crack our passwords. Most people think of obvious words and numbers and combine them in simple ways. Adding a variation in characters, for example changing THRIVE to 7HR1V3, will make a little difference to how hard it is to guess; the length of the password, however, is more significant. As it turns out, the biggest mistake you can make is choosing a password that is too short. The longer a password is, the stronger it is. Most passwords are approximately 8 characters long, so make sure yours is longer than this.

For a secure password, you could try a password generator like LastPass, one of the tools we like to use. This uses simple words and even spaces, but because of the number of characters it can make your password literally millions of times harder to guess. The good thing about this is that the words make it much easier to remember.
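
The arithmetic behind the "Long" advice earlier and the length-versus-substitution point in this section, as an added example that is not part of the original post. It uses the article's rate of 7 billion guesses per second; the alphabet sizes, the 7,776-word list and the set of swappable letters are assumptions of the example.

```python
import math

GUESSES_PER_SEC = 7e9                    # offline GPU rate quoted in the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600
LOWER, ALNUM = 26, 62                    # a-z; a-z + A-Z + 0-9
WORDLIST = 7776                          # assumption: Diceware-sized word list


def exhaust_seconds(symbols, length, rate=GUESSES_PER_SEC):
    """Worst-case seconds to try every string of `length` over `symbols` choices."""
    return symbols ** length / rate


def entropy_bits(symbols, length):
    """Bits of entropy when every position is chosen uniformly at random."""
    return length * math.log2(symbols)


def leet_variants(word, swappable="aeiost"):
    """Spellings an attacker must try if each swappable letter may be replaced."""
    return 2 ** sum(ch in swappable for ch in word.lower())


def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:,.0f} seconds"


if __name__ == "__main__":
    rows = [("8 lowercase letters", LOWER, 8), ("8 mixed-case alphanumeric", ALNUM, 8),
            ("13 mixed-case alphanumeric", ALNUM, 13), ("5 random words", WORDLIST, 5)]
    for label, symbols, length in rows:
        print(f"{label:28} {entropy_bits(symbols, length):5.1f} bits  "
              f"{human(exhaust_seconds(symbols, length))}")
    print("THRIVE -> 7HR1V3 style swaps multiply guesses by", leet_variants("THRIVE"))
```

On those assumptions the 30-second figure corresponds to 8 lowercase letters and the 900,000-year figure to 13 mixed-case alphanumeric characters, while the THRIVE to 7HR1V3 swap multiplies the guesses needed by only 8.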

 

Finally, the 50 most common passwords:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 123456789
  6. 12345
  7. 1234
  8. 111111
  9. 1234567
  10. dragon
  11. 123123
  12. baseball
  13. abc123
  14. football
  15. monkey
  16. letmein
  17. shadow
  18. master
  19. 696969
  20. michael
  21. mustang
  22. 666666
  23. qwertyuiop
  24. 123321
  25. 1234…890
  26. p*s*y
  27. superman
  28. 270
  29. 654321
  30. 1qaz2wsx
  31. 7777777
  32. f*cky*u
  33. qazwsx
  34. Jordan
  35. Jennifer
  36. 123qwe
  37. 121212
  38. killer
  39. trustno1
  40. hunter
  41. harley
  42. zxcvbnm
  43. asdfgh
  44. buster
  45. andrew
  46. batman
  47. soccer
  48. tigger
  49. charlie
  50. robert

 


Written by Dean Oakley

Dean founded Thrive Digital in 2006 and has worked in the design and development space ever since. He received 1st Class Honours in a Bachelor of IT and oversees all technical aspects of our projects.