'Password' No Longer Dumbest Common Password

In what can only be described as an improvement in the very feeblest sense of the word, Internet users in 2013 adopted "123456" as their preferred password, and let "password" fall to No. 2.

Splash Data, a Los Gatos, Calif.-based company that produces user-friendly security apps, keeps track of data breaches each year and monitors the resulting exposed passwords. Its annual list of "Worst Passwords" is supposed to dissuade users from picking easy-to-guess passwords, which are vulnerable to brute-force attacks as well as guesswork.

The lower-case "password" is, indeed, a terrible password: It contains no numbers, no capital letters and no unusual symbols, and other humans can guess it easily. "123456" is not much of an improvement, for similar reasons. Other popular, if dismal, choices include "12345678," "qwerty," "abc123" and "111111."


A few new entries did show up this year, such as "adobe123" and "photoshop." Splash Data theorizes that this may be due to the highly publicized Adobe data breach, which spilled login information for more than 130 million Adobe accounts.

Other new entries, such as "princess," are harder to explain. The practice of using common words, though, is old hat: "monkey," "shadow" and "sunshine" all appeared in the top 25, as did "iloveyou" and "letmein."

No password is completely immune from attackers, but Splash Data's list helps to illustrate just how ripe users can make their accounts for exploitation. Lower-case passwords consisting of complete words are easy to guess; passwords made up of digits are even easier, as there are fewer digits than letters. Appending a "1" or a "123" to a common word also does not do much to secure your information.

The best passwords are more than 10 characters long, use uncommon letter-and-number combinations and employ bits of punctuation to further confuse password crackers. Every Internet user should use a different password for each online service he or she employs; otherwise, a hacker who possesses one password can go on to compromise every Internet profile protected by that password.
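
The criteria above (no entries from the worst-passwords list, no all-digit strings, no dictionary word with a "1" or "123" tacked on, more than 10 characters) can be turned into a simple denylist-and-keyspace check. The following is an added example for illustration, not code from Tom's Guide or SplashData; the word list is a tiny constructed stand-in for a real dictionary, the list entries are the ones this article names, and the 60-bit brute-force floor is an assumed threshold.

```python
import math
import re

# Constructed from the entries named in the article above, not the full top-25 list.
WORST_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "111111",
    "adobe123", "photoshop", "princess", "monkey", "shadow", "sunshine",
    "iloveyou", "letmein", "12345",
}

# Hypothetical tiny dictionary standing in for a real word list.
COMMON_WORDS = {"password", "monkey", "shadow", "sunshine", "princess",
                "dragon", "welcome"}


def keyspace_bits(pw):
    """Approximate log2 of the brute-force keyspace: length times the size of
    the character pool actually used (an attacker who knows the pool is all
    digits, as with '123456', searches far fewer candidates)."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(pool) if pool else 0.0


def assess(pw):
    """Return {'reasons': [...], 'keyspace_bits': float}; an empty reasons
    list means the password passes every check the article describes."""
    reasons = []
    low = pw.lower()
    if low in WORST_PASSWORDS:
        reasons.append("on the worst-passwords list")
    if low.isdigit():
        reasons.append("digits only")
    # A common word, optionally followed by a short digit suffix such as 1 or 123.
    m = re.fullmatch(r"([a-z]+)(\d{1,3})?[!.]?", low)
    if m and m.group(1) in COMMON_WORDS:
        reasons.append("dictionary word with at most a short digit suffix")
    if len(pw) <= 10:
        reasons.append("10 characters or fewer")
    bits = keyspace_bits(pw)
    if bits < 60:  # assumed floor for this example
        reasons.append("brute-force keyspace under 60 bits")
    return {"reasons": reasons, "keyspace_bits": bits}
```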

That said, if a company does not adequately encrypt your data, even a good password will not prevent it from falling into the wrong hands in case of a breach.

At that point, your only recourse is to think up a new one. Just make sure it's not the same one that President Skroob used for his luggage in "Spaceballs."


Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi. 

  • Arrias
    "The best passwords are more than 10 characters long, use uncommon letter-and-number combinations and employ bits of punctuation to further confuse password crackers." The common but wrong theory. Complexity doesn't mean anything to a computer. Length does. The longer your password, the better.
  • CaedenV
    "The best passwords are more than 10 characters long, use uncommon letter-and-number combinations and employ bits of punctuation to further confuse password crackers." The common but wrong theory. Complexity doesn't mean anything to a computer. Length does. The longer your password, the better.
    Could not agree more. The whole thing about having capitals, symbols and numbers making your password more secure to a normal data breach is entirely bunk and is more to help customers of banks feel safe than it has anything to do with making the bank any safer. In fact, the whole idea that banks and other sites spell out their requirements makes them easier to crack in spite of the extra characters because it is just a list of requirements for a programmer to specify in their code. Having a long seemingly random, but memorable, password is the most secure way to go. Even if it is all lower case letters.
  • kryzstoff
    The idea that 'password' or '123456' are bunkum stats, and/or that is completely irrelevant anyway; most of their users would have deliberately selected a quick, easy passcode with zero interest in the security value of it -- I do not want to need any more passcodes than necessary; if someone uses my avatar \ username on Reddit or 4chan I could not care less, so I use nothing, or as close to nothing as possible, for a passcode. The overwhelming majority of websites and corporate networks require far more security than that, and you would rarely if ever be able to use a single-cased dictionary word or six numbers, as your password. Even blogging sites and commenting on forums require more secure passwords these days (except where anonymous users are allowed). Ironically most email sites and ebay have more stringent security than most banks, for identification and passwords. Serious hackers would be better off sniffing your mobile\wifi data or sneaking into your network to steal your identity and all your personal security questions, before marching off to your bank to empty your accounts. As for the best passwords, the ones you can remember are the best, not any with an incomprehensible string of meaningless characters (although p@$5w0>d type character substitution is years ahead of plain english words as well as being memorable enough). An 8-character password using any combination of characters can take < 6 hours to crack, and many will take just minutes! Every time you add a character to your password, you are exponentially increasing the difficulty it takes to crack via brute force. For example, an 8-char password has a keyspace of 95^8 combinations, while a 20-char password has a keyspace of 95^20 combinations; (95 = keys on most keyboards). However, this only applies to brute force attacks. If your password is weak it does not matter how long it is, as it will likely fall to other attacks such as word-list and rule-based attacks.
    Pass phrases that are 15 to even 100 chars long fail easily because they are too simple. Unfortunately many websites restrict us to 10 characters and many require beginning capital and ending number, for example, massively limiting your security options. At present your best bet to ensure your passcode is secure is to choose a text string that's randomly generated using Password Safe or another password management program.
  • g-unit1111
    Dark Helmet: The combination is 12345. Are you crazy? That's the kind of thing an idiot would have on his luggage!

    President Skroob: Did it work? Where's the king?

    Dark Helmet: It worked, sir. We have the combination.

    President Skroob: Great. Now we can take every last breath of fresh air from Planet Druidia. What's the combination?

    Colonel Sandurz: 1-2-3-4-5

    President Skroob: 1-2-3-4-5?

    Colonel Sandurz: Yes!

    President Skroob: That's amazing. I've got the same combination on my luggage. Prepare Spaceball 1 for immediate departure and somebody change the combination on my luggage!