The top 10 awfully bad passwords people use

Many end users don't understand the need for good passwords, report shows

You might think that after nearly two decades of data breaches, identity theft and other online risks, your average end user would understand by now the importance of creating strong passwords and protecting them.

You would be wrong.

Data security firm Imperva analyzed 32 million passwords that a hacker stole from an application developer called RockYou, and published a report of the findings earlier this year, including the 10 most commonly used passwords, all of them terrible.

They are:

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123

Entry No. 7, "rockyou," is the name of the Web site for which the users created the password. Their Amazon and Audible passwords are probably "amazon" and "audible," respectively.

Nearly half of the users created easily guessable passwords, including names, dictionary words and strings of consecutive numbers, according to the report. The most common password found was "123456."
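The categories the report calls out (entries from the top-10 list, names and dictionary words, strings of consecutive numbers) are exactly what a registration form should reject before a password is ever stored. The screener below is an added example, not code from the article or from Imperva's report. TOP10 is the list printed above; SAMPLE_WORDS, the leet-substitution map and the sample inputs are constructed for illustration and stand in for the breached-password corpus a real deployment would load.

```python
import re

# Constructed sample data for this example. TOP10 is the report's list as
# printed in the article; SAMPLE_WORDS stands in for a real name/dictionary
# list, which in practice would be a breached-password corpus of millions
# of entries rather than a handful of words.
TOP10 = {"123456", "12345", "123456789", "password", "iloveyou",
         "princess", "rockyou", "1234567", "12345678", "abc123"}
SAMPLE_WORDS = {"princess", "love", "monkey", "dragon", "michael",
                "jessica", "sunshine", "football"}

# Common character substitutions users apply to a word ("P@ssw0rd"); undoing
# them before comparison catches dressed-up variants of list entries.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def alphabetic_core(pw):
    """Strip leading/trailing digits and punctuation ("jessica1990" -> "jessica")
    and undo leet substitutions, so a decorated word is still recognized."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return core.lower().translate(LEET)


def is_digit_run(pw, min_len=4):
    """True for ascending or descending runs of consecutive digits such as
    123456, 987654 or 1234567890 (the 9 -> 0 step is allowed via mod 10)."""
    if len(pw) < min_len or not pw.isdigit():
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {9}


def weak_password_reasons(pw, min_len=8):
    """Return the list of reasons a password fails screening (empty if it
    passes). Covers the categories the report names (list entries, names and
    dictionary words, consecutive digits) plus repeated characters and short
    length. This is a denylist check, not a strength estimator."""
    reasons = []
    core = alphabetic_core(pw)
    if pw.lower() in TOP10 or (core and core in TOP10):
        reasons.append("matches a top-10 password")
    if core and core in SAMPLE_WORDS:
        reasons.append(f"dictionary word or name: {core}")
    if is_digit_run(pw):
        reasons.append("consecutive digits")
    if len(pw) >= 2 and len(set(pw)) == 1:
        reasons.append("single repeated character")
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    return reasons


def screen(passwords):
    """Map each candidate password to its screening result."""
    return {pw: weak_password_reasons(pw) for pw in passwords}


if __name__ == "__main__":
    # Constructed sample input: report entries plus a few decorated variants.
    sample = ["123456", "Password", "P@ssw0rd!", "jessica1990",
              "987654321", "aaaaaaaa", "Tr0ub4dor&3"]
    for pw, why in screen(sample).items():
        print(f"{pw:14} {'OK' if not why else '; '.join(why)}")
```

Note that a password which passes this screen is merely not in a known-bad category; the check says nothing about entropy, and it is only as good as the word list behind it, which is why production systems screen against large breach corpora rather than a hand-picked set like SAMPLE_WORDS.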

"Everyone needs to understand what the combination of poor passwords means in today's world of automated cyberattacks: With only minimal effort, a hacker can gain access to one new account every second — or 1,000 accounts every 17 minutes," said Amichai Shulman, Imperva's chief technology officer, in a written statement that accompanied the release of the findings. "The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of passwords as a security mechanism. Never before has there been such a high volume of real-world passwords to examine."

Download the full report.



About the Author

Technology journalist Michael Hardy is a former FCW editor.


Reader comments

Tue, Aug 17, 2010 Tom

I feel your pain. I have been a victim of ID theft for the last 7 years. I was able to turn my information against him and catch him through the Social Security Administration office, only to see this guy get deported and do it to me all over again. I hate to say it, but it will take someone to target these people who don't seem to care. It has to be a problem for them to get anything changed. Right now, it's just not.

Mon, May 17, 2010

To the very lengthy comment about smart card authentication: if you think that the Chinese haven't cracked these, you're wrong.

Mon, May 17, 2010 Christine

Quite a while ago I used a couple of systems that had no limit on the number of characters and no requirements for upper/lower/characters, etc. My password was along the lines of "johnsmithwasmyfirstkissandhewasreallybadatitilltellya"; another was "janejoneswasabigolemeanieinkindergartenandihopeshegetscooties". The "cheat sheet" included a drawing of lips and a drawing of cooties. NOW I have 17 passwords for work that need to be changed every 30 or 60 days, and I'm too darn old and foggy to remember my own code system, so they are on an index card in my purse.

Mon, May 17, 2010 Robert B Marshall CISM CISA New York

I am annoyed that so many will never wake up to the current need to stop depending on old authentication methods to verify entry of a person into a system. This is as bad as every phone company (cellphones especially) depending on the last 4 digits of your SSN and your address for identifying that they are talking to you. How stupid do these execs think the common criminal is? Also, have they no care for the unemployed trying to gain back their reputation after an identity attack? I have been hacked into 9 times, and have worked full time on only keeping a$$#013$ off my machine. I need a job!! I don't have time for people hacking me in circles like a shell game all day. Nobody cares whether I eat a balanced meal or die, but I wish executives would own up to their security responsibilities and have their organizations stop relying on information readily available from a zillion sources. Once any of your info is in the wild, it is FOREVER in the wild, so that cannot be used as an ID verifier. Executives of corporations should ensure that employees', managers', and customers' lives and integrity are maintained in a guaranteed no-errors state. I bet you that if an identity mistake cost the executives $1 million from their astro salaries, they would gladly contribute $300 billion to reduce the $1 trillion in Internet losses in 2009 alone. By the way, that is my estimate of the cost it would take for every person to have a Secure-ID card. Yeah, some complain of the minor problems that the system is not yet perfect, but at least it is not a collection of data that you cannot recall back (excuse me, but could you keep my fingerprints with the City & State Police, FBI and State Department only, please).

Fri, May 14, 2010 mugg

Wow, the comment above seems to be almost longer than the article. PasswordSafe rocks. Sysadmins should know better, and users almost should. Rainbow tables are powerful, so password policies are required (lockouts, etc.) and longer than 9 characters is a must.

