The 25 Most Popular Passwords Of 2013: God Help Us

You'd think that, by this point, people would start being a little more discerning with their passwords. You would be wrong. And here are the 25 most common (i.e. worst) passwords of 2013 to prove it.

Compiled by SplashData, the list pulls from the millions of stolen passwords made public throughout the year — a large chunk of which was made possible thanks to the Adobe hackers and their 38 million victims back in October. That explains why this year's list includes newcomers "adobe123" and "photoshop". It also gives us the opportunity to remind you that basing your password on whatever program you're logging into is always a terrible, terrible idea.

In perhaps the most notable change, this being the first year that anything other than "password" has secured the top spot, we offer a well-deserved congratulations to "123456". Other new additions include alternate keyboard layout "azerty" and the ever-mysterious "000000". Think your password's better? Show us down below! (Kidding. Please don't do that. Unless your password's "princess" — in which case, yeah, we know.)

1. 123456 (Up 1)

2. password (Down 1)

3. 12345678 (Unchanged)

4. qwerty (Up 1)

5. abc123 (Down 1)

6. 123456789 (New)

7. 111111 (Up 2)

8. 1234567 (Up 5)

9. iloveyou (Up 2)

10. adobe123 (New)

11. 123123 (Up 5)

12. Admin (New)

13. 1234567890 (New)

14. letmein (Down 7)

15. photoshop (New)

16. 1234 (New)

17. monkey (Down 11)

18. shadow (Unchanged)

19. sunshine (Down 5)

20. 12345 (New)

21. password1 (Up 4)

22. princess (New)

23. azerty (New)

24. trustno1 (Down 12)

25. 000000 (New)

[SplashData]

Picture: Shutterstock/kpatyhka


Comments

    I'm still amazed at the number of people I meet at work (some in quite high level management) who use the same password every time they are required to change it, just changing the number at the end, or who use very basic easily guessable passwords.
    Even better are those who think nothing of sharing passwords, store passwords in Excel spreadsheets, Word docs and even text files.
    Naturally these people think that password managers are just for geeks, too hard to use, or too "over the top".
    What's worse than any of that is the fact I work in government.

    Last edited 21/01/14 7:42 am

      I haven't yet found a password manager that works with RDP, SSH, or lets you log in to the machine when you're sitting at it after first booting it up. They only seem to work for web-based systems (and a lot of them store your passwords on *their* server, and I don't think that makes any sense in terms of security). So when a password manager doesn't do the job, and you're dealing with multiple systems across multiple networks, how does one manage all those passwords?

      If you can prove me wrong, and link me to some password manager software that does work with SSH and RDP, I'll happily eat my words.

        Keepass is what you are after then. It doesn't store passwords anywhere, except on an encrypted *.kdbx database which can be on a secure USB key if you would like. (In fact the whole program can be run off a USB key if you don't trust your company or need to use many different systems - you can also sync your database to smartphones manually or using the cloud.)

        For corporate applications (ie how do you expect my users to remember all these different randomly generated 32 character passwords), Keepass also supports multiple databases and multiple user keys - so you have your own private database, as well as one on a shared drive - each user can then create their own (encrypted) key to access that shared corporate resource.

        As for RDP/SSH etc, lastpass do have a solution for this, but regardless, what's wrong with good old copy/paste?

        Yes I did mention Lastpass above as well and yes OK even though I do realise you don't like commercial services, lastpass do have 2-factor authentication protection using multiple different providers and methods, some geared specifically towards corporate environments and designed so that users can use them right across their workplace SOE, even if they are using RDP/SSH facilities.

        Last edited 21/01/14 4:04 pm

          You can remain an ass with this program.

        Lastpass encrypts your passwords etc before they leave your computer so Lastpass never sees or has any way of knowing your passwords. Steve Gibson of Gibson Research did a very in depth analysis and basically gave their process and methods the thumbs up as the gold standard of how something should be done. Steve consults for the likes of the FBI and is highly respected. His review is worth the watch if you're nerdy enough to want to know. The benefit is that by storing in the cloud your passwords are available on every device you own and you don't suffer the problem of USB drives needing somewhere to plug in....iDevices anyone?

          The problem with services like Lastpass is that they can provide an update of the tool which gives them unencrypted passwords.
          The same applies to KeePass to the extent that no-one looks at the code, or compiles it themselves.

            they *could* (in theory) do that...

            ...and go broke the very next day.

            So many enterprises rely on lastpass they would be sued out of existence if they did that. As soon as the users find out (about 5 minutes later) millions of passwords will be changed across the internet.

            KeePass contributors, developers, and porters look at the code in every new version. How can you say that *nobody* looks at the code?

            Some people will never believe in secure password lockers no matter what anybody says.

              I use KeePass (in conjunction with a OTP generator) and I think it is an excellent locker. I also think Lastpass is excellent, and I wish more people used password lockers.

              However, if the US government told Lastpass that they had to put a backdoor in their software (a la Lavabit) to capture the passwords of one specific user, then what do you think they would do? They could fight it out in a secret court without being allowed to use a lawyer, and they could shut down the service, but what do you think they would do?

              You're right, people do look at the KeePass code - just not most of the users. How many users compile their binaries from the source rather than just download them? If the binaries of KeePass on the site contained compromised code that wasn't included in the repositories, how long do you think it would take people to notice?

              Passwords managers are one solution to the issue of bad passwords. Another is using TOTP tokens for every site. A third is using client-side certificates. With each of these, though, you have a new item to protect: your password database (or your password for it, in the case of Lastpass), your token database, or your certificates.

              Last edited 22/01/14 4:17 pm

      This is a direct result of too-frequent password change intervals that make it impossible to remember what the hell your password is on $site. I'd rather my users have one good password forever per site/service than a sequence of shitty passwords.

      I'm an IT admin and use a password manager, and even that's a damned imperfect solution (especially if I want to use someone else's computer to do something that requires me to log in somewhere).

      Last edited 21/01/14 9:27 am

        Yep. Some people are naturals remembering stuff like this but most of us aren't. A friend of mine could remember pretty much every phone number she'd ever linked a face to but for most of us that's insane.

          I'm like that - it's something I've always been able to do. Difficult to forget cringe worthy moments too :\

        I'm pretty sure I've read that password changes are bad for security (probably an article on this very site) far better to demand a single complex and long password and never have to change it (or do it at very long intervals...years)

      I think the problem of people using the same password and just changing the last digit is a product of users not being provided with a simple alternative. IT departments are failing in that regard. Most people have never heard of a password safe. I made a bunch of users aware of a password safe app and they started using it, and wondered why no one had showed them this before. If IT departments made people aware of these things they might actually use them (though convincing them to make a decent password for the safe is another matter).

      I'm surprise that there hasn't been a good enterprise-grade solution that's taken hold yet. I'm not sure what the best solution is. 2-factor authentication using a phone app (eg. RSA or Google Authenticator)? Centralised secure password safe with a strict password requirement? Biometric?

      As for people storing passwords in unsecure documents, that's just dumb, although again I think some of it comes from not knowing of an alternative. Most people aren't all that interested in computers. They like them when they work, but won't dig any deeper, or even know to look for something like a password safe.

      But people sharing passwords, that's just wrong. I've seen people with very privileged accounts doing that as standard practice. It's generally done to hide something rather than go to the effort of explaining why another person needs that access, or going to the hassle of figuring out how to get certain access. It's quite bad and inexcusable.

        I have 4 different programs with 4 different passwords at work alone. Each has to be changed every month. My passwords suck. I blame the IT department. We do have group passwords for the entire business (100s of PCS), one of them is on the list!

        Thanks for the great reply - see my response to ogre above - lastpass in particular really likes to position itself as THE password manager for corporates.

        I agree with your sentiments about password safe education. My organisation has a password safe included with the SOE - so every computer and laptop in the place has it installed, but do you think ANYBODY has ever heard of it? (I used to use the program we have, but now I use lastpass. I'm thinking of moving back though.)

        After I read this article this morning I thought about suggesting that to management as a future topic for one of our whole-of-staff meetings held every few months, and your reply just cemented that view so I think I will suggest it. Thanks.

      Our gov organisation used to make us change every month and couldn't use any previously used (then it became in the past 12 months).
      Seriously, what's the bigger security risk: me keeping one long password for a year, or you having a record of every password I've used in the past year?

      Passwords are bogus at work...it's key passes to enter the building through multiple doors and swipes in many instances (particularly to get into legals or somewhere with important info) then passwords on my pc...then finding anything on our masses of messy servers....and something that's useful? It's all a waste of time (for ages I just used the finger swipe as it was quicker and I didn't have to remember the stupid password they made me change every month which I obviously just changed the last digit to that month like everyone else :p)

    I've had Telstra set up three different accounts using abc123. Also Netgear's default uid/pw is admin/password.

      There is perfectly good reason behind this, the user is supposed to change the password from the default!

        I often log into people's wifi routers to find the password unchanged as admin/password, admin/admin etc. Makes me laugh every time. Then I download 10gb torrents :D

    If '0000000000' is good enough for nuclear missiles, then it's good enough for Facebook.

    HAH my password isn't there :)

    it's Password1
    (well only for testing with local vm images)

    the amount of staff that have issues remembering passwords is astounding!

    You know what? They should not have these stats. A well designed system should encrypt these passwords so that we shouldn't be able to gather these stats.

      …yes, and a good government will not pass stupid laws.

      What do good governments, god, and systems that aren't stupid in at least one way have in common? I've never seen evidence that any of them exist.

      Last edited 21/01/14 9:29 am

        ... yet we somehow find enough faith to place at least a little trust in all of them!

          Some might… I generally do not.

      I think these stats are gathered from password leaks which happened throughout the year. One suspicion I have for this is the high ranking of the passwords 'adobe123' (10) and 'photoshop' (15) both new entries. The recent leak of Adobe passwords leads me to this conclusion.

      + I just RTFA and the aside states "The 2013 list of worst passwords, influenced by postings from the Adobe breach"

    My favourite is where staff write their password on a post it notes stuck to their monitor. We spend big bucks on ensuring our networks are as safe as they can be and people do this.

      Of course this is stupid.

      Any fool knows that the post-it note should be stuck to the bottom of your keyboard.

      YES! Thank you - I've seen this before. I actually had the response once:

      "The piece of paper is hidden underneath the keyboard, nobody will ever find it there." I've had someone else say the same thing about the piece of paper in the top desk drawer before too.

      I suppose those same people must walk around with a note in their wallet - complete with ATM card PIN.

      How bad an idea this is depends on whether the greater risk is from outside attackers (on the network) finding the password through bruteforcing or dictionary attacks, or from inside the office.

      It isn't a good idea, but it isn't necessarily a disaster. Unless you work in a bank, or for the police, or something like that. Then it is a disaster.

      Or when a school in the 80s writes down the password to the student records computer in the top drawer, and makes it something super simple like "pencil"...

    You know what is even funnier - are the comments above telling us their passwords . . . .

      Where?

        HAH my password isn't there :)

        it's Password1
        (well only for testing with local vm images)

        ah ok - just for testing locally . . .

    In all fairness, many of these passwords are 'default' passwords for new accounts, etc that people just probably never got around to changing, or didn't realise they needed to.

    Doesn't make it any less silly from a security perspective - but most of these passwords wouldn't have been chosen by people.

      Any developer who produces a system using any of these passwords as 'default' passwords (rather than an autogenerated sequence of characters) has no business developing the security part of anything.

      Edit: which doesn't necessarily make you incorrect

      Last edited 22/01/14 8:32 am

        I'm not talking about software default passwords - more new accounts created for people, so they can change their password after first login, etc. We create new accounts for people on our messaging system with 'letmein' and then prompt the user to change the password when they first login. That way they can choose their password, and there's no confusion.

          That makes more sense.

            Somehow most still forget or don't do it, despite being told explicitly that it's a good idea, and they have to say 'no' to the password change in order to move on.

            *headdesk*

              In Windows networks using Active Directory, the administrator can set an account to 'User must change password on next login'. It sounds like more software needs that.

    adobe123 was the password for one of the old admin accounts at my high school.

      Heh, the simplicity of the passwords at my old school: with a little thought pretty much anything was accessible using the format of account name followed by the postcode, or in some cases part thereof…

    In many public access computers having passwords is difficult and some software/setups require a password. This is where the commonly used passwords that we sneer at come into play.

    With 90% of support calls to ISPs, based on the router they will tell you the password and the IP address to access the router, this is good for those that do not know what they are doing. Hence a stock password is useful there.

    One interesting admin password that I had seen was setup to use both hands and speed up entering the password. This was used to protect the BIOS setup on public access computers to prevent changing the boot sequence.

    When complex passwords are used, I have seen people yell out their passwords from a distance where at least 10-15 people have heard them, of which there are more strangers/outsiders than employees. Replace that with a swipe card, problem reduced.

    I have even seen a couple of people offer their debit cards with the PIN to the attendant making the transaction (not in Australia). So, it is not the password that is the issue, the weakest link here is the human user, fix that and ... problem solved.

    CorrectHorseBatteryStaple.

    What gets me is the people who build character limits into password fields. (Must be alphanumeric and no longer than 10 characters. Etc).

    I'd say restrictions like that are a defining cause of password stupidity.

      Westpac is fixed length... Stupidest idea ever.
      And CBA is case-insensitive - I dutifully typed my capitals in there for years until one day I noticed capslock was on after I hit enter and it worked anyway.

      Secure as banks...

        Actually, limiting length is important as the heavy hashing involved can allow password hashing to be used for DoS. Of course, the limit you need to impose to avoid that is still well over 10 characters. Django uses 4096 bytes.

        Case insensitivity in passwords is totally nuts, as in excluding virtually any non-control character.

        Last edited 22/01/14 8:30 am

        Woah, never noticed that CBA was case insensitive until I tried just then. How is putting a capital into your pass going to secure this one?

    12345 ?
    That's the kind of thing an idiot would have on his luggage.

      Haha! Spaceballs reference! That takes me back.

    The funniest thing I'm seeing is that 'monkey' is at 17, but down by 11 spots from last year. Why did so many people use 'monkey' as a password that it was ranked 6th in 2012?

      my guess is that the Venn diagram of people who use passwords like 'monkey' and the people who read about password security does not intersect.

    There's a command line client for Keepass that you can use over SSH (http://kpcli.sourceforge.net/). It also has mobile clients so you can open your DB from another device to get your power on password after a reboot.

    YES Password1!¡! still remains secure *fist pump*

      Spirit level fist pump?

        mmmm spirits. And funny since I just replied to a thread on lifehacker about whisky

          I was referring to the Old Spice Australian commercial. Funniest thing I've seen in ages.

            haha yes indeed, my bad, missed the connection, was busy setting free a kittyburra

    I was going to comment, but I couldn't remember my password.

    I am so glad I now actually use proper password techniques; my old passwords were shocking (one of them was actually my name, how is that possible?).

    *********

    Hey! If you type in your password, it comes up as stars!

      123456

      Hmm. It didn't show up as stars for me. Is that because it's my password, so it shows up as stars for you?

        Oh, sorry, it must because I changed it to a less popular password.

        password

        Nope, still not showing as stars.

    As someone can read the passwords to collect statistics they are really a bit of a waste of time, aren't they.

      Yes, but the reason that these passwords are readable is because they were poorly encrypted using reversible encryption (a la Adobe) or hashed using weak hashes (a la single-pass unsalted MD5) and so can be easily extracted by bruteforcing or rainbow tables.

      It's easy to build the list of most popular ones because they are typically bad and stored with bad hashing, so they are particularly easy to get with dictionary attacks, or at worst to bruteforce.

      This article from 2012 describes a GPU-based bruteforce system capable of "180 billion attempts per second" for MD5. That's 180 billion password attempts per second. That means bruteforcing every single alphanumeric password 9 characters or less that is MD5-hashed in under a day.
      (Of course, by then dictionary attacks will have been run with character substitutions, character insertions, capitalisation, and word combinations; that will have found the vast majority of passwords).
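To show what the exchange above is getting at, here is an added Python demo (not from the article or any commenter): a constructed ten-record password dump, with the article's own 25 entries as the guessing dictionary, stored once as unsalted MD5 and once with a per-user salt and a slow KDF (PBKDF2 here; the iteration count is deliberately low for the demo). Unsalted digests leak frequency statistics before anything is guessed and one precomputed table covers every record; salting removes both of those, but trivially weak passwords are still recovered, so storage hygiene is no substitute for rejecting them.

```python
import hashlib
import os
from collections import Counter

# Constructed sample of ten leaked user passwords (not real breach data).
# Most reuse entries from the SplashData 2013 list; one is unique.
SAMPLE_PASSWORDS = [
    "123456", "password", "123456", "adobe123", "123456",
    "photoshop", "password", "letmein", "Tr0ub4dor&3", "123456",
]

# The 25 passwords from the article, used as a tiny guessing dictionary.
TOP25_2013 = [
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "Admin",
    "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
    "sunshine", "12345", "password1", "princess", "azerty", "trustno1",
    "000000",
]

KDF_ITERATIONS = 10_000  # kept low so the demo runs quickly; production uses far more

def md5_unsalted(pw: str) -> str:
    """The weak scheme from the comment: a single pass of unsalted MD5."""
    return hashlib.md5(pw.encode()).hexdigest()

def kdf_salted(pw: str, salt: bytes) -> str:
    """Per-user random salt plus a deliberately slow derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, KDF_ITERATIONS).hex()

def store_unsalted(passwords):
    return [md5_unsalted(p) for p in passwords]

def store_salted(passwords):
    records = []
    for p in passwords:
        salt = os.urandom(16)  # fresh salt per record
        records.append((salt, kdf_salted(p, salt)))
    return records

def largest_cluster(digests):
    """Size of the biggest group of identical digests. Without salt, identical
    passwords give identical digests, so popularity stats fall straight out of
    the dump before anyone guesses a single plaintext."""
    return Counter(digests).most_common(1)[0][1]

def recover_unsalted(digests, wordlist):
    """One precomputed table of 25 digests serves every record in the dump."""
    table = {md5_unsalted(w): w for w in wordlist}
    return [table.get(d) for d in digests]

def recover_salted(records, wordlist):
    """With salts no table can be shared: each (record, word) pair costs a KDF
    run. Trivially weak passwords are still found, so salting is no substitute
    for rejecting them; it removes the frequency leak and the shared table."""
    found, kdf_runs = [], 0
    for salt, digest in records:
        match = None
        for w in wordlist:
            kdf_runs += 1
            if kdf_salted(w, salt) == digest:
                match = w
                break
        found.append(match)
    return found, kdf_runs

if __name__ == "__main__":
    unsalted = store_unsalted(SAMPLE_PASSWORDS)
    salted = store_salted(SAMPLE_PASSWORDS)
    print("largest cluster, unsalted MD5:", largest_cluster(unsalted))
    print("largest cluster, salted KDF:  ", largest_cluster(d for _, d in salted))
    hits = recover_unsalted(unsalted, TOP25_2013)
    print("recovered from MD5 with one table:", sum(h is not None for h in hits))
    found, runs = recover_salted(salted, TOP25_2013)
    print("recovered from salted KDF:", sum(f is not None for f in found), "after", runs, "KDF runs")
```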

    Where are we with fingerprint ID... wasn't that supposed to be the cure-all for password entry. Why isn't there a cheap easy solution that corporates could adopt

      Trouble is that every consumer-level fingerprint imaging system (including the iPhone 5s) is bypassable with a 'fake' fingerprint. You need the person's fingerprint, but you can then create a fake from it. Iris imaging devices have fared no better.

      Maybe the 'best' solution would be a dedicated multi-TOTP (time-based one time pad) generator to combine with passwords. I've thought about doing this with an old Android mobile and Google Authenticator. Having Google Authenticator on your actual mobile isn't a great idea because it is networked and people often run 'root' software on it (or malware can potentially steal data) which means all the one-time pads can be stolen. On an isolated device with mobile and network turned off, that isn't a problem.
      If that were in a 'stick' form with a display and basic scrolling through one-time pads then that would be great.

        Eh?
        "You need the person's fingerprint, but you can then create a fake from it"

        How can you do that... surely not... no no put down that knife..........

          You need to lift the fingerprint from a smooth surface (e.g. a glass). It isn't very easy, because people don't leave nice clean fingerprints everywhere, but if you were moderately dedicated you could pull it off.
          (e.g. Telegraph article about one of the more difficult sensors, the iPhone 5s, being 'hacked'; many sensors don't need such a good fingerprint, and don't need as much fiddling - you can mould a fake fingertip out of 'gummy bears').

    I never had passwords that bad but I was almost there. Have been using PassMaster this year though. It generates random passwords for me and stores them (encrypted). I think the website is www.utileapps.com

    I have just under 40 passwords for work and around half of those I would need once a month at most. Each system has a different change cycle. Some change every 30 days, 45 days, 1st of the month, once a quarter, etc. I honestly don't know a single person who doesn't record them somewhere or use a pattern or even the same one across all systems. It would be virtually impossible not to, and third party software is discouraged.

    I don't think it's necessarily the users' fault for having simple or easy to guess ones; there is such a proliferation of usernames and passwords, there needs to be an easier way.

    Also, on top of the some 40 work passwords I then have internet banking, gaming sites, forums, emails, social media, government logins too. It's enough to make my brain melt.
