Do Yourself a Favour, Don’t Use One of These Passwords

For most people, passwords are annoying barriers that you have to deal with to access your favourite sites, email, and online services. While your Gmail and Facebook accounts may seem harmless – if not utterly useless – to cybercriminals, they likely contain some pretty important personal information such as your birthday, bank account numbers, phone numbers and addresses. That information, unsubstantial on its own, can be quite useful to hackers who cross-reference with data from other dark sources.

To keep your info safe, experts recommend strong passwords that include a combination of upper- and lower-case letters with some numbers. That won’t stop sophisticated hackers from accessing your data if they really want to, but it will stop the most common hacking strategy, guess-work and probability. As an everyday Joe, it’s unlikely you’ll become the target of well-known groups like Anonymous or Lizard Squad, but you could be the victim of that co-worker you ticked off in the lunch room.

To give you an idea of what qualifies for a stupid, predictable password, SplashData has published its list of the 25 worst passwords of 2014. The company compiled the data by examining files of millions of stolen passwords posted online by hackers. Give your head a shake if yours is one of the passwords on the list:

  1. 123456

  2. password

  3. 12345

  4. 12345678

  5. qwerty

  6. 123456789

  7. 1234

  8. baseball

  9. dragon

  10. football

  11. 1234567

  12. monkey1

  13. letmein

  14. abc123

  15. 111111

  16. mustang

  17. access

  18. shadow

  19. master

  20. michael (I’m looking at you, Hainsworth…)

  21. superman

  22. 696969

  23. 123123

  24. batman

  25. trustno1

If you want to get a sense of how good or bad your passwords are, check out this handy, free tool.


Liked it? Take a second to support Matt Padanyi on Patreon!
Become a patron at Patreon!

Leave a Comment


  • a few things:

    1) xkcd had an excellent comic on this:

    “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess”

    2) I was an intern at a post office once, working as assistant to the postmaster, and the entire network of post offices in that province at the time had a password system, where nobody picked their own passwords, passwords were assigned, and changed every 2 months. yes, it was a pain in the ass, but the system used for choosing passwords was interesting. each new password was a season in all lowercase, with a single digit on each end, for example “2winter8”. fairly easy for a person to remember, but difficult for a person to “crack” unless they were already aware of the system, in which case all it would take is patience (there’s only 400 possible combinations). for the record, I never heard of any breaches while I was there.

    3) I get furious when I’m trying to sign up for a site or service, and I get to the password selection, and it tells me my chosen password is “invalid” because of their ludicrous criteria. listen, I’ve been using essentially the same password and variations on it for everything for 12 years, and I’ve never been password hacked once. ever. I’ve been app hacked (I let a third-party app access a twitter account, then it started spamming my feed, so I blocked it). I feel insulted that this system is telling me my password isn’t secure enough when my personal experience proves otherwise. and most of the time it’s something that’s not that big a deal, like a social media site or something, not banking or locking down nuclear missiles, so there’s no good reason for these beyond-overzealous security measures.

    case in point: