There have been numerous studies of recent data breaches and the quality of the passwords either disclosed or discovered. A few good studies include:
- Unmasked: What 10 million passwords reveal about the people who choose them
- Today I Am Releasing Ten Million Passwords (Mark Burnett)
In addition to the common passwords listed below, here are a few other good resources:
Common Passwords
Top 10 from the 2012 LinkedIn data breach:
- 123456
- password
- 123456789
- 12345678
- 111111
- 1234567
- sunshine
- qwerty
- 654321
Top 25 from the Ten Million Passwords (Mark Burnett):
- 123456
- password
- 12345678
- qwerty
- 123456789
- 12345
- 1234
- 111111
- 1234567
- dragon
- 123123
- baseball
- abc123
- football
- monkey
- letmein
- 696969
- shadow
- master
- 666666
- qwertyuiop
- 123321
- mustang
- 1234567890
- michael
From MySpace:
- homelesspa
- password1
- abc123
- 123456
- myspace1
- 123456a
- 123456789
- a123456
- 123abc
- qwerty1
An older Hotmail password leak:
- 123456
- 123456789
- alejandra
- 111111
- alberto
- tequiero
- alejandro
- 12345678
- 1234567
- estrella
Choosing a Strong Password
There are also many guides on the Internet describing how to choose a good password.
- Use a password manager. Don’t try to keep it in your head. You can use the ones built into your web-browser, LastPass, Dashlane, KeePass, or others – they will all be better than you trying to remember them.
- Use a strong, random password. Those password managers will all create random passwords for you. Your goal should be somewhere around 128 bits of entropy, which would be a little more than 20 alphanumeric characters (each uniformly random alphanumeric character contributes log2(62), roughly 5.95 bits).
- Don’t share passwords between sites. Remember, you’re using strong, random passwords.
- Always enable two-factor authentication for sites that support it. Most methods are “good enough”, and all are better than a single factor (e.g. a password alone).
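A worked version of the entropy arithmetic in the bullets above, added here as an example rather than taken from the original page: it computes the length needed for 128 bits from a given alphabet, generates a password with a CSPRNG, and rejects candidates that appear in a constructed subset of the breach lists above. The COMMON_PASSWORDS set and the check_password policy are assumptions for illustration, not any site's actual rules.

```python
import math
import secrets
import string

# Constructed subset of the breach top lists above; a real policy check would
# load a full breach corpus (e.g. the Ten Million Passwords release).
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "12345678", "111111",
    "1234567", "sunshine", "qwerty", "654321", "password1",
}

ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length that reaches target_bits with the given alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str = ALPHANUMERIC) -> str:
    """Draw each character with the CSPRNG behind `secrets`, never `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_password(candidate: str, min_bits: float = 128.0) -> list[str]:
    """Return policy problems with candidate; an empty list means acceptable.

    The entropy estimate assumes every character was drawn uniformly from the
    classes present, which is optimistic for human-chosen strings; that is why
    the breach-list lookup comes first and is decisive on its own.
    """
    problems = []
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in breach top lists")
    alphabet_size = sum(len(c) for c in CHAR_CLASSES
                        if any(ch in c for ch in candidate))
    if alphabet_size < 2:
        problems.append("empty or unrecognised characters only")
    elif entropy_bits(alphabet_size, len(candidate)) < min_bits:
        needed = length_for_bits(alphabet_size, min_bits)
        problems.append(f"too short: {needed}+ characters needed "
                        f"from a {alphabet_size}-symbol alphabet")
    return problems
```

With the 62-symbol alphanumeric alphabet, length_for_bits(62, 128) gives 22, matching the "a little more than 20" figure above; the 95 printable ASCII symbols bring it down to 20.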
If you come across a web-site that has poor password rules, such as a maximum length, you should complain — there’s no good reason for this.