The Most Common Passwords

There have been numerous studies of recent data breaches and the quality of the passwords either disclosed or discovered. A few good studies include:

In addition to the common passwords listed below, here are a few other good resources:

Common Passwords

Top 10 from the 2012 LinkedIn data breach:

  • 123456
  • linkedin
  • password
  • 123456789
  • 12345678
  • 111111
  • 1234567
  • sunshine
  • qwerty
  • 654321

Top 25 from the Ten Million Passwords (Mark Burnett)

  • 123456
  • password
  • 12345678
  • qwerty
  • 123456789
  • 12345
  • 1234
  • 111111
  • 1234567
  • dragon
  • 123123
  • baseball
  • abc123
  • footmall
  • monkey
  • letmein
  • 696969
  • shadow
  • master
  • 666666
  • qwertyuiop
  • 123321
  • mustang
  • 1234567890
  • michael

From MySpace:

  • homelesspa
  • password1
  • abc123
  • 123456
  • myspace1
  • 123456a
  • 123456789
  • a123456
  • 123abc
  • qwerty1

An older Hotmail password leak:

  • 123456
  • 123456789
  • alejandra
  • 111111
  • alberto
  • tequiero
  • alejandro
  • 12345678
  • 1234567
  • estrella
Choosing a Strong Password

There are also many guides on the Internet describing how to choose a good password.

  1. Use a password manager. Don’t try to keep it in your head. You can use the ones built into your web-browser, LastPass, Dashlane,  KeePass, or others – they will all be better than you trying to remember them.
  2. Use a strong, random password. Those password managers will all create random passwords for you. Your goal should be somewhere around 128 bits of entropy, which would be a little more than 20 alphanumeric characters.
  3. Don’t share passwords between sites. Remember, you’re using strong, random passwords.
  4. Always enable two-factor authentication for sites that support it. Most methods are “good enough”, and all are better than single-factor (e.g. password).

If you come across a web-site that has poor password rules, such as a maximum length,  you should complain — there’s no good reason for this.