There have been numerous studies of recent data breaches and the quality of the passwords either disclosed or discovered. A few good studies include:
- Unmasked: What 10 million passwords reveal about the people who choose them
- Today I Am Releasing Ten Million Passwords (Mark Burnett)
In addition to the common passwords listed below, here are a few other good resources:
Top 10 from the 2012 LinkedIn data breach:
Top 25 from the Ten Million Passwords (Mark Burnett)
An older Hotmail password leak:
Choosing a Strong Password
There are also many guides on the Internet describing how to choose a good password.
- Use a password manager. Don’t try to keep passwords in your head. You can use the one built into your web browser, LastPass, Dashlane, KeePass, or others – any of them will be better than you trying to remember passwords yourself.
- Use a strong, random password. Those password managers will all create random passwords for you. Your goal should be somewhere around 128 bits of entropy, which would be a little more than 20 alphanumeric characters.
- Don’t share passwords between sites. Remember, you’re using strong, random passwords.
- Always enable two-factor authentication for sites that support it. Most methods are “good enough”, and all are better than a single factor (e.g. a password alone).
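The entropy figure in the advice above comes from a simple calculation: a password of L symbols chosen uniformly at random from an alphabet of N symbols has L·log2(N) bits of entropy. The following added example (not part of the original article, and not code from any password manager it names) carries that calculation through for the 62-symbol alphanumeric alphabet and generates a password of the required length with the operating system's CSPRNG via Python's `secrets` module. The function names and the sample alphabets are this example's own choices.

```python
import math
import secrets
import string

# Example alphabets (constructed for this example); the article's
# "alphanumeric" figure refers to the 62-symbol set.
ALPHANUMERIC = string.ascii_letters + string.digits          # 62 symbols
ALPHANUMERIC_SYMBOLS = ALPHANUMERIC + string.punctuation     # 94 symbols
DIGITS = string.digits                                       # 10 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password of `length` symbols drawn uniformly
    and independently from an alphabet of `alphabet_size` symbols.
    This only holds for truly random choice; a human-chosen password of
    the same length has far less entropy."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest password length whose uniformly random password reaches
    at least `target_bits` of entropy (the ceiling, since a password
    cannot have a fractional symbol)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str = ALPHANUMERIC) -> str:
    """Generate a password with the OS CSPRNG. `secrets.choice` is used
    rather than `random.choice`, whose Mersenne Twister output is
    predictable and unsuitable for secrets."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not contain duplicate symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_table(target_bits: float = 128.0) -> dict:
    """Return the length needed to reach `target_bits` for each sample
    alphabet, so the reader can compare the alphabets side by side."""
    return {
        "digits": length_for_bits(len(DIGITS), target_bits),
        "alphanumeric": length_for_bits(len(ALPHANUMERIC), target_bits),
        "alphanumeric+symbols": length_for_bits(len(ALPHANUMERIC_SYMBOLS), target_bits),
    }


if __name__ == "__main__":
    needed = length_for_bits(len(ALPHANUMERIC), 128)
    print(f"alphanumeric characters needed for 128 bits: {needed}")
    print(f"entropy of {needed} alphanumeric chars: "
          f"{entropy_bits(len(ALPHANUMERIC), needed):.1f} bits")
    for name, length in entropy_table().items():
        print(f"{name:>22}: {length} characters")
    print("sample password:", generate_password(needed))
```

Each uniformly random alphanumeric character contributes log2(62) ≈ 5.95 bits, so 128 bits requires 22 characters, which matches the article's "a little more than 20". The table also shows why a longer alphabet helps less than one might expect: adding all 32 punctuation symbols only drops the requirement to 20 characters, whereas the real gain comes from letting the password manager pick every character at random.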
If you come across a website that has poor password rules, such as a maximum password length, you should complain — there’s no good reason for it.