123456 most common password?

By Razib Khan | January 21, 2010 4:53 am

If Your Password Is 123456, Just Make It HackMe:

Back at the dawn of the Web, the most popular account password was “12345.”
Today, it’s one digit longer but hardly safer: “123456.”
Despite all the reports of Internet security breaches over the years, including the recent attacks on Google’s e-mail service, many people have reacted to the break-ins with a shrug.
According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.

Imperva found that nearly 1 percent of the 32 million people it studied had used “123456” as a password. The second-most-popular password was “12345.” Others in the top 20 included “qwerty,” “abc123” and “princess.”
More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.

Many people are assuming that Google’s current row with China has more to do with protecting the reputation of its cloud computing services than idealistic motives. But really, the end user is the root of some of the problems of security within the cloud.

  • 01jack


  • Rob W

    Hmm.. PEBKAC.
    If you’re coding a web application, it’s wise to reject these passwords outright. I also like the weak->strong meters shown next to password fields.
    Offering advice on how to choose a good password is also helpful. Best advice I know: memorize a passPHRASE as part of your password. E.g., “That’s what your MOM said last night” as a passphrase becomes “TwyMsln” in your password (or go with the 3rd letter of each word to get “aauMisg”) and then throw a number and special character in there that you can remember (5^, for example).
    5^aauMisg is a pretty good password, and not that much harder to remember than 123456.
    Keyboard patterns like qwerty are possible if you are smart about them; i.e., use the shift key, jump around, and make it long. “2w)OdfJHerIU” is a keyboard pattern password that’s pretty solid.

  • Ambitwistor

    That’s amazing! I’ve got the same combination on my luggage!

  • Eric Lund

    Frustrating, yes, but nothing new. In “Surely You’re Joking, Mr. Feynman”, Feynman tells the story of contriving a meeting with the official locksmith at Los Alamos, who had managed to open a special safe that a captain had had delivered to store his sensitive documents (the captain was unavailable at the time but the documents were urgently needed). It turned out the locksmith was eager to meet Feynman, who had cultivated a reputation for being a safecracker. The locksmith’s secret: those safes came from the factory with one of two default settings, and the second one opened the safe. Feynman subsequently found that about one out of every five combination locks that he tried opened with one of the two default combinations. So the weak password problem has been around for at least 65 years.

  • Tacroy

    Meh. If I’d had a rockyou.com account, the password would have probably been something simple like that – after all, it’s RockYou. I don’t care if anyone steals my account on that website, and I don’t want to use one of my real passwords in case their system architects are morons and something like this happens.
    Further, rockyou.com was doing it wrong in the worst way possible. You do not ever store passwords as plain text. You store the result of a cryptographic hashing function applied to the password + some random but constant salt value. That way, even if someone steals your customer records, they can’t easily get your users’ passwords – which might have been used on a different site.
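Putting Rob W’s point about rejecting the common passwords outright together with Tacroy’s point about storing salted hashes, here is an added example in Python (not code from any commenter or from the article). The blocklist is constructed from the passwords the article names; the hash is PBKDF2-SHA256 with a fresh random salt per user, which is the usual form of the salted-hash advice.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample blocklist: passwords named in the article plus a few more
# top entries. A real deployment would load the full list (e.g. the RockYou
# top 5,000 that Imperva measured) from a file.
COMMON_PASSWORDS = frozenset({
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "qwerty", "abc123", "rockyou", "1234567",
})

PBKDF2_ROUNDS = 200_000  # work factor; raise it as hardware gets faster


def is_weak(password: str) -> bool:
    """Reject blocklisted passwords (case-insensitively) and very short ones."""
    return len(password) < 8 or password.lower() in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$rounds$salt_hex$digest_hex'.

    A fresh 16-byte salt per user means two users with the same password get
    different digests, so a stolen table cannot be cracked with one lookup.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(store: Dict[str, str], user: str, password: str) -> bool:
    """Refuse weak passwords; otherwise keep only the salted hash. True on success."""
    if is_weak(password):
        return False
    store[user] = hash_password(password)
    return True
```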

  • llewelly

    In the idealized world championed by security specialists, people would have different passwords for every Web site they visit and store them in their head or, if absolutely necessary, on a piece of paper.

    The italicized words (my italics) are the root of the problem. Memorizing good passwords is hard work, and most people can’t be convinced to do it. As Bruce Schneier pointed out over 10 years ago, writing your passwords down should not be viewed as a last resort. Instead, it should be your first resort. Write all your passwords down on a piece of old-fashioned paper. Make a copy. Store the copy in a safe place, where it is unlikely to be affected by common disasters, such as fires, floods, etc. Keep the other on your person, but treat it like your credit card, or your ID card – take every reasonable precaution against losing it.
    But most importantly – know how to report identity theft. Write down a list of the steps you will need to go through in the event of your password list being lost, or stolen. Do a few dry runs, so that when you need to use it, it is somewhat familiar to you. Keep that list somewhere else (not with the password list, obviously) on your person.

  • Vicki

    There’s always a tradeoff between security and inconvenience: it’s easier to walk through an unlocked door, including my own front door while I’m carrying groceries. So it only makes sense to lock a door if you care who comes through it. (You might _close_ a door to keep the wind out, or animals in: the local dog run uses gates that almost any human would find trivial, but the dogs can’t open.) And the more passwords I have, the more I have to either remember or store: and pieces of paper can be lost or stolen.
    I leave my work computer logged in to the library’s website, because the worst any of my coworkers could do is cancel my holds on library books; it’s not a real risk. (They could also reserve books I didn’t want, which I wouldn’t have to borrow, or renew the books I have checked out, which is harmless.) That doesn’t mean I’m staying logged in to my personal email, or my pension fund.
    Tacroy is absolutely right about hash functions: that was old news in the 1980s. It’s not an absolute guarantee–given a system, a hashed password file, and time, brute-force attacks are useful–but it’s still worth doing.

  • Katkinkate

    At my last job, when the number of passwords I had (which were renewed on different schedules) grew too many to be handled by my inadequate rote memory, I figured out about 11 different passwords as a base stock and wrote a list of clues to them, to help me keep track of which one I was using for each application. I randomly substituted numbers for similar-looking letters to keep it a bit more secure as well (e.g. s=5, q=9). The list of clues lived in my diary with whatever application I was using it for written in pencil beside the relevant clue. I used things like my mother’s mother’s maiden name + my niece’s current age.

  • http://www.libertypages.com/cgw Clark

    If you use 1Password on a Mac it keeps track of all your passwords for you and can generate extremely strong passwords for every site and then access them via a master password on your computer. It also has an iPhone version that syncs with the desktop.
    I used to use strong passwords, but only kept a handful I could remember. Now I use different passwords on each site.
    Realistically you need something like that if you are going to have sufficient security. Because frankly no one can keep track of numerous complex passwords without creating other security flaws.

  • RickD

    “Write all your passwords down on a piece of old-fashioned paper.”
    I’d be far more concerned about somebody using that piece of paper (which has to be stored near the computer) than about somebody hacking my password. It is much easier for me to use the same password for 135 different web sites than to have different passwords for each, which I then have to write down.
    (And yes, I have different passwords for banking websites, but that is the exception, not the rule.)

  • http://lighthouseinthesky.blogspot.com/ Anne

    Of course I use my cat’s name as a password! She’s called “k7;m2H8l” and I change her name every six weeks.

  • MIkE

    Here you can find a nice method for custom and good password creation: http://www.goodpassword.info/how_to_create_a_password.php

  • http://thisisalzheimers.com Manish

    It’s not surprising then that so many people keep getting their email accounts hacked into.

  • ChristianK

    You can combine one strong password that you remember with different suffixes for different websites and write down those suffixes on a piece of paper.
