Ransom Riggs
Don’t tell us your password: the top ten
by Ransom Riggs - May 21, 2007 - 10:52 AM

Passwords rule our lives. You need one to access your computer, your email, your bank account, and on and on. To make matters worse, there are hordes of thieves and hackers out there trying to get the virtual keys to our online kingdoms, via phishing, the hacking of corporate databases, spyware, etc. So why is it, then — despite ubiquitous warnings to the contrary — that so many people still make their passwords simple and intuitive, and use the same ones over and over for years at a stretch? The simplest answer, which via Occam’s Razor is probably the correct one, is that we’re just lazy. If that’s the case, and you can’t bring yourself to memorize eight randomly generated letters and numbers strung together rather than using the name of your family pet to secure that million-dollar 401k account, then at least take our advice and avoid these most commonly used passwords:

10. [The user's first name.] In Britain, the tenth most common password is “Thomas,” which in 2000 was also the second most popular name given to male British children.

9. blink182. Lord knows, Blink182 isn’t the most popular band in America. We’re betting it has something to do with the fact that it combines numbers and letters, which many sites now require of new passwords. Just don’t do it, people — the band, or the password.

8. password1. Lazy, lazy lazy.

7. myspace1. This is likely a testament to the staggering number of people that have MySpace.com accounts, all of which require a password. (We think it’s up to about 177 million now; that’s how many friends MySpace co-founder and face-of-myspace Tom Anderson has. And everybody is Tom’s friend.)

6. monkey. This one baffles us a bit. 1.33% of all passwords are “monkey,” which may be because a) it’s six letters long, the minimum length most sites allow, b) it’s easy to remember and c) the keys required to type it are spaced out in a way that makes typing it quick, and actually, sort of pleasant. (Monkey. Monkey monkey monkey. I could type that all day.) If there’s some other reason that millions of Americans use this as their password, I’d rather not know about it.

5. letmein. I guess there’s a certain power thrill in commanding a site to “letmein” and then being obeyed?

The top four passwords are so mind-numbingly lazy they require almost no comment. They are:

4. abc123

3. qwerty

2. 123456

1. password

Let’s just hope that people using any of the above four passwords don’t really care if their respective accounts are safe or not. I’ll admit to making up crappy passwords like, say, “password” when forced to register for a website that I’m only ever going to view once, and on which I leave basically no personal information. But statistically, it’s a sure bet that somewhere out there are nuclear secrets or marriage-ruining emails flimsily protected with a mere “123456.” Don’t let it happen to you!

Thanks to our friends at Howstuffworks for the cool close-up of a lock!

Comments (35)
  1. Somewhere I read some great advice on how to come up with different, tricky passwords for all your needs — and still be able to remember them. You take a number you can remember easily (for the sake of this example, let’s pick the year, 2007) and then you combine that with the beginning (or end or whatever you want) of the name of the site, so your Amazon password might be something like ama2007, your Yahoo password might be yah2007, etc. I made mine even trickier by mixing things up a bit, but I use the same formula for each password, so I can recreate all of them without having to consult a list.

  2. Thanks, Karen. Someone will be by later to check out your PayPal account. Let’s see…pp2006…pp2007…

    ;-)

  3. I thought the most popular password was ******. I see people use it all the time!

  4. We had to take a ‘security’ mini-class here at work and one section was on passwords. The recommendations were to make up a phrase you could remember that was related to the site/account. Substitute $ for S, substitute 4 for the word ‘for’, zero for ‘O’, etc. So if I had a ‘mentalfloss’ account I would use the phrase ‘Jane’s key for her Mental Floss Account Stuff’, which would translate to Jk4hMF$ – 7 digits, mix of caps, nationals and numbers

  5. The only way to be safe is to have a different, unique password for every single account. JaneM pointed out a way to make one – but think how many you’d need to invent (and remember) to have a unique one for every single site.

    I know that sounds impossible to remember. In fact, it is impossible without a password manager – a place to store all of the login/password/link combinations so that you can look them up when you need them, and not worry about them when you don’t.

    The whole kit-and-kaboodle is encrypted with a master password, which is the last one you’ll have to remember, and should be guarded with your life (well, almost).

    In addition to this basic set up, most password managers also include a series of other tools. A common feature is a password generator so that you don’t have to think up new passwords all the time, but rather just click the button and let the software invent something for you.

    I am a founding partner at PassPack, an online password manager. It’s a free service.

    However, even if you’re not interested in PassPack, there are plenty of other password managers out there. Please consider choosing one, and using it. Really, it’s the only way to be safe.

    Cheers,
    Tara Kelly
    PassPack.com

  6. Really, the only way to be safe is to have single use passwords and multiple verification methods. ATMs use multiple means of verification, you have to have something (a card), and know something (a pin). To make it more secure the pin would only be used once, and it would come from a small electronic device that is synched with your bank. Even more secure would be to also use biometrics.

    However with all security measures you have to consider the cost of security vs. the value of the assets you are protecting. If your bank account only has $3.25 left in it, you might as well use password as your password, how much damage can someone do with $3.25. If you’re protecting national security secrets, or a $300,000 investment portfolio you might want to spend a little more on security.

  7. My passwords are all based on patterns I find on the keyboard–I probably couldn’t even tell you the passwords unless I watched myself type them.

    For example: k0s2#J(D has a pattern to it (it’s not one that I use). But I found a nice easy to type pattern many years ago and have been modifying it for each new password.

  8. I guess my work wants us to be more secure, so they have some rules that are apparently built into the password-setting process, and if it’s a dictionary word, name or something else simple it just won’t let you use it (in addition it has to be however long and use at least 1 symbol). It would not let me use qwerty, which okay, I understand, so I tried dvorak (which I’m not even sure how to ‘spell’), but it shot that down too, so I was kind of impressed.

  9. I use slightly misspelled words. They’re usually fairly common words, but misspelled in an odd way (it almost looks correct, but not quite). I also use numbers that I remember, but that aren’t common, like the zip code from an old address.

  10. Shakespeare may be responsible for all the MONKEY passwords. If each of us “humans” were to type on a keyboard for our lifetime, do you think we could write a Shakespearean play?
    The MONKEY password is nothing more than a play on that concept.

  11. I like using my name backwards, and if I need numbers too I just use my address. So if your name was John and you lived at 123 Fake St you could just do nhoj123

  12. I tend to use either Bible verse references or mashups of dates associated with people or places from history or people I know. Then to add an extra twist, I’ll throw in special characters to replace some of the alpha characters (1 instead of i or l, 7 instead of t, 5 instead of s, etc…) It’s worked well so far…

  13. @Scott
    Sorry, let me be more specific: The only way to be safe, considering the exact state of affairs in which not every single website allows for continual one-time password generation and multiple verification methods, is to avoid ever reusing a password. That’s possible with the way things are right now.

    Not reusing passwords = lots of them to remember.

    Lots of passwords to remember = need a place to store them.

    A place to store passwords = a password manager.

    Therefore the only way to be safe is to use a password manager. :)

    @greenstrawberries & dave
    Yes, but I hope you have a unique one of these passwords for each and every website you visit. And if so – how do you remember which password couples with which website?

    Cheers,
    Tara

  14. At work, Password1 used to be the default for new or resetting user passwords. So many coworkers followed the Password2, Password3, Password4 pattern. Now because of SOX, we have to make the passwords different every month, so people follow those passwords in a pattern (Cheetah5, Cheetah6, Cheetah7…)

  15. Last place I worked, they instituted a password-nanny system, that required each user to change his password every month; since I had nothing to hide, I just used the month names: October, November, etc (incl. May555, June66 to get six)

  16. I use random words. Also I figured out that there are certain words you can type with one hand which is really cool when somebody is looking over your shoulder and you’re trying to enter your password…

  17. I like typing the word “monopoly.”

    it’s not my password for anything though.

  18. Also, am I the only one who’s starting to have problems remembering different usernames, much less passwords? :P

  19. I tend to use obscure character names from sci-fi shows or movies combined with numbers. The names are very rarely a recognizable word so all I have to do is remember what character belongs to what account. For the more sensitive accounts (banking, email), I’ll substitute numbers or symbols in for letters to make it even less recognizable.

  20. I like to pick long words that I think are fun to say (or type)… like “pontification” for example. It’s long enough to use, too odd to be easily guessed, and I can type it quickly. If I need to use a combo of numbers and letters, I tend to pick two random short words and stick a number I like at the end, like “hotnugget007”.

    I actually have a different password for every single account I have, all random, but I’ve never forgotten a single one. Go figure.

    Tip: It is a good idea to change your passwords every now and then.

  21. Makes me think of Spaceballs.

    “12345? That’s the stupidest combination I’ve ever heard of in my life! That’s the kind of thing an idiot would have on his luggage!”

  22. Lately i’ve been picking quotes or sentences from books, using the first characters of each word. For example, “Catch-22: It was love at first site.” – the password would be “C-22Iwla1sts.” That contains everything: 2 capital letters, 2 punctuation marks, 3 numbers, but it’s very easy to remember.

    Or this classic, which someone can probably guess: “Iwtbot,iwtwot”

  23. I use band names and band members, movie names, characters, etc….but I use the number keys as letters (2=@, 3=E, 0=o)

    I have to change mine at work monthly, the one I just changed was b32tl3s (beatles)

  24. My use of unique, creative, and “strong” passwords causes me to be entirely incapable of remembering why I thought I would be able to remember my unique, creative, and strong password.

    Consequently, access to most of my secure sites come from clicking on “Did you forget the Password?” link and answering my “security question”

  25. I have a “pool” of thematically-related passwords that I use for most sites and applications, and two that I use for only very secure sites. This means that if I forget my password for a particular site, I have a few options I can try out. The downside is that I often use the same password for different sites, but only for ones that don’t involve personal or financial information. I suppose if someone discovered my very esoteric interests they might be able to figure out some of my passwords, but they would have to know me very well first.

  26. One of the passwords I used for a bunch of stupid sites back in high school is on that list. I know there was a phase I went through where I just wanted to see how many email accounts one person could have. It made me wonder how much of it was my fault that the word showed up?

    Last night I couldn’t even view my cable bill because I don’t know the password any more . . .

  27. I’m one of those naughty ones that have used almost the same type of password for years. Granted, it’s a mix of my friends names back when I was in high school, but still. I’ll change one or two things with it once or twice a year, more if I’m signing up for something big. It’s not like I have much to protect anyway, since I’m in college.

    My ex boyfriend (the first one) is worse. He told me his password years ago, and he hasn’t modified it at all. I could type it here right now and everyone could get into his email, myspace, bank info, etc. I won’t, though, because I’m not that vindictive. The only one of his that’s different is the one for his yahoo account and that’s because, when he signed up for yahoo, it made the password for you. Amazingly, with his lack of creativity usually, he always remembers it.

  28. One of the most successful ways of creating passwords is to pick a random word from a different language, misspell it, and shove two numbers in somewhere. Hasn’t failed me yet :)

  29. 124356? Amazing! That’s the combination for my luggage!

  30. Work requires 16-character passwords, minimum of 2-uppercase, 2-lowercase, 2 numbers, and 2 symbols. You can’t repeat any of the previous 24 passwords, each new password must change by 3 characters, and they are only valid for 60 days.

    I have 3 accounts per device (system admin, my admin, my user) on over 120 devices, no Active Directory, RADIUS, or the like. I hate my life.
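The rules comment 30 lists (16 characters; at least two each of upper case, lower case, digits and symbols; no reuse of the previous 24; each new password changed by at least 3 characters) can be written down as a checker, and doing so shows why the incrementing habit in comment 14 (Cheetah5, Cheetah6) fails the last of them. The Python below is an added example, not code from any commenter or their employer. It assumes that “change by 3 characters” means a Levenshtein edit distance of at least 3 from the current password, and that the symbol class is ASCII punctuation; the passwords it is run on are constructed.

```python
"""Password-policy checker for the rules described in comment 30.

Added example, not code from the post or any commenter. Assumptions:
"change by 3 characters" is read as Levenshtein edit distance >= 3 from
the current password, and "symbols" means ASCII punctuation.
"""

import string

MIN_LENGTH = 16
MIN_EACH_CLASS = 2
HISTORY_DEPTH = 24
MIN_EDIT_DISTANCE = 3

CHARACTER_CLASSES = {
    "upper-case letters": string.ascii_uppercase,
    "lower-case letters": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}


def levenshtein(a, b):
    """Minimum number of single-character insertions, deletions or
    substitutions that turn a into b (standard dynamic-programming table,
    kept one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_policy(new, history):
    """Return the list of violated rules; an empty list means acceptable.

    history is ordered oldest-first, so history[-1] is the password being
    replaced (an empty history means a first-time set).
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, alphabet in CHARACTER_CLASSES.items():
        if sum(ch in alphabet for ch in new) < MIN_EACH_CLASS:
            problems.append(f"fewer than {MIN_EACH_CLASS} {name}")
    if new in history[-HISTORY_DEPTH:]:
        problems.append(f"reuses one of the previous {HISTORY_DEPTH} passwords")
    if history and levenshtein(new, history[-1]) < MIN_EDIT_DISTANCE:
        problems.append(f"differs from the current password by fewer than "
                        f"{MIN_EDIT_DISTANCE} characters")
    return problems


if __name__ == "__main__":
    # Constructed examples, not anyone's real passwords.
    cases = [
        ("Cheetah6", ["Cheetah5"]),                            # comment 14's habit
        ("Cheetah6!Cheetah6!", ["Cheetah5!Cheetah5!"]),        # long enough, still incremental
        ("Flour-Pillow-2007-Nanny!", ["Cheetah5!Cheetah5!"]),  # passes every rule
    ]
    for new, history in cases:
        verdict = check_policy(new, history) or ["ok"]
        print(f"{new!r}: {'; '.join(verdict)}")
```

The edit-distance rule is what separates this policy from the monthly-rotation one in comments 14 and 15: rotating a single digit or swapping a month name is a distance-1 or distance-2 change and is refused, whereas the composition rules alone would happily accept Cheetah6!Cheetah6! after Cheetah5!Cheetah5!.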

  31. Back in the day when AOL used to send out those diskettes (and later the CD-ROMS), the passwords they used were two words that were completely unrelated to each other (like FLOUR-PILLOW; NANNY-WHEEL; or some such as that). Seems to me something like that would still work.

    And when you consider that the OED lists something like 220K words in the English language alone — and there’s no reason that you could not use words outside the English language as well — then factor in the numbers you could toss in should the site you’re accessing require an alpha-numeric password, I think even the CIA would have a hard time figuring out what you’re using.

    -”BB”-
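Whether two random words really would give “even the CIA a hard time” can be put in numbers: the size of the space an attacker who knows the scheme must search, expressed as bits (log2 of the number of equally likely passwords). The Python below is an added example, not from the post or any commenter. It takes the 220,000-word dictionary from comment 31 as given, compares the two-word scheme with the eight random alphanumerics the article mentions and with the site-prefix-plus-year formula from comment 1, and assumes a year range of 1950 to 2007 for that formula; the word count, alphabet size and year range are assumptions, not measured facts.

```python
"""Guessing-space estimates, in bits, for the password schemes discussed
in the comments. Added example, not code from the post or a commenter.

Entropy here means log2 of the number of equally likely passwords a scheme
can produce when the attacker already knows the scheme. The dictionary size
is comment 31's figure; the other parameters are assumptions.
"""

import math
import string

WORDS_IN_DICTIONARY = 220_000              # comment 31's OED figure (assumption)
ALPHANUMERIC = len(string.ascii_letters + string.digits)   # 62 symbols


def bits(combinations):
    """Bits of entropy for a uniformly chosen element of a set this large."""
    return math.log2(combinations)


def random_alphanumeric_bits(length=8):
    """The article's "eight randomly generated letters and numbers":
    each position is one of 62 symbols, chosen independently."""
    return bits(ALPHANUMERIC ** length)


def word_pair_bits(words=WORDS_IN_DICTIONARY, extra_digits=0):
    """Two independently chosen words (the AOL-diskette style in comment 31),
    optionally followed by a fixed number of random decimal digits."""
    return bits(words ** 2 * 10 ** extra_digits)


def site_plus_year_bits(first_year=1950, last_year=2007):
    """Comment 1's formula once the site prefix and the rule are known:
    the only thing left to guess is which year was used (assumed range)."""
    return bits(last_year - first_year + 1)


def top_ten_bits():
    """Choosing one of the article's ten passwords."""
    return bits(10)


def compare():
    """Return the schemes ranked from strongest to weakest."""
    schemes = {
        "8 random alphanumerics": random_alphanumeric_bits(8),
        "two words + 2 digits": word_pair_bits(extra_digits=2),
        "two words": word_pair_bits(),
        "site prefix + year (scheme known)": site_plus_year_bits(),
        "one of the top ten": top_ten_bits(),
    }
    return sorted(schemes.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, b in compare():
        print(f"{name:36} {b:6.1f} bits  ({2 ** b:,.0f} possibilities)")
```

The ranking is the point: two words from a 220,000-word list give about 35 bits, roughly a third less than eight random alphanumerics, and two trailing digits add under 7 bits. The formula in comment 1 collapses to under 6 bits once the rule is known, which is exactly the attack comment 2 jokes about (pp2006, pp2007, ...). None of these figures say how fast a given site can be guessed against; they only measure how much there is to guess.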

  32. the password is ‘swordfish’ (according to Groucho Marx)

  33. Good one, Emilee. That’s how I spell my daughter’s name too!

    One way to a safe(r) password system is to use a rule to generate passwords for yourself. Here is the link from Lifehacker. Some good ideas in the comments too.

    http://lifehacker.com/#!184773/geek-to-live–choose-and-remember-great-passwords

  34. I usually use an acronym made up of a band/artist’s name and a song title or lyric and add a number or symbol if necessary… For instance – Elvis Costello/What’s So Funny About Peace Love and Understanding becomes: ECwsfapl&u .. these seem to pass all of the “complex password” rules…

  35. @Miss Cellania:

    LOLOLOLOLOL
