The worst passwords of 2013 - and there's a new number one


Log-in box on computer screen

Every year SpashData looks through the millions of passwords stolen by hackers over the previous 12 months and uses them to identify the worst (and most commonly used) passwords of the year. Every year we see the word 'password' at the top of the list, but this year it has been overtaken.

So what's the worst password now?


The company identified the biggest howler as 123456. It gained the title because it is the most commonly used out of all the passwords the company assessed. It is also incredibly easy to guess, so a hacker would not have to try very hard to get into your accounts.

The fact that this has overtaken the word 'password' for the top spot means we understand the need to protect ourselves - it's just that we haven't worked out how best to do it.

The word 'password' made it to number 2, followed by 12345678, qwerty, and abc123. Out of the top 25 there were 10 strings of easy-to-guess numbers. Other than that, there were strings of letters as they appear on the keyboard, combinations of letters and numbers such as 123abc, and words such as monkey and princess.

The list was also influenced by the fact that it included a number that had been stolen from Adobe users, so included words like adobe123 and photoshop. "Seeing passwords like 'adobe123' and 'photoshop' on this list offers a good reminder not to base your password on the name of the website or application you are accessing," says Morgan Slain, CEO of SplashData.

The worry here is that so many people are leaving themselves open to the possibility of hacking. As we reported last year, anyone opting for anything from the top five is very likely to fall victim in future.

The full list is:

1. 123456
2. password
3. 12345678
4. qwerty
5. abc123
6. 123456789
7. 111111
8. 1234567
9. iloveyou
10. adobe123
11. 123123
12. admin
13. 1234567890
14. letmein
15. photoshop
16. 1234
17. monkey
18. shadow
19. sunshine
20. 12345
21. password1
22. princess
23. azerty
24. trustno1
25. 000000

Protect yourself

Slain added: "As always, we hope that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites."

The list gives us a number of tips for types of passwords to avoid, including strings of letters and numbers, the name of the application you're accessing, and common words or phrases.

If you're trying to build a strong password, you should always go for at least eight characters, and mix both letters and numbers.

A common approach is to take a word and substitute some of the letters for numbers, such as 5umm3r. However, the company warns that this can be vulnerable to attacks too.

Splash recommends: "One way to create more secure passwords that are easy to recall is to use passphrases - short words with spaces or other characters separating them. It's best to use random words rather than common phrases. For example, "cakes years birthday" or "smiles_light_skip?""

Alternatively you can take a phrase you find memorable, and use the first letters from each word. So "I'm too sexy for my shirt, so sexy it hurts' (from the Right Said Fred classic) can become the hard-to-guess "i2sfmsssih'.

The company also says it's important to avoid using the same username/password combination for multiple websites. If this proves unmanageable, then at the very least you ought to have different passwords for things like banking than you do for your email.

Alternatively you can use a password manager, which can automatically create difficult passwords and then log you into your sites - there are a number of these on the market.

The biggest scams of 2013

The biggest scams of 2013