7 March 2011 / Technology

Top 10 weak online passwords – is yours on the list?

Patrick Steen Conversation Editor

Comments 26

Look into my eyes, the eyes, not around the eyes, look into my eyes… you’re under. You must change your useless password from ‘123456’ to something tougher to crack. Three, two, one… you’re back in the room.

As obvious as that advice might seem, around half of us use the same (or very similar) passwords for all the websites we log into. But worse than that, many of these passwords are weak and easy to guess.

I won’t lie, I only use around four passwords for all my online accounts. And I don’t change them anywhere near as often as I should – though I do like to think that they each sport a relatively secure combination of characters. But not everyone’s that careful.

Password = ‘password’

Data security firm Imperva has found that almost a third of us use passwords with six characters or less. And then around half bring names, slang words, dictionary words or ‘trivial’ passwords (such as adjacent keyboard keys) into play.

It’s these trivial passwords that are the most shocking, with the ten most common weak online passwords (based on leaked details from rockyou.com) being the following: 123456, 12345, 123456789, Password, iloveyou, princess, rockyou, 1234567, 12345678, and abc123.

Sure, rockyou.com may not be as important to keep secure as your online bank account, but come on, make an effort! Our principal money researcher Martyn Saville had this to say about the discovery:

‘This research is breathtaking. If you’re going to use a password like “123456” or “password”, you might as well tattoo it on your forehead. There are enough threats to our online security around without making it so easy for fraudsters to steal your identity and your cash.’

How to secure your password

So, what should you do to create secure passwords when you’re online? If possible, use a different password for each website you visit (though I understand that it may be hard to remember all of them). Use a combination of numbers and letters, upper and lower case and even special characters (such as &%$£_). Avoid words that someone close to you could guess (like family names, birthdays, or nicknames).

And here’s a savvy tip from security expert Bruce Schneier:

‘Take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary.’

So what’s the most un-secure password you’ve used? Oh, and only reveal your rubbish password if you’re no longer using it. I didn’t need to tell you that did I?

Comments

wavechange says:

7 March 2011

If the information about weak passwords related to banks or online retailers it would be worth setting up a Which? Conversation about weak passwords. It is hardly surprising that weak passwords are used for access to sites provided for entertainment.

I had not heard of rockyou.com until I looked it up. According to Wikipedia, “In December 2009, the company experienced a data breach resulting in the exposure of over 32 Million user accounts. In the controversy, it was revealed that the company failed to comply with the most basic security standards.” I wonder if any of the 32 million users lost money because they had used the same password used for their bank accounts.

How about getting some inside information from banks or building societies, and if there is a problem with weak passwords then that would be a better story and something more worthy of discussion.

Cat says:

8 March 2011

I tend to use a Password keeper (RoboForm) – until I forgot the access password for that…
However before I forgot that password, I counted the number of passwords I had – 78!!

Do I get a prize? 🙂

What tickles me the most though is how much fun can be had with passwords. Yes, for real.
I often use rude passwords, cheeky passwords – things like (not currently in use)
“WhatTheHellWasIt”
etc.

They keep me amused each time I move around the http://WWW.

Patrick Steen says:

8 March 2011

78!? That certainly is a record, why would you need so many?

Cat says:

8 March 2011

Patrick, I had to ask myself that too! It was a sizeable shock 🙂

A great number of them were “unimportant” – Stumble, YouTube, TED.com etc.

However, a reasonable percentage of others were important – PayPal, my bank, my email etc, etc.
I am a prolific internet user with a vast array of interests which no doubt contributes enormously to this ridiculous figure.

However, I am also proportionately mindful of my own security – particularly as I have previously been on the receiving end of online “hacking” (I had a remote tracker uploaded to my system some years ago & found a multitude of sites – email, Facebook etc – being ‘adjusted’ by a malicious individual. Absolutely horrid experience)

I appreciate this original article because whilst we might be failing ourselves presently, with sufficient awareness, others may pause and upgrade their next password. I hope so.

Patrick Steen says:

9 March 2011

Well, good on you. Certainly enviable. In fact, your prize for having 78 passwords (despite Mike saying he has more below) is that we’ve made you our Comment of the Week. You’ll be featured on our homepage for a full seven days! Congrats.

Cat says:

9 March 2011

Goodness Patrick. Thank you.
I confess to feeling rather honoured! 😀

Gavin Mitchell says:

8 March 2011

tlpWENT2m will now be in everyone’s password list.

And there will almost certainly be people who start to use it on the recommendation – just like how lots of people were found to be using the sample National Insurance number when they were first released.

Patrick Steen says:

8 March 2011

Yes, I’d try a different nursery rhyme if I were you.

Fat Sam, Glos says:

8 March 2011

I try and use a different password for each service. On the surface that sounds difficult but there is a method to how I can remember most of mine!

Think of a theme which has many words (e.g your favourite films, authors, countries, football league teams, US states, you get the idea) – and then link the name (or letters in certain positions) of the service to a word in your theme and then add a number.

E.g. if your theme is Football League Teams in England, you may decide that all your passwords will start with the second letter. So, your Which? password might begin with the letter ‘H’. Your password might then be HartlepoolUnited1888 (capital ‘H’ and ‘U’, the rest lower-case, followed by the year the Football League was founded – 1888, for extra security). You then apply this rule to all your other services – you may use the number 1888 in all your passwords, for example.

You can keep a list of these words in an obscure file that no one would think was a list of your passwords. E.g a file containing the names of every football league team in England (or add Scotland, Wales and Northern Ireland for added security). Doesn’t have to be football – I’m merely using it as an example to illustrate my method – it can be anything you like but it helps if you’re interested in that subject as this will aid memory. You may get some duplication but you can amend the rules or live with it.

Mike Elliott says:

8 March 2011

78! Pah, I can trump that, easily double that.

But…I dont necessarily think this is a problem if you use a password manager. I also use Roboform and it deals with this complexity just fine. Longer term I think the better solutions that will emerge will be based around some shared trusted identity that can be accepted and used at many websites, some of these exist already in one form or another (FaceBook, Passport etc)

Personally I tend to align the password type and complexity with the sites for which I use them. e.g. for a site I’m not concerned about security, I might use something easy thats related to the site and easy to remember, for other things I want long and unique passwords or pass phrases.

I would advise strrongly against using the same password or even style of password for your bank website vs a local web forum etc.

Incidently, my Roboform subscription lets me access my full range of accounts and passwords from multiple devices, iPhone included.

Patrick Steen says:

9 March 2011

Yes, you’re quite right. We advise on using different levels of password, from high to low security, dependent on what you’re using it for. http://www.which.co.uk/technology/computing/guides/protect-your-online-id/passwords/

Simon Treen says:

8 March 2011

I’m with Mike on this one – I use Roboorm and certainly have more than a hundred passwords from simple one for silly web sites to horribly complex mixes of alphanumerics and symbols for banking and financial.

I only commit one to memory and that’s the master password for Roboform.

sealdriver says:

8 March 2011

I use 1Password as a password manager on my Mac. It also genrates passwords to your specifications so adding a different password to each site you use is easy as you don’t have to remember them. I’d recommend using a password manager regardless of the number or importance of the sites you visit.

Richard Emery says:

8 March 2011

I believe that a major problem with password security is the absence of one specific requirement by the Information Commissioner. He needs to write a rule: “that no organisation should ever send a user’s password to them by email.” I am simply astounded at the number of websites who send me an email with my user name AND password as soon as I register. Hey! I just keyed it in twice – I don’t need you to tell me what it is. If I forget then I will ask you for a reminder – but please don’t send me my actual password. Please send me a random set of letters and numbers or a special link that allows me to set a new password. And then, finally, 24 hours later please send me an email that simply says “yesterday you created a new password”. This will help me to know if someone else has compromised my security.

Ray French says:

8 March 2011

I use a variey of passwords now. Several years ago I used only two different passwords. Unfortunately, the web sites concerned, not bank accounts, do not allow me to change the passwords. This facility should be available on all web sites.

Mark, London says:

8 March 2011

The use of non alpha numeric characters greatly increases password strength so it is disappointing that so many websites where a strong password would be particularly important (HMRC for online tax returns, major banks etc.) only permit the standard 36 alpha numeric characters.

Patrick Steen says:

9 March 2011

Yes, that’s not a good idea. Why would they feel the need to limit it?

bechet says:

8 March 2011

I use a variety of passwords including my old army number ~ from 50 years ago.

Peter says:

9 March 2011

I use the registrations of cars I’ve owned in the past and, as I’ve had about 14 cars, there are quite a few to choose from. Current registration format is a mix of letters and numbers which satisfy most websites (you could even mix upper and lower case) and you will be the only person to remember them. Should you forget which you used, your password clue could be ‘red car’ or Renault as appropriate.

PM says:

9 March 2011

I read this suggestion once and have found it useful. Think of a phrase – ” I Keep My Socks In The Top Left Hand Drawer” and use the first letters. You can add a number at the end. You could have the first 3 words as capitals and the rest small . It seems to me that any password breaking software would have all place names and dictionary words as a matter of course.
This is what I advise children to do.

fat sam says:

10 March 2011

Password breaking software doesn’t need a dictionary – most will try any mathematical combinations of letters, cases, numbers and symbols. So the more you have the longer it will take. But if a site’s security is designed well then any attempt beyond about 3 or 4 will lock the account.

It’s those sites whose security is a little lax that you have to worry about…

Miss Pasko says:

22 March 2011

I am a little late to the conversation, but would like to add that I use *******, a small password saving programme. I keep it on a memory stick (and back that up to my external hard-drive now and then). It has one master password to unlock, and has a random password generator that can do different lengths and character parameters. I am trying to gradually change silly passwords to more secure ones.

I have over 100 passwords – more if you count that some sites require multiple codes! I do the bookkeeping/accounts for 3 firms, we have two computers at home, multiple websites for banking, pleasure, student finance, the library even! Everyone wants a password.

Miss Pasko says:

22 March 2011

Maybe the programme I use was filtered as sounding rude? It is Kee Pass – join it together!

Sorry!

Paul Williams says:

26 April 2011

Ok, so I’m shamelessly sharing a link to a free online password generation tool that allows users to create long, complex and memorable passwords. Hope readers to find it beneficial. http://safepasswordmanagement.com/online-password-generator/