Top 10 weak online passwords – is yours on the list?

Look into my eyes, the eyes, not around the eyes, look into my eyes… you’re under. You must change your useless password from ‘123456’ to something tougher to crack. Three, two, one… you’re back in the room.

As obvious as that advice might seem, around half of us use the same (or very similar) passwords for all the websites we log into. But worse than that, many of these passwords are weak and easy to guess.

I won’t lie, I only use around four passwords for all my online accounts. And I don’t change them anywhere near as often as I should – though I do like to think that they each sport a relatively secure combination of characters. But not everyone’s that careful.

Password = ‘password’

Data security firm Imperva has found that almost a third of us use passwords of six characters or fewer. And around half use names, slang words, dictionary words or ‘trivial’ passwords (such as runs of adjacent keyboard keys).

It’s these trivial passwords that are the most shocking, with the ten most common weak online passwords (based on leaked details from rockyou.com) being the following: 123456, 12345, 123456789, Password, iloveyou, princess, rockyou, 1234567, 12345678, and abc123.

Sure, rockyou.com may not be as important to keep secure as your online bank account, but come on, make an effort! Our principal money researcher Martyn Saville had this to say about the discovery:

‘This research is breathtaking. If you’re going to use a password like “123456” or “password”, you might as well tattoo it on your forehead. There are enough threats to our online security around without making it so easy for fraudsters to steal your identity and your cash.’

How to secure your password

So, what should you do to create secure passwords when you’re online? If possible, use a different password for each website you visit (though I understand that it may be hard to remember all of them). Use a combination of numbers and letters, upper and lower case and even special characters (such as &%$£_). Avoid words that someone close to you could guess (like family names, birthdays, or nicknames).

And here’s a savvy tip from security expert Bruce Schneier:

‘Take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary.’

So what’s the most insecure password you’ve used? Oh, and only reveal your rubbish password if you’re no longer using it. I didn’t need to tell you that, did I?
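As an added example (not code from the article or from Which?), here is a small Python checker that turns the advice above into tests: it flags passwords of six characters or fewer, the rockyou top ten quoted in the article, dictionary words, adjacent-key runs, personal details, and a poor mix of character classes. The dictionary set is a constructed stand-in, and the “published examples” set holds the passwords printed on this page, since a commenter points out that such examples end up in everyone’s word lists.

```python
import string

# Ten most common leaked rockyou.com passwords, as listed in the article.
TOP_TEN_WEAK = {"123456", "12345", "123456789", "password", "iloveyou",
                "princess", "rockyou", "1234567", "12345678", "abc123"}
# Worked examples printed on this page; a commenter notes they end up in everyone's lists.
PUBLISHED_EXAMPLES = {"tlpwent2m", "hartlepoolunited1888"}
# Keyboard rows used to spot "adjacent keys" passwords (qwerty, asdfgh, 123456).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Constructed stand-in for a real dictionary word list (assumption, for illustration).
DICTIONARY = {"password", "princess", "piggy", "market", "football", "rockyou"}

def is_keyboard_walk(pw, run=4):
    """True if pw contains `run` adjacent keys from one row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False

def character_classes(pw):
    """Count how many of lower/upper/digit/special the password draws on."""
    specials = string.punctuation + "£"
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(c in specials for c in pw)])

def check_password(pw, personal=()):
    """Return the list of problems found; an empty list means every heuristic passed."""
    low = pw.lower()
    problems = []
    if len(pw) <= 6:
        problems.append("six characters or fewer")
    if low in TOP_TEN_WEAK:
        problems.append("in the rockyou top ten")
    if low in PUBLISHED_EXAMPLES:
        problems.append("published example password")
    if low in DICTIONARY:
        problems.append("dictionary word")
    if is_keyboard_walk(pw):
        problems.append("adjacent keyboard keys")
    for item in personal:  # family names, birthdays, nicknames known to others
        if item and item.lower() in low:
            problems.append(f"contains personal detail '{item}'")
    if character_classes(pw) < 3:
        problems.append("fewer than three character classes")
    return problems
```

Calling `check_password("123456")` reports four problems, while a long made-up sentence password with mixed classes passes cleanly.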


If the information about weak passwords related to banks or online retailers, it would be worth setting up a Which? Conversation about weak passwords. It is hardly surprising that weak passwords are used for access to sites provided for entertainment.

I had not heard of rockyou.com until I looked it up. According to Wikipedia, “In December 2009, the company experienced a data breach resulting in the exposure of over 32 Million user accounts. In the controversy, it was revealed that the company failed to comply with the most basic security standards.” I wonder if any of the 32 million users lost money because they had used the same password used for their bank accounts.

How about getting some inside information from banks or building societies, and if there is a problem with weak passwords then that would be a better story and something more worthy of discussion.


I tend to use a Password keeper (RoboForm) – until I forgot the access password for that…
However before I forgot that password, I counted the number of passwords I had – 78!!

Do I get a prize? 🙂

What tickles me the most though is how much fun can be had with passwords. Yes, for real.
I often use rude passwords, cheeky passwords – things like (not currently in use)

They keep me amused each time I move around the http://WWW.


78!? That certainly is a record, why would you need so many?


Patrick, I had to ask myself that too! It was a sizeable shock 🙂

A great number of them were “unimportant” – Stumble, YouTube, TED.com etc.

However, a reasonable percentage of others were important – PayPal, my bank, my email etc, etc.
I am a prolific internet user with a vast array of interests which no doubt contributes enormously to this ridiculous figure.

However, I am also proportionately mindful of my own security – particularly as I have previously been on the receiving end of online “hacking” (I had a remote tracker uploaded to my system some years ago & found a multitude of sites – email, Facebook etc – being ‘adjusted’ by a malicious individual. Absolutely horrid experience.)

I appreciate this original article because whilst we might be failing ourselves presently, with sufficient awareness, others may pause and upgrade their next password. I hope so.


Well, good on you. Certainly enviable. In fact, your prize for having 78 passwords (despite Mike saying he has more below) is that we’ve made you our Comment of the Week. You’ll be featured on our homepage for a full seven days! Congrats.


Goodness Patrick. Thank you.
I confess to feeling rather honoured! 😀

Gavin Mitchell says:
8 March 2011

tlpWENT2m will now be in everyone’s password list.

And there will almost certainly be people who start to use it on the recommendation – just like how lots of people were found to be using the sample National Insurance number when they were first released.


Yes, I’d try a different nursery rhyme if I were you.

Fat Sam, Glos says:
8 March 2011

I try and use a different password for each service. On the surface that sounds difficult but there is a method to how I can remember most of mine!

Think of a theme which has many words (e.g. your favourite films, authors, countries, football league teams, US states, you get the idea) – and then link the name (or letters in certain positions) of the service to a word in your theme and then add a number.

E.g. if your theme is Football League Teams in England, you may decide that all your passwords will start with the second letter. So, your Which? password might begin with the letter ‘H’. Your password might then be HartlepoolUnited1888 (capital ‘H’ and ‘U’, the rest lower-case, followed by the year the Football League was founded – 1888, for extra security). You then apply this rule to all your other services – you may use the number 1888 in all your passwords, for example.

You can keep a list of these words in an obscure file that no one would think was a list of your passwords. E.g. a file containing the names of every football league team in England (or add Scotland, Wales and Northern Ireland for added security). Doesn’t have to be football – I’m merely using it as an example to illustrate my method – it can be anything you like, but it helps if you’re interested in that subject as this will aid memory. You may get some duplication but you can amend the rules or live with it.