Top 25 common, attackable passwords: Stop using 'ninja' and 'jesus'

Top 25 common, attackable passwords: Stop using 'ninja' and 'jesus'

Summary: New data has revealed the 25 most common and easily crackable passwords on the web -- is yours on the list?

TOPICS: Security

Security threats may become more complex and sophisticated, but our password choices don't follow the same pattern.

hackable passwords top25 qwerty ninja jesus

Security software developer Splashdata has released its annual list of the worst -- and most common -- passwords used on the web in 2012. Worryingly, very little has changed from 2011, where "password", "123456" and "12345678" are still in the top spots -- although Trustwave placed "Password1" in the top three slots last year, whereas it's a new addition in Splashdata's version.

In addition, several new arrivals in the top 25 awful passwords are "jesus", "welcome", "mustang", and sadly "ninja".

According to PC World, the data is based on file dumps from online hacking campaigns, which include high-profile security breaches suffered at Yahoo, LinkedIn, eHarmony, and

Here is the complete list, including places going up or down:

  • 1 password Unchanged
  • 2 123456 Unchanged
  • 3 12345678 Unchanged
  • 4 abc123 Up 1
  • 5 qwerty Down 1
  • 6 monkey Unchanged
  • 7 letmein Up 1
  • 8 dragon Up 2
  • 9 111111 Up 3
  • 10 baseball Up 1
  • 11 iloveyou Up 2
  • 12 trustno1 Down 3
  • 13 1234567 Down 6
  • 14 sunshine Up 1
  • 15 master Down 1
  • 16 123123 Up 4
  • 17 welcome New
  • 18 shadow Up 1
  • 19 ashley Down 3
  • 20 football Up 5
  • 21 jesus New
  • 22 michael Up 2
  • 23 ninja New
  • 24 mustang New
  • 25 password1 New

In comparison, an analysis of the Yahoo hack from earlier this year found that the top ten common passwords were:

  • 123456 = 1666 (0.38%)
  • password = 780 (0.18%)
  • welcome = 436 (0.1%)
  • ninja = 333 (0.08%)
  • abc123 = 250 (0.06%)
  • 123456789 = 222 (0.05%)
  • 12345678 = 208 (0.05%)
  • sunshine = 205 (0.05%)
  • princess = 202 (0.05%)
  • qwerty = 172 (0.04%)

According to research from Norton, nearly half of Internet users do not use a complex password and over 25 percent of adults online have been notified to change their password when an account has been compromised. In addition, 46 percent of users aged between 18 and 64 don’t use a password that combines phrases, letters, numbers, symbols and caps or lowercase -- which are more difficult to infiltrate.

The simple fact of the matter is that if you choose a password which follows a simple pattern or is an obvious word, not only will it be easy for you to remember, but it will also be easy for simple attacks to breach your personal security.

In order to create a secure password, you should consider avoiding easy keyboard patterns -- such as 'qwerty' or '123', mix capital and lower-case letters, and keep them varied. A difficult-to-guess memorable word, such as a book character or favorite food would work better than 'password' or 'letmein', and switching word orders will boost the security of your online accounts further.

Image credit: Splashdata

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I noticed

    ...that NinjaMonkeyJesus is not on that list, so I'm still good.
    • Thanks alot

      I just spit my coffee all over my monitor
      • I'll second that...

        I snarfed some of my lunch up my nose.

        I guess password length limits prevent old favorites such as "god", "dog" and "cat" from being on the list.
        • Good passcode

          I spit soda on my keyboard. I was thinking a little different though. Monkeyninjajesus is not there either, so I'm good.
  • In my office

    the most common password is SexyBoy1
    • yeah... it use to be..

      yeah.. it use to be SexyBoy "... but now they make you add nuuuuumber" said Chow.
  • Whew

    I didn't see drowssap, so I'm okay then.
  • How about

    A few clients favorites:

    first part of email address for email accounts
    supportxx (xx=some number)
  • Passwords

    I don't even know my passwords. I use an process to produce complex passwords, keep them in a secure password safe, and paste them into password fields.
    • Double Secret Passwords

      Tricky ...und shneaky.
    • Passwords

      And if you are away from your computer and need access?
    • Passwords

      Heybb_apptix. I bet you write the password down next to your keyboard too?
  • How about this...

    I type all my password in a white font so they can't be seen.
  • Seriously though..

    We should stop calling them "passwords" and start using "passphrase" or "Passcode". This will help drill into people that words, *any words*, are a bad choice.
    • Passphrase

      and then users could use actual phrases: "battery horse correct staple"
      • A variation of passphrases is a slick new tool partly inspired by the xkcd comic strip you're referencing. (It's also an homage to old CompuServe two-word passphrases.) It automatically makes harder-to-crack passwords that you can remember, it's a free public service, and it's fun!
  • Passwords

    Passwords are a pain in the backside. Most people aren't going to use a complex, hard to type, (and harder to remember). If they DO, then they will need to write it down, which is worse than picking some obscure word that means something to only that person. Maybe someone will develop a workable, and simple way to use fingerprints, in place of passwords.
    • long phrases

      are easy to remember and harder to crack
      • passphrases...

        Unfortuantely too many sites/systems do not allow enough characters to use a strong passphrase.
    • Passphrase - not hard to type or remember

      Example given at a security conference (so this is no doubt one of the first crackers will try after the top 100 easy ones.) CockerSpanielsAreGoodForBreakfast
      easy to type and easy to remember of course you'll need those numbers and/or symbols as required. reversal of words and misspells makes it a little tougher CockerSleinaps1AreG00dFer2Festivasbrek