
25 Most Common Passwords of 2015 - mkelleyjr
http://abitofabyte.blogspot.com/2016/01/25-most-common-passwords-of-2015.html
======
wfo
All of our hard work convincing people to think of longer passwords has
finally convinced the populace to type 'qwertyuiop' instead of 'qwerty' when
they're asked to make an account for a service they don't care about.

The best way to improve password quality, at least looking at it from the
perspective of a user with my habits, is to wait to have me make an account
until I actually want the service. If I have to think of a password in order
to try something out for the first time, it's going to be the most inane
garbage because I simply don't care/can't be bothered to think of some secure
phrase to protect nothing.

~~~
odonnellryan
I've used 1qaz2wsx for throw-away accounts. I mean, come on... I create at
least one new account a week! >:(

~~~
wahsd
What annoys the hell out of me is this constant insistence on creating
accounts or even connecting your social media account.

How about just making your damn service/product good to where once people are
hooked in they will actually want to create the account when they are damn
well ready.

~~~
odonnellryan
Exactly! I've been working on my own app for a bit; once I go live I
completely intend on having gradual sign-up. You'll have a session. You can
use the entire app, but if you want to save your stuff you better register ;)

------
rogeryu
Direct link to the relevant article on Gizmodo:

[http://gizmodo.com/the-25-most-popular-passwords-of-2015-wer...](http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514)

The linked article does nothing more than link to that article and include a
link to a "convenient" text file with the top 25:

123456, password, 12345678, qwerty, 12345, 123456789, football, 1234, 1234567,
baseball, welcome, 1234567890, abc123, 111111, 1qaz2wsx, dragon, master,
monkey, letmein, login, princess, qwertyuiop, solo, password, starwars.

~~~
dhimes
He also messes up: the first "password" is all letters; the second one (near
the end) substitutes a 0 for the o: "passw0rd".

EDIT: Oops, I didn't see dmichulke's post saying the same thing. Here's the
reference:
[https://news.ycombinator.com/item?id=10930521](https://news.ycombinator.com/item?id=10930521)

------
iamthepieman
I often either reuse a simple password or use a stupidly simple one for sites
that require a signup but with which I do not care to interact in any
meaningful way.

Have to create an account on some new startup's app?

username: newstartupname_myname

password: 12345!

Need to sign up for a "trial" account to get access to content I probably
don't even want? Same thing.

So while I'm sure that there are way too many people using 123456 for their
insurance or financial service login, does it really matter that someone's
password to Cnet or foodnetwork is simple and easy to guess?

~~~
realusername
Same in my case; if the account is essentially useless I do exactly this. I
put the same username and password with a dedicated email for this kind of
thing.

~~~
noobie
Reddit-esque but _Relevant username!_

------
Kootle
The author, some of the comments here and especially the author of the Gizmodo
article seem to lament the fact that passwords aren't stronger. I have no idea
about whether or not that is justified, but a list of the most common
passwords is in no way reflective of average password strengths. A good
password is probably unique in the world so by definition the only passwords
on this list are those that are trivially easy to come up with. A more
interesting statistic, I think, is what percentage of the world's passwords is
'123456'.

~~~
connoredel
This is a good point. If these are each used by 2 people, it's not very
interesting. It's sort of implied by the attention these stories get that the
problem is much bigger than that, but I agree the story is incomplete without
the magnitudes. And for the rest of us, we should care about the _trend_ of
the % population using common passwords. In order to be safe, you probably
need to stay above some constant level that is "good enough" for any hacker
trying patterns or brute forcing. As the bottom gets more secure after reading
articles like this or adopting password managers, we all need to step up our
game. The first to go will be people who do things like:

- put a capital letter first and only first when a capital letter is required

- put a special character last and only last when a special character is
required

- put a number next to last and only next to last when a number and a special
character are both required

These will be the next patterns tried after the most common passwords,
dictionary attacks, etc. -- and if you stay ahead of _these_ people then
you'll be good for a while.

------
salmonet
> Every year, SplashData compiles a list of the millions of stolen passwords
> made public throughout the last twelve months, then sorts them in order of
> popularity.

The title should be most commonly _stolen_ passwords of 2015. It isn't very
surprising to me that easy-to-guess passwords are the most stolen.

~~~
lampington
Depends how they're stolen. If a site that wasn't using unsalted hashes for
storing them was hacked, then it doesn't matter how guessable they are.

------
svckr
_One that did catch my eye was 1qaz2wsx_

_Take a look at your keyboard to see that one. While it has potential, it
could be a little longer. It is still the strongest one from the list though._

How so? It could be a 100-character string of seemingly random symbols; if
it's at the top of the list, it's not a strong password.

~~~
piyush_soni
It might be a 'strong' password according to these stupid 'password enforcers'
on websites which think they're smart enough to decide for us.

~~~
logfromblammo
Not quite. That password would be "1qaz@WSX".

You see, you need a number _and_ a special character, a lowercase letter _and_
an uppercase character.

------
50CNT
I think there's still way too many things that require dedicated accounts out
there, and that erodes our ability to create secure passwords.

I think I can handle 3-5 passwords on sites I use on a regular basis just
fine. The next 10 sites, and I misremember things. Past that every visit that
requires a login is me going through the "forgot password, request password,
log into email, wait for password reset email, click link, reset password,
have it slip my mind again, reset password again, log in" cycle that may take
anywhere from 10-30 minutes of my time.

But having to come up with new passwords for these websites makes me lazier
with them. I want a chance to remember it given low repetitions, so I follow a
pattern. I might not want to type a long complicated password in twice, so I
make it shorter. I might start reusing it. There's only so much space in my
head I'm willing to dedicate to remembering passwords and usernames, so I
start to compress things, and this becomes habitual. Against all better
knowledge, even some of my more important passwords become trivial to guess.

Now as someone who is running a low usage frequency website, you could say to
yourself: "User error, not my problem". You could imagine a pretty world with
unicorns and users who remember their passwords for your risotto blogs comment
section, and that they parkour through your login experience, straight from A
to B. It says one-click login on the tin, doesn't it?

No, I think requiring login at all should be a conscious design decision you
have to make before you ever boot up the old Apache. Is it necessary, can you
offload it to third parties, or, if you do it, at what point does it start being
necessary. Take a sober look at whether your website is one of the 5 I'll use
often enough to remember the password for, and if it isn't, keep it in mind
when deciding what to put on which side of the login wall.

------
ins0
Reminds me every year that I should change my password to "INVALID" and
every time I try to log in with the wrong password, I get a nice reminder.

_"Wrong Password - Your password is invalid"_

_slow clap_

~~~
nashashmi
That's a great idea: Take the error message and make that the entire password.

~~~
hartator
lol you might get into trouble if they change the error message in the
meantime!

------
drzaiusapelord
This is a well studied area and never a surprise. What I haven't seen is a
list of common passphrases or common android swipe patterns or common iphone
PINs. Is anyone working on this stuff?

It's also 100% shameful that I can't just shove this list into Active Directory
and deny these passwords to end users. I can turn on complexity or length, but
nothing else. So today's "password" will be tomorrow's "tobeornottobe" once we
all migrate to passphrases/12+ minimum character passwords.

Also this is blogspam citing other blogspam. The source is SplashData and they
release this analysis every year.

~~~
herbig
Yeah I just Googled those and they're all available.

Denying passwords would just lead to adding 1 to the end and calling it a day.
We shouldn't really put any limitations on passwords users use.

------
dmichulke
The second _password_ in the txt is written with a 0

~~~
CleanCoder
I was wondering about that repetition.

------
schnevets
The thing that drives me crazy about sequential passwords like 1234567890 and
qwerty is how obvious it looks when typing it out.

Don't you want to at least provide the illusion of security? And even if you
have no concerns about the account being compromised, are you really able to
write "qwerty" faster than your first name?

------
overcast
I'm seriously tired of dealing with passwords. With the availability of email
on everything including your toaster, every site should offer token-based
authentication. I used passwordless on my last side project, and it's super
convenient.

------
agentgt
I guess the key (pun not intended) is stolen passwords and not systems that
have not been set up, because I bet particularly wifi and various systems'
"guest", "admin" and "demo" would be high up on the list.

------
calvins
I wish they would include how many times each password was used. Those top 25
representing 50,000 out of a million passwords means something very different
than if they represent just 1,000 out of a million.

Comparing the proportion of the million passwords that are accounted for by
the top 25 (and top 100, top 1000, etc.) year to year also gives a much better
measure of whether public behavior is improving than just seeing if the top 25
are obviously poor passwords.

------
stn
Meanwhile I find myself somewhat worrying about my unique, 32-character
passwords because _quantum computers_

------
jimktrains2
> Hopefully, 2016 will bring much stronger passwords to the general public,
> but going off of previous years, I have my doubts.

Hopefully, 2016 will bring better methods of authentication to the general
public, but going off of previous years, I have my doubts.

------
delinka
The second "password" in this blog's list should be "passw0rd"

------
wgx
Dropbox open-sourced a realistic password estimator called zxcvbn which is
excellent:

[https://github.com/dropbox/zxcvbn](https://github.com/dropbox/zxcvbn)

------
nashashmi
The next set of seemingly random passwords will be anything sequential on
qwerty keyboard.

Like: 1qaz2wsx3edc4rfv5tgb6hn7ujm8ik,9ol.0p;/

Or variants in reverse.
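As an added example (not from the thread, SplashData or the blog), a defender-side check that flags the "one character to satisfy the checker" habits connoredel lists above and the keyboard walks nashashmi describes; it assumes a US QWERTY layout and uses the thread's top-25 list as a constructed blocklist:

```python
import string
# Constructed blocklist: the SplashData top 25 quoted in the thread, with the
# second "password" written as "passw0rd" as several commenters point out.
COMMON = {"123456", "password", "12345678", "qwerty", "12345", "123456789",
          "football", "1234", "1234567", "baseball", "welcome", "1234567890",
          "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey", "letmein",
          "login", "princess", "qwertyuiop", "solo", "passw0rd", "starwars"}
# US QWERTY rows (assumed layout); reading columns top to bottom gives 1qaz, 2wsx, ...
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
COLS = ["".join(r[i] for r in ROWS) for i in range(10)]

def walk_fragments(min_len=4):
    """Runs of >= min_len adjacent keys along a row or down successive columns."""
    frags = set()
    for line in ROWS + ["".join(COLS)]:
        for s in (line, line[::-1]):          # forward and reversed walks
            for i in range(len(s)):
                for j in range(i + min_len, len(s) + 1):
                    frags.add(s[i:j])
    return frags

WALKS = walk_fragments()

def keyboard_walk_coverage(pw, min_len=4):
    """Fraction of pw covered by keyboard walks, matched greedily, longest first."""
    covered = i = 0
    while i < len(pw):
        best = next((j - i for j in range(len(pw), i + min_len - 1, -1)
                     if pw[i:j] in WALKS), 0)
        covered, i = covered + best, i + (best or 1)
    return covered / len(pw) if pw else 0.0

def lazy_patterns(pw):
    """The 'one character to satisfy the checker' habits connoredel lists."""
    flags = []
    if pw[:1].isupper() and not any(c.isupper() for c in pw[1:]):
        flags.append("capital-first-only")
    if pw and pw[-1] in string.punctuation and not any(c in string.punctuation for c in pw[:-1]):
        flags.append("special-last-only")
    if len(pw) > 1 and pw[-2].isdigit() and pw[-1] in string.punctuation \
            and not any(c.isdigit() for c in pw[:-2]):
        flags.append("digit-next-to-last-only")
    return flags

def assess(pw):
    """Reasons to reject pw; an empty list means none of these checks fired."""
    reasons = ["in-common-list"] if pw.lower() in COMMON else []
    cov = keyboard_walk_coverage(pw.lower())
    if cov >= 0.5:                            # half the password is a walk
        reasons.append(f"keyboard-walk({cov:.0%})")
    return reasons + lazy_patterns(pw)
```

Note that logfromblammo's complexity-rule variant "1qaz@WSX" is still caught by the walk check even though it is not in the list.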

~~~
nashashmi
And Google has a new list: (see end of page)

[https://www.google.com/search?q=1qaz2wsx3edc4rfv5tgb6yhn7ujm...](https://www.google.com/search?q=1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik)

------
Pinatubo
Where does correcthorsebatterystaple rank?

------
daveguy
I get how all of these are common easily remembered passwords that people
would use, except for this one:

1qaz2wsx

Where did that come from as a "most common" password? Hah! Never mind. I just
looked at it on the keyboard. Posting anyway for fun.

I used to think "come up with a pattern on the keyboard" was a good plan, but
apparently it is fairly common. Glad I use a password manager now (passpack).

------
izzydata
How are these gathered? Does this guy have some site he owns where he checks
common hashes?

