Skip to content

Trending tags

Two recent studies confirm what we already know: Millions of not billions of people use some of the world’s worst passwords.

The UK’s National Cyber Security Centre looked the 100,000 top passwords from Troy Hunt’s Have I Been Pwned data set. WP Engine looked at two data sets, including on with 5 million mostly Gmail credentials from a 2014 dump. The results were similarly dismal. But both studies tried to get at some of the reasons why people continue to use such bad passwords.

For decades, cyber security experts have been advising people use strong, unique passwords for all accounts. Clearly that hasn’t been working. So let’s try something new. Let’s admit password advice isn’t working. Let’s talk about how to pick terrible passwords.

But first, some good news

On the same day the National Cyber Security Centre released their password study, it also published a survey based on 1,350 phone interviews of British people 16 or older. The results wouldn’t surprise anyone who has taken a look at how terrible people’s passwords are, but it does show that people generally do have good intentions and are aware of their limitations when it comes to cyber security.

Only 15% said they know a great deal about how to protect themselves online while 80% say that cyber security is a “high priority” for them. The intentions just don’t quite match the actions yet. While 3 of 4 users say they use a passcode on their devices, only 55% said they always use a “strong and separate” password for their email account. That’s better than 46% who always keep their software updated and 25% who always use two-factor authentication.

These are the basics of security your online identity. The most basic of the basics is a passwords, which still seem to be a problem for so many. So let’s look at the tricks the world’s most unsecured internet users rely on when securing – or not securing – their accounts.

1. Use one of these passwords.

123456, password, qwerty… All the classics are here. Pick any of these from the WP Engine study and hackers will be extremely appreciative.

2. Use a common word or name or band name or sports team.

The National Cyber Security Centre study doesn’t just give suggestions for terrible passwords, it shows us who some of the most popular bands and football teams are. blink182, 50cent, eminem, metallica and slipknot top the music choices. And liverpool, chelsea, arsenal, manutd and overton better hope they’re better at securing the goal than they are at securing accounts.

Want to make sure your kids have terrible passwords? Use the names ashley, michael, daniel, jessica and charlie and never teach them that using your first or last name in a password is a bad idea.

3. Just add a number at the end.

Lots of users must sense that their passwords suck but think they know how to fix that with almost no effort.

“Nearly half a million, or 420,000 (8.4 percent), of the 10 million passwords ended with a number between 0 and 99” WP Engine reports. “And more than one in five people who added those numbers simply chose 1.”

You probably aren’t making your weak password any worse by adding a number or a few, but you certainly aren’t making it much better.

4. Use a keyboard pattern.

There’s a simple reason qwerty tops almost every list of terrible passwords: Your fingers love to type it, likely because it’s a fundament of typing. But that’s not the only keyboard pattern that shows up again and again. Right behind qwerty is qwertyuiop then 1qaz2wsx then qazwsx and asdfgh. They look random but they’re not at all. Try them and you’ll see.

Criminals who study these password dumps are familiar with these hacky hacks and when they’re trying to crack your account, they run through them all and crack them quick—even if you add a 1 at the end.

5. Don’t use a password manager.

To be fair, picking strong, unique passwords for all your accounts is not that easy. How do you even know if your passwords are strong? One good sign is that you can’t remember them. Weak passwords are a snap to crack and remember. Strong ones aren’t.

So what do you do with dozens of passwords you can’t remember? Forget them and use a password manager instead.

A password manager protects all your passwords and helps you pick strong unique ones for every account. Password managers are simple to use and KEY—our password manager, which is included in TOTAL—is free on one device.

Unfortunately, most people haven’t caught on to this elegant solution. The National Cyber Security Centre found only 14% of users always use a password manager compared to the 53% who never do.

Until the simplicity of a password manager becomes more popular than the simplicity of terrible passwords, all the advice in the world probably won’t do any good.




Jason Sattler

02.05.19 3 min. read

Related posts


Newsletter modal

Thank you for your interest towards F-Secure newsletter. You will shortly get an email to confirm the subscription.

Gated Content modal

Congratulations – You can now access the content by clicking the button below.