# Worst passwords in the world

#### jes

New research from Trustwave’s SpiderLabs using around 2 million passwords reveals the most common passwords globally

#### LazyLion

##### King of de Jungle
Making complex passwords is really, really easy.....

Take all the initials of all the members of your family.....

George
Trudy
Jake
Sally
Fred

Spot
Bobbin

So now you have...

gtjsfsb

Capitalise the parents and the animals...

GTjsfSB

GTjsfSB(7@34)

GTjsfSB(7@34)LR

Then add the year that you moved into that house....

GTjsfSB(7@34)LR-1995

GTjsfSB(7@34)LR-1995/2043

Voila, you have a password that is easy to remember but will take ages to crack....

#### grim

##### Expert Member

Easier solution, make up a sentence that's easy to remember

i.e. SpotWasFredsDogBobbinWasSallysDog

3 duodecillion years to crack that

#### Hamish McPanji

##### Honorary Master
> Making complex passwords is really, really easy.....
>
> Take all the initials of all the members of your family.....
>
> George
> Trudy
> Jake
> Sally
> Fred
>
> Spot
> Bobbin
>
> So now you have...
>
> gtjsfsb
>
> Capitalise the parents and the animals...
>
> GTjsfSB
>
> GTjsfSB(7@34)
>
> GTjsfSB(7@34)LR
>
> Then add the year that you moved into that house....
>
> GTjsfSB(7@34)LR-1995
>
> GTjsfSB(7@34)LR-1995/2043
>
> Voila, you have a password that is easy to remember but will take ages to crack....

Liar, I tried to log in using the password above, it failed.

#### Scooby_Doo

##### Executive Member
Better still, make up a formula and use said formula on each website or location that you need a password.

This will ensure that the password is unique in its application as well.

#### LazyLion

##### King of de Jungle
> Easier solution, make up a sentence that's easy to remember
>
> i.e. SpotWasFredsDogBobbinWasSallysDog
>
> 3 duodecillion years to crack that

You just made it longer... not more complex.

Good luck with that!

#### atomcrusher

##### Expert Member
I wonder what PW JuJu Malema uses? Probably 12345 .... no, wait, maybe not. Can he count that high?

#### Ancalagon

##### Honorary Master
Something that I've never understood is why passwords require numbers.

That is to say, a password cracker will be unaware that my password includes numbers. So, it cannot assume that my password contains letters only, and must also check possibilities that include numbers, even if my password contains no numbers. The only way to be sure that my password includes no numbers is to crack it!

Yes, if you are doing a brute force attack, then it matters, but then it only does because the password is shorter without a number (in most cases). If you simply substitute a letter for a number, then it makes no difference to a brute force password cracker.

If the password cracker is using a dictionary attack (i.e. a pre-generated list of common passwords), then that dictionary attack will usually include common variants of your password. So, it will have password1 as well as password, etc etc. So your password gets cracked anyway.

I think the two best guides for password security are 1) using longer passwords, 2) avoiding common dictionary words or phrases.

#### Other Pineapple Smurf

##### Honorary Master
My 2 favourite passwords are #4 & #7 on the list ....

#### grim

##### Expert Member
> You just made it longer... not more complex.

A password doesn't have to be complex to be secure. A long passphrase is easier to remember than a shorter complex password, and is probably more secure than a complex password, as the chance of the user writing it down is decreased because it's easy to remember, for one.

#### Vis1/0N

##### Expert Member
Facebook, Google, Yahoo, Twitter and LinkedIn... mostly throwaway sites and I don't use strong passwords as I save those for the places that matter. Otherwise it will promote a weakness if those sites (Fb,Y!,#) get compromised.

#### Allin

##### Expert Member
Awesome! My Qwerty123456 is rated as very strong! 96% nogal - never scored as high in any test ever before!

And it is easy to remember!

#### Hamish McPanji

##### Honorary Master
> Something that I've never understood is why passwords require numbers.
>
> That is to say, a password cracker will be unaware that my password includes numbers. So, it cannot assume that my password contains letters only, and must also check possibilities that include numbers, even if my password contains no numbers. The only way to be sure that my password includes no numbers is to crack it!
>
> Yes, if you are doing a brute force attack, then it matters, but then it only does because the password is shorter without a number (in most cases). If you simply substitute a letter for a number, then it makes no difference to a brute force password cracker.
>
> If the password cracker is using a dictionary attack (i.e. a pre-generated list of common passwords), then that dictionary attack will usually include common variants of your password. So, it will have password1 as well as password, etc etc. So your password gets cracked anyway.
>
> I think the two best guides for password security are 1) using longer passwords, 2) avoiding common dictionary words or phrases.

The alphabet has 26 characters
Add 10 numbers to that (0 to 9)
Add special characters, and you have a password with enough length that is essentially unbreakable by brute force (takes too long)

By adding the 10 numbers you are adding 10 new characters that need to be tested for, keeping in mind that each single character added increases the time taken to crack exponentially and not linearly.

#### Ancalagon

##### Honorary Master
> The alphabet has 26 characters
> Add 10 numbers to that (0 to 9)
> Add special characters, and you have a password with enough length that is essentially unbreakable by brute force (takes too long)
>
> By adding the 10 numbers you are adding 10 new characters that need to be tested for, keeping in mind that each single character added increases the time taken to crack exponentially and not linearly.

You're not getting me though. How does the password cracking algorithm KNOW that I am NOT using numbers? It must assume that I am, in order to crack my passwords.

Both contain letters, while only the second also contains numbers. My point is, if I am writing a password cracking algorithm, my algorithm must also try numbers, since it does not yet know if the password includes letters only or letters and numbers.

#### TehStranger

##### Executive Member

Come at me brohackers.

#### Hamish McPanji

##### Honorary Master
> You're not getting me though. How does the password cracking algorithm KNOW that I am NOT using numbers? It must assume that I am, in order to crack my passwords.
>
> Both contain letters, while only the second also contains numbers. My point is, if I am writing a password cracking algorithm, my algorithm must also try numbers, since it does not yet know if the password includes letters only or letters and numbers.

Typically, especially when cracking (assume offline and cracking for multiple passwords), you will use dictionary + variants, and brute force.

For brute force, you will do one set which is just numbers
Another with just common letters / all letters
Another with all letters + numbers
And finally all letters + numbers + symbols

If you use your birth date as password, you will get cracked quickly
If you use letters, it will take longer
If you use a combination, it will take even longer

In the days of Windows NT it was wonderful, as if the password length was less than 8 characters it was bloody easy to crack on my '486.

Linux /etc/passwd files were not so tough either, but as you mentioned, password length is a huge factor. But by running 3-4 brute forces at the same time on different servers with restricted character sets, the lack of numbers/symbols made a substantial difference in cracking time.
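The staged brute-force approach Hamish describes (digits first, then letters, then letters plus digits, then everything) and his earlier point that each extra character multiplies the work can be put into numbers. This is an added example, not code from the thread or from Trustwave: it finds the smallest character set that covers a password, adds up the guesses a cracker would spend on every earlier stage, and reports the result for the thread's own sample passwords. The 10 billion guesses per second rate is an assumed figure, and the model covers brute force only, not the dictionary and variant attacks Ancalagon describes, so a passphrase built from common words (or a keyboard walk like Qwerty123456) scores higher here than it would against a wordlist.

```python
import math
import string

# Character sets in the order a staged brute-force run, as described in the
# thread, would try them: digits only, then lowercase, then all letters,
# then letters plus digits, and finally all printable ASCII.
STAGES = [
    ("digits", set(string.digits)),
    ("lowercase", set(string.ascii_lowercase)),
    ("letters", set(string.ascii_letters)),
    ("letters+digits", set(string.ascii_letters + string.digits)),
    ("all printable", set(string.ascii_letters + string.digits + string.punctuation)),
]

# Assumed guess rate for the time estimate (a constructed figure, not a
# measurement of any real cracking rig).
GUESSES_PER_SECOND = 1e10


def smallest_stage(password):
    """First stage whose character set covers every character of the password."""
    chars = set(password)
    for name, charset in STAGES:
        if chars <= charset:
            return name, len(charset)
    raise ValueError("password uses characters outside every stage")


def guesses_to_exhaust(password):
    """Worst case under the staged model: every earlier stage is exhausted at this length first."""
    name, _ = smallest_stage(password)
    length = len(password)
    total = 0
    for stage_name, charset in STAGES:
        total += len(charset) ** length
        if stage_name == name:
            break
    return total


def entropy_bits(password):
    """Brute-force entropy: length times log2 of the smallest covering set."""
    return len(password) * math.log2(smallest_stage(password)[1])


def years_to_crack(password):
    return guesses_to_exhaust(password) / GUESSES_PER_SECOND / (365.25 * 86400)


if __name__ == "__main__":
    # Sample passwords quoted from the thread itself.
    for pw in ["12345678", "Qwerty123456", "GTjsfSB(7@34)LR-1995/2043",
               "SpotWasFredsDogBobbinWasSallysDog"]:
        print(f"{pw:35} {smallest_stage(pw)[0]:15} "
              f"{entropy_bits(pw):6.1f} bits  {years_to_crack(pw):.3g} years")
```

Under this model the 33-letter sentence comes out ahead of the 25-character symbol-laden string because length multiplies the search space more than the extra character classes do, which is grim's point; the digits-only password falls in the very first stage, which is Hamish's.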