Most popular passwords still terrible

About The Author

CNET Editor

Michelle Starr is the tiger force at the core of all things. She also writes about cool stuff and apps as CNET Australia's Crave editor. But mostly the tiger force thing.

Using data from a keylogging attack that compromised 2 million email and social networking accounts, SpiderLabs has revealed that the top 10 most popular passwords are also the most stupid.

(Lock image by Tomascastelazo, CC BY-SA 3.0)

Pony is a botnet controller that's been doing the rounds for a little while now. It uses a keylogger malware to collect passwords, which it then sends to a server, traced to the Netherlands by Trustwave's SpiderLabs, a team of "ethical hackers" dedicated to improving web security.

Looking at the data collected by Pony version 1.9, SpiderLabs discovered that just under 2 million accounts had been compromised, most of which were for websites, including social networks. Most of the passwords were from Facebook (318,121), followed by Google (70,532), Yahoo (59,549) and Twitter (21,708).

And, depressingly, the 10 most popular passwords were the ones system administrators cringe at.

  1. 123456 (15,820 instances)

  2. 123456789 (4875 instances)

  3. 1234 (3135 instances)

  4. password (2212 instances)

  5. 12345 (2094 instances)

  6. 12345678 (2045 instances)

  7. admin (1991 instances)

  8. 123 (1453 instances)

  9. 1 (1224 instances)

  10. 1234567 (1170 instances)

  11. 111111 (1046 instances)

To put that in perspective, the top 10 passwords, SpiderLabs said, make up around 2.4 per cent of the total password count. That may not seem like much — but it's significantly higher than the 0.9 per cent the group calculated from 2006, especially when you consider that there are vastly more web services, and therefore passwords required, than there were seven years ago.

Now, because Pony uses a keylogger to attack, there's not much a stronger password could achieve; a keylogger, as the name suggests, logs the user's keystrokes. However, a strong password can offer better protection against the more commonly used brute-force attack, which guesses at passwords until it gets the right combination.

To protect against keylogger attacks, there are several steps you can take. Firstly, use a good antivirus program, and update it regularly to make sure it supports all the newest malware and virus definitions. Secondly, wherever possible, use two-factor authentication. This usually takes the form of a code text messaged to your phone, and it's a different code every time you log in. Without that code, hackers will have a significantly harder time getting access to your account.

You can read the rest of SpiderLabs' report on its website, and find some tips for creating a strong password here.

Add Your Comment 19

Post comment as

PhartatM posted a comment   

Are these keyloggers browser based, or OS dependant? Everyone keeps saying to use virus protection software, I use Linux(for open-source dev) and FreeBSD(for what I hope will be a marketable device), do I need to worry about this, I know what a root kit is, it that seems different to me than a virus or a keyloggers, though both functions can be performed by rootkits...Any advice for *nix based system users? Or is the number of said users so limited that most of these attacks are designed for use against Windows only?


GloriaR1 posted a comment   

use a card file for business cards, keep them in alphabetical order and as long as the box gets put in a safe place, locked desk drawer, when you are not there, all is good, and none of them get forgotten, then you can use complex combinations of letters, numbers, and symbols for your passwords


TimW3 posted a reply   
United Kingdom


AKB posted a comment   

12345 (2094 instances) That sounds like the combination to an idiot's luggage!


JayG posted a reply   

Nope, Most common suitcase combination is "000."


WadeM2 posted a comment   

To keep track of all my passwords I use a spreadsheet that isn't password protected LOL. But alas if someone did hack my life they will be happy to receive the same denials of credit that I get and have the same access to NO MONEY in my bank account that I have and be immersed in a dark, alien world of CHRISTIAN EVANGELISM. Buahahah.


DanielB6 posted a comment   

HA! I have a password that would make it into the #9 spot and that is from just me and the 1203 sites I use it on.


DavidB22 posted a comment   

SpiderLabs has revealed that the top 10 most popular passwords are also the most stupid. Are yours among them?"
If that many people are using them,
do you think that many potential readers like to be referred to as Stupid?


Chandler posted a reply   

Might want to re-read your comment... to me, "top 10 most popular passwords are also the most stupid" reads that the passwords themselves are stupid, not the users who use them...

Besides, let's be honest here - if you're using those passwords for anything remotely important, then you are heading into the realm of stupidity...

Sponsored Links

Recently Viewed Products