Data Monday: Top Three Passwords

by Luke Wroblewski July 16, 2012

When every Web site requires a password, people resort to simple solutions for managing the many login details they need to track. These easy answers are hardly the secure, unique, and complex passwords that security and IT teams hope for, as the top 3 passwords in recent account breaches illustrate:

  • The top 3 passwords from 32M leaked RockYou.com accounts were: 123456, 12345, and 123456789. (source)
  • The top 3 passwords from 58k leaked Twitter accounts were: 123456, 123456789, and 102030. (source)
  • The top 3 passwords from 188k leaked Gawker Media accounts were: 123456, password, and 12345678. (source)
  • The top 3 passwords from 40k leaked MySpace accounts were: password1, abc123, and myspace1. (source)
  • The top 3 passwords from 450k leaked Yahoo! accounts were: 123456, password, and welcome. (source)
  • The top 3 passwords from 4.6M leaked LinkedIn accounts were: link, 1234, and work. (source)
  • The top 3 passwords from 20k leaked Billabong accounts were: billabong, 123456, and 12345. (source)
  • 2/3 of people with leaked accounts at both Sony and Gawker reused their passwords on both sites. (source)

What's Wrong With People?

While many are quick to suggest people need to be smarter and work harder on the strength and uniqueness of their passwords, I contend the login/password system is broken and we need new, more humane ways to address Web account security, not the vilification of ordinary people just trying to get through the pain of passwords.