Someone typing on a laptop| Feautured image for g

Whether we like it or not, passwords are still a thing of the present and are likely to remain around as, at least, the lowest level of security in preventing unauthorised access to digital accounts and platforms. It seems like every year, websites on the Internet ask us to invent increasingly complex passwords – the days of short, simple letter and number combinations are well and truly gone, and we are now required to create passwords of a certain minimum length, usually including special non-alphanumeric characters. The best security practices are even asking us to not only use strong passwords, but also never to re-use them. Managing our digital keys is becoming harder every year, and the inherent laziness of the human mind has led to bad passwords becoming common. Let’s have a look at what goes into good and bad passwords as well as some examples of the most common bad passwords, continue reading to learn more.


What are Bad Passwords?

Bad passwords are passwords that are easy to guess or crack. Some bad passwords are so common that they make it to lists of top bad passwords. Here are a few examples of bad ideas that go into creating bad passwords:


  1. Including your name in your password your name is one of the most public pieces of information about you. These days, your name can be found easily on social media or by going through your paper mail. Professional and business e-mail will often include your name as a part of the address. If your name or the name of anyone related or connected to you is a part of your password, it can probably be found out quite easily by anyone willing to spend a bit more time looking into your personal or professional life. If a piece of public information about you is a part of your password, then that part of your password is also public.
  2. Including any other personal information as a part of your password – this may include things such as birthdates and addresses of you or your relatives, vehicle registration numbers, makes and models of the cars you own or have owned, names of pets and anything about you that can be found out by anyone persistent enough. Strangers who find you on social media will have a pretty good chance of guessing your password if it’s the name of your cat or the model of your motorbike.
  3. Using short passwords – short passwords are susceptible to a method of attack known as “brute force”. A brute force attack uses persistent, ongoing trial and error attempts at guessing the login information by going through as many commonly used passwords and combinations until it is guessed correctly. Shorter passwords are easier to guess because of their lower complexity. The longer a password is, the more difficult it will be to guess by using brute force.
  4. Including character combinations in common order – A phrase like “qwerty” may seem like a random combination of letters, but it is universally present on most modern computer keyboard layouts. Hackers understand that users who are complacent about their password security use character strings like “qwerty” or “123456” and try those first, in hopes of getting lucky. In fact, “123456” and “qwerty” were the two most used passwords in 2019.
  5. Using English language words – using common words makes your passwords vulnerable to a form of brute force attack known as a “dictionary attack”. In a dictionary attack, the hacker attempts to guess your password by using a very large set of words to generate potential passwords until they succeed. Simple, common English-language words like “password”, “lovely”, “princess” or “dragon”, were among the top 25 worst passwords commonly used in 2019. Replacing letters with similar looking numbers (for example “p4ssw0rd” instead of “password”) is not an effective counterstrategy either. Hackers are aware of such methods and include these and even more complex kinds of variations in their dictionary attacks.
  6. Re-using your passwords – Even if you have a very strong password but use it everywhere, you may be putting yourself at risk. Your strong universal password is only as secure as the weakest-security website you have used it on. Let’s say you’ve used your extra-strong password on an online store to buy something. If, for example, the store owner neglected to encrypt your password and stores it in plain text instead, all it takes is for someone to breach that online store’s security, obtain your password, and they automatically gain access to all of your accounts that use it. If you had used it only for that one online store, it would not be such a big deal, but if you used for all your accounts everywhere, your security is now compromised. Think about the many recent data breaches you may have heard about, that have exposed private information of individuals and have even spurred the creation of the Notifiable Data Breach Scheme in Australia.
  7. Using all CAPS or all-lowercase letters – writing your password all in the same case reduces its complexity, making it easier to guess or crack.
  8. Making memos or notes of your passwords – You may be tempted to note down your password, especially if it is exceptionally strong and hard to memorise, but notes and memos can be lost, or stolen. This is especially risky in a work setting; do you always know who has access to your office space after hours?
  9. Sharing your passwords with others – Once you have shared your password, it is no longer under your explicit control. Even if you have shared it with someone whom you trust, there is no longer anything stopping them from sharing it further or being negligent about storing it securely.


Top Bad Passwords

Every year since 2011, SplashData has been publishing a list of top bad passwords based on passwords leaked in data breaches that year. Last year, in 2019, the top 25 bad passwords were (in descending order from the most commonly used):


  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 1234567
  6. 12345678
  7. 12345
  8. Iloveyou
  9. 111111
  10. 123123
  11. abc123
  12. qwerty123
  13. 1q2w3e4r
  14. admin
  15. qwertyuiop
  16. 654321
  17. 555555
  18. lovely
  19. 7777777
  20. welcome
  21. 888888
  22. princess
  23. dragon
  24. password1
  25. 123qwe

If your password(s) are one the list above, you are vulnerable. Lists such as this one, are one of the first go-to places for even the amateur password crackers.


What Makes a Good Password?

Between good and bad passwords, what is the best practice? There are several methodologies available, but a few good password hygiene practices can go a long way to improving your password security in the short term.


  1. Do not use the same password for multiple accounts.
  2. Do not use common passwords.
  3. Do not use simple passwords.
  4. Create long passwords.
  5. Do not use single words for your password.
  6. Do not use common words or phrases in your passwords.
  7. Consider using a password manager to create and securely store strong, random, and complex passwords for every account you create. With a password manager, you only need to memorise one strong master password for the manager program itself, but make sure to keep your master password safe.

We hope you have found our blog on good and bad passwords useful in learning about bad password habits and why they are problematic for your security. If you would like to ask us any questions about what makes good and bad passwords or find out more about how bad password practices can be a liability in your business or organization, give us a call on (07) 3062 6932 now. Does your business practice good password hygiene? Find out by requesting your FREE IT health check today. Book an obligation-free coffee meeting with our Brisbane MSP team today and let us help you improve the security habits in your business or organization.