Back to Blog
The Top 15 Worst Passwords
Passwords. What makes them bad?
It is not just the words in a password. It is how they are used, what context they are used in, if they have been exposed online, and other factors.
- admin (or admin with only a few extra characters like admin1, admin!, adminX)
- password2020 (and iterations of it, such as 2021Password)
- password (and iterations of it, such as password1, password123, p4ssword)
- p4ssw0rd (or other common leetspeak variations)
- 12345 (and iterations of it, such as 123456, 1234567, 12345678, 123456789)
- 654321 (reversed versions of common passwords)
- qwerty (and iterations of it, such as qwerty1, qwerty!, qwerty123, etc.)
- 1111111 (and others like it with sequential characters, such as 222222, 3333333, 4444444, 5555555, etc.)
- 123123 (and iterations of it, such as 12341234, 1234512345, 321321, etc.)
- abc123 (and iterations of it, such as abcd123, abcd1234, 321cba, etc.)
- asdfgh (and iterations of it, such as asdfghj, asdfgh!, etc.)
- Website name (passwords that contains the site name. ie: www.acmecompany.com and the password is acmecompany)
- Any common word in the dictionary less than 8 characters
- Lastly, compromised passwords that have been exposed along with your username!
A strong password isn’t necessarily a safe password. Although many passwords meet typical algorithmic strength requirements, they may still be unsafe if they exist in password cracking dictionaries used by cybercriminals.
You can see if a sample password is generally safe, weak, or compromised here.
Don’t let your employees use weak or compromised passwords!
You can enable quick-to-deploy automated password policy enforcement and daily exposed password screening in Active Directory. With fully automated weak password filtering, fuzzy password matching, password similarity blocking, and custom password dictionary filtering; enterprises can easily adopt NIST password requirements and secure employee passwords.
If you want to learn how to block similar passwords and screen your Active Directory accounts daily for compromised passwords, check out this whitepaper.
To see how it can work, review this article in 4SysOps.