Which passwords NOT to use


If you are a registered Adobe customer, you’d better change your password. As a result of the attack on Adobe, users' passwords were stolen from the company and then published on the Internet. Someone even made a crossword puzzle out of them. So we have a good opportunity to check which passwords are better NOT to use.

Adobe’s latest slip-up was the leakage of customer data, and the consequences of this will certainly be long-term. Initially, Adobe stated that the incident affected approximately 3 million users. However, it turned out that the compromised database contained approximately 150 million entries; moreover, stored passwords were poorly protected and in many cases could be restored to their original form. As a result, Facebook forced those of its users who were among the victims to change their password if they used the same one on the social network.

Using a single password for multiple online services is a serious security issue. Worse still, millions of users make the same mistakes when coming up with a new password. So let’s learn from these mistakes and look at the most popular passwords from the Adobe database.

1. „Password”, „qwerty” and „123456”

It is surprising that, despite the passage of many years, these very obvious passwords are still at the top of the list of the most popular. In the Adobe database, the password „123456” came first – it was used by more than 2 million people out of the 150 million users whose passwords were leaked from Adobe. The slightly more complicated password „123456789” came second, followed by the word „password”, which was selected by 345,000 users. The „qwerty” key sequence was also popular – in position 6.

2. Company / website name or variations on this

You may think that using the login „John” and the password „Facebook” is clever. But it is not. Of course, the name of the website may not be in the dictionaries used by hackers to crack passwords. However, an experienced hacker will certainly add it to his word list (as we saw with Adobe). This pattern shows up in the passwords that ranked 4th, 9th, 15th, and 16th in the Adobe top-100: „adobe123”, „photoshop”, „adobe1”, and „macromedia”.

3. Username = password and other hints

Even if other vendors encrypt stored passwords much better than Adobe did, it is quite likely that a hacker would see extra fields in the database without much effort. We found that they can be quite useful in restoring passwords. These fields are username, email address, password hint, etc. The biggest hit is a password that is exactly the same as your username. Other „smart” ways are also impressive. Some people write their passwords in the password hint box or enter such obvious answers as „1 through 6” or „first and last letters”.

4. The obvious obviousness

Facebook is one of the hackers' favorite tools. Having the victim’s e-mail address and username, you can easily search Facebook for the answers to hints such as „dog”, „son’s name”, „birthday”, „work”, „mother’s maiden name”, „favorite band” etc. About a third of all hints related to family members and pets, and an additional 15% of hints quoted the password directly or almost directly.

5. Simple sequences

It looks like the possible combinations of letters and numbers are endless. However, people do not take full advantage of this potential and instead draw very strong „inspiration” from the alphabet and the keyboard. Passwords like „abc123”, „00000”, „123321”, „asdfgh” or „1q2w3e4r” are already in use. If you have a sequence of letters and numbers that is easy to remember, forget about it – it is just as convenient for a hacker and is most likely already in the attack password dictionaries.

6. Basic words

According to various studies, between one third and a half of all passwords are single words from the dictionary, which usually belong to the group of 10,000 most frequently used words in a given language. Modern computers can try 10,000 passwords in a matter of seconds, so such passwords are not secure at all. At the top of Adobe’s list are many terms such as „sunshine”, „monkey”, „shadow”, „princess”, „dragon”, „welcome”, „jesus”, „sex”, „god”.

7. Obvious modifications

To make dictionary attacks more difficult to carry out, most websites require users to create passwords according to certain rules. For example: at least 6 characters, necessarily containing uppercase and lowercase letters, numbers and special characters. As I wrote before, these are methods from the 20th century and we need to rethink them, but users have already figured out a way around these requirements. Certainly, the first letter will be capitalized, and it will be the only capital letter in the entire password, and at the end there will be the most popular numerical modification – that is, adding the number „1”. In the Adobe database, these tricks are combined with obvious words, which basically results in bad passwords like „adobe1” or „password1”. The most common special characters are the exclamation point and the underscore.

8. Obvious modifications-2 (1337)

Thanks to the movie „Hackers” and other elements of pop culture, a wide audience already knows about the „hacker language” LEET (1337), which is distinguished by the replacement of a few letters with similar-looking numbers or characters and other simple modifications. Creating such replacements is a seemingly good idea, because a password like „H4X0R” or „$1NGL3” looks impressive. Unfortunately, such passwords are no more complicated than the usual „hacker” and „single”, because password cracking applications include a special add-on, the so-called mutation engine, that applies every such obvious modification to each dictionary word.
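The mistakes in points 1, 2, 3, 5, 7 and 8 can be rejected at sign-up by undoing the same obvious modifications before looking the password up. The following Python sketch is an added example, not code from the article or from Adobe; the names `COMMON`, `ROWS`, `LEET`, `variants` and `weak_reasons`, the tiny blocklist and the substitution table are assumptions made for illustration.

```python
import re

# Constructed sample blocklist built from passwords the article names; a real
# deployment would load a full leaked-password list instead.
COMMON = {"123456", "123456789", "password", "abc123", "123321", "1q2w3e4r",
          "letmein", "iloveyou", "sunshine", "monkey", "dragon", "single"}
# Keyboard rows and the alphabet, used to spot "simple sequence" passwords.
ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
        "abcdefghijklmnopqrstuvwxyz")
# Look-alike substitutions to undo before the lookup (assumed, not exhaustive).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def variants(password):
    """Return the forms a mutation engine would treat as the same word."""
    low = password.lower()
    base = re.sub(r"[\d!_.#*]+$", "", low)  # drop trailing digits and symbols
    forms = {low, base, low.translate(LEET), base.translate(LEET)}
    forms.discard("")
    return forms


def weak_reasons(password, username="", site_words=()):
    """List the article's mistakes that `password` commits (empty if none)."""
    forms = variants(password)
    reasons = []
    if forms & COMMON:
        reasons.append("common password or obvious modification")
    if forms & {w.lower() for w in site_words}:
        reasons.append("site or product name")
    names = {username.lower(), username.lower().split("@")[0]} - {""}
    if forms & names:
        reasons.append("same as username")
    low = password.lower()
    if len(set(low)) == 1 or any(low in r or low in r[::-1] for r in ROWS):
        reasons.append("simple sequence")
    return reasons
```

Calling `weak_reasons("adobe1", site_words=("adobe", "photoshop", "macromedia"))` flags the site name even though „adobe1” itself is not in the blocklist, because the trailing „1” is stripped first.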

9. Dynamic sentences

In the modern world, longer passwords are always better because passphrases are considered more effective protection than passwords. However, there are a few exceptions – very short and extremely predictable phrases. You can find „letmein”, „fuckyou”, and „iloveyou” in Adobe’s top-100. Nothing more, nothing less.

10. PESEL etc.

These passwords are definitely more difficult to guess. But hackers will undoubtedly go to great lengths to find these numbers when they see a clue like „my Social Security Number”. When mixed with your username, date of birth and other information available on social networks, such a set of data can unfortunately be used for identity theft and illegal money making.

11. The same passwords in different websites

While this bad practice is not directly related to the attack on Adobe, it is just as popular as using the string „123456”. I mean using the same password for different online services. Why is this not a good idea? If your Adobe password has become known to hackers, they may try to match your e-mail address with that password on all popular sites like Facebook or Gmail and hack not one, but many of your accounts. According to a study by B2B international for Kaspersky Lab, 6% of users use one password for all their accounts, while 33% use only a few passwords. If Adobe’s site was among them, these users are now at risk of having their entire digital life broken into.

Of course, all the above-mentioned mistakes are made for one simple reason – nowadays we use 5-10 online services and it is difficult to remember a unique and complicated password for each of them. Fortunately, there is a simple technical solution to this problem.

Here are our tips:

  • Do not use the same password for multiple sites.
  • Use a long and strong password.
  • Check the strength of your password using special services.
  • Use a special password manager to store all your passwords encrypted and don’t waste your time memorizing them. This way you can have a unique, very complex and strong password for each page without the risk of forgetting it.