Last fall, hackers leaked 10 million email passwords on a Russian Bitcoin forum. Bogdan Calin, the chief technology officer for Web security firm Acunetix, sifted through the data and found almost 50,000 Gmail accounts with the same password: 123456. In fact, strings of consecutive numbers comprised half of the top 10 most common codes.
While disturbing, stolen passwords may not be the best source of information on personal security habits. “When you’re collecting hacked passwords, you’re getting passwords that are hackable,” says Mark Burnett, an independent security expert. “Often times the data come from places that don’t have strong policies, or sites that no one really cares about protecting.” That may be why data-dumps like this one include so many obvious duds. Burnett’s own collection of 30 to 40 million leaked accounts contains password at least 150,000 times.
Other leaks suggest that more stringent security policies may not yield more sophistication. A 2009 hack revealed a long list of passwords with at least one number and one capital letter. Password1 topped the list, with P@ssw0rd and Passw0rd not far behind.
To improve account security, Burnett says to use at least 10 characters and avoid common phrases. But even that may not offer much protection. “The capability of cracking passwords has gotten so great. We have things to make them stronger, like two-factor authentication, but on their own, passwords are kind of at the end of their effectiveness.” That means while the worst passwords are obvious, there’s really not a best one either.