Year end review: Some of the worst passwords of 2013.

Garikai Dzoma

For the first time, in 2013 we now know for a fact that a lot of governments, including the self-righteous ones, spy on innocent users under the guise of national security. (Of course the Zimbabwean government does not spy on its citizens; why would you even think that!) Now, all those who were surprised please raise your hands. No doubt the naive amongst you are still surprised, but with the cat out of the bag it is very surprising that some people are still not security conscious. The security firm Trustwave released a top ten list of some of the worst passwords of 2013, and it makes for sad reading.

Source data.

The firm used data obtained from the Moar Pony botnet. The botnet managed to steal close to 2 million usernames and passwords. About 1.6 million were for popular websites such as Facebook (318 121 passwords), Gmail (54 437), Yahoo (59 549) and Twitter (21 708). The rest were from other email accounts, remote desktop sessions, FTP accounts and secure shell connections.

Top ten worst passwords.

So here are some of the worst passwords in order of popularity:

  1. 123456
  2. 123456789
  3. 1234
  4. password
  5. 12345
  6. 12345678
  7. admin
  8. 123
  9. 1
  10. 1234567
  11. 111111

It would seem that some people are just asking to be hacked and spied on. Sure, a password is not going to stop the NSA, but you should at least put up a protest. I am sure that a lot of Zimbabweans' passwords are just as bad, if not worse. Don't despair if your password did not make it onto the list; there are still consolation prizes to be won below.

Here is a pie chart showing overall password strengths for all the passwords:

[Pie chart: Overall password strength]

Password complexity.

Trustwave also analysed all the passwords to try and gauge their complexity. The strongest passwords are those that use all four character types (upper case, lower case, numbers and special characters), e.g. Zx0w2?#q, whilst the weak passwords use only one character type, e.g. password. Also, the longer the password, the stronger it is. Below is a graph that shows the results.

[Graph: Password strength by number of character types and length]

It seems a lot of people use passwords of a single character type with a length between 6 and 9 characters, followed by those who use a single character type with a length between 10 and 13 characters. Very few people have passwords which use all four character types. Sometimes this is not the user's fault: some systems prevent people from using special characters in their passwords for some reason, even if the service they are offering warrants a strong password. For example, my two bank accounts (I will spare them the shame) will not allow me to use special characters when choosing my online banking password.
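To make the two dimensions of the Trustwave analysis concrete, here is a small added example (not from the article or from Trustwave) that classifies passwords by number of character types and length band, and works out what a bank's "no special characters" rule actually costs. The 1-5 and 14+ bands, the 94-symbol printable alphabet and the sample list are assumptions; the sample is constructed from the eleven passwords listed above plus the article's own strong example.

```python
import math
import string
from collections import Counter

# Constructed sample: the eleven worst passwords quoted in the post plus the
# post's "strong" example. This is not the Trustwave data set.
SAMPLE = ["123456", "123456789", "1234", "password", "12345", "12345678",
          "admin", "123", "1", "1234567", "111111", "Zx0w2?#q"]

# Character classes as described in the post: upper, lower, digits, special.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)


def char_types(pw: str) -> int:
    """Count how many of the four character classes a password draws from."""
    return sum(any(c in cls for c in pw) for cls in CLASSES)


def length_bucket(pw: str) -> str:
    """Length bands: 6-9 and 10-13 come from the post; 1-5 and 14+ are assumed."""
    n = len(pw)
    if n <= 5:
        return "1-5"
    if n <= 9:
        return "6-9"
    if n <= 13:
        return "10-13"
    return "14+"


def classify(pw: str):
    """(number of character types, length band) for one password."""
    return char_types(pw), length_bucket(pw)


def tally(passwords):
    """Distribution of (types, band) pairs, i.e. the bars of the post's graph."""
    return Counter(classify(pw) for pw in passwords)


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Brute-force search space in bits for `length` symbols drawn uniformly
    from an alphabet of `alphabet_size` (62 = letters+digits, 94 = printable
    ASCII). Shows that two extra characters outweigh a ban on specials."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for key, count in sorted(tally(SAMPLE).items()):
        print(f"{key[0]} type(s), length {key[1]:>5}: {count}")
    print(f"8 chars, specials allowed: {keyspace_bits(8, 94):.1f} bits")
    print(f"8 chars, specials banned:  {keyspace_bits(8, 62):.1f} bits")
    print(f"10 chars, specials banned: {keyspace_bits(10, 62):.1f} bits")
```

Running it shows six of the twelve samples in the one-type, 6-9 band that dominates the graph, and that a 10-character letters-and-digits password has a larger search space than an 8-character one that uses all four classes.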

I sure hope more people will take heed in the coming year and start to use at least 3 character types when choosing their password. Unfortunately the report does not reveal how many people used the same password across services or how many idiots have their password written on a sticker that is conveniently near their computer.

Before you start commenting, please change your password now!!

Comments.

  1. Muti

  2. chakuti

  3. MuZimbo

    pass123, mywife1984, 0987654321

  4. OJ-pro

  5. beatnyama

    Leaving a sticker with a password under your desk is no longer the problem these days. Because even if your colleagues find that password, the worst they can do is prank you and send threatening emails to the boss and maybe a fake break-up email to the girlfriend. All this is harmless.

    The problem arises when people online with serious malicious intent get access to that password one way or another. This can be made even worse where people use the same password for the different services they use, for example FB, Gmail, Twitter, Yahoo etc. From the small survey I did, most people are just too lazy to remember different passwords and therefore use just one. This makes life easier for hackers, as getting one password means they get access to your whole online life.

    I have seen time and time again people struggling to remember even simple passwords for their email. Tell them to put funny characters in their passwords and you are just begging them to forget their passwords.

  6. muzukuru

  7. Dzungu

    I once went to China for a 4 week training. A week after my return, Google Mail was still alerting me that someone in China was logged onto my account. The password was a complex 8 character password! These governments!

  8. Anonymous

    How did they get access to those password values? Online privacy is a myth.