Why Most People's Passwords Are Dumb

Yes, People Use Absurdly Simple Passwords

When the LulzSec hacker group broke into 37,000 user accounts at Sony Pictures and Sony Music, they decided to publish their findings and 'out' the passwords they found. Troy Hunt is a software architect who analyzed those hacked Sony accounts, in addition to the scandalous hack of Gawker Media (where 188,000 accounts were also cracked and published online). Here is a summary of Troy Hunt's findings:

People Reuse Their Passwords for Multiple Systems


For the Sony Pictures and Sony Music hacks, a sad trend appeared: people would reuse the same password for both accounts. While this habit is convenient for the user, it also means that one account breach translates into multiple account breaches.

If you use the same password and email address for your Gmail, PayPal, online bank account, eBay, and your personal blog, you are inviting hackers to help themselves to your private life.

Most People Choose Plain Text / Number Passwords, With No Special Characters

This is a disturbing trend of poor computer hygiene. 99% of the hacked users at Sony used only letters and digits in their passwords. That means 99% of people's passwords look like this:

  • summer
  • abc123
  • ashley
  • 10423

Alphanumeric-only choices make for poor passwords because they are easily guessed by hacker software. These programs, known as "dictionary" or "brute force" tools, quickly recombine common English words and numbers to defeat your password through repetitive guessing. The simpler your password, the more quickly a dictionary tool can guess it, often within just a few minutes.


The Most Common Password Is "seinfeld"

Yes, believe it or not, Troy Hunt discovered patterns in the hacked accounts of the 37,000 Sony users. While most people did use random words, over 60% of the users' passwords were still found in hacker dictionaries, meaning most people chose passwords that are very easy to crack.

Troy's findings also showed that the most common passwords at Sony included:

  • seinfeld
  • password
  • 123456
  • princess
  • peanut
  • shadow
  • ginger
  • michael
  • sunshine
  • tigger
  • bailey

Again, the trend here is that very few people actually use non-alphanumeric characters (e.g. ! % ^ @ # $ [ +), which makes their uninspired passwords even easier to crack.

Most People Use Passwords That Are 6 to 8 Characters Long

In Troy Hunt's analysis, the bulk of Sony's users had 6-character, 7-character, or 8-character passwords. The next most common were 9- and 10-character passwords. Very few people used 5 or fewer characters, and even fewer used 12 or more.

As you might expect, shorter passwords are easier for hackers to guess. While it's overkill to create a 20-character password for your email, 8 characters or more is highly recommended to discourage most hackers.
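The three patterns described above (reuse across systems, letters-and-digits-only composition, wordlist hits and short length) can be measured on a breach dump much as Troy Hunt did. The script below is an added example, not Troy Hunt's or the article's code; the accounts, passwords and the tiny wordlist are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample "dumps" for two systems, keyed by e-mail address.
# These are made-up accounts, not data from the Sony or Gawker leaks.
PICTURES = {
    "ann@example.com": "seinfeld",
    "bob@example.com": "Tr0ub4dor&3",
    "cid@example.com": "abc123",
    "dee@example.com": "sunshine",
    "eve@example.com": "10423",
}
MUSIC = {
    "ann@example.com": "seinfeld",        # same password on both systems
    "bob@example.com": "correct horse!",  # different password on the second system
    "dee@example.com": "sunshine",        # reused again
    "fay@example.com": "princess",
}

# Tiny stand-in for a cracking wordlist, built from words quoted in the article.
WORDLIST = {"seinfeld", "password", "123456", "princess", "peanut", "shadow",
            "ginger", "michael", "sunshine", "tigger", "bailey", "abc123",
            "summer", "ashley"}

def reuse_rate(a, b):
    """Share of users present in both dumps who used one password for both."""
    shared = [e for e in a if e in b]
    same = [e for e in shared if a[e] == b[e]]
    return len(same) / len(shared) if shared else 0.0

def alnum_only_rate(passwords):
    """Share of passwords made only of letters and digits (no special characters)."""
    return sum(1 for p in passwords if re.fullmatch(r"[A-Za-z0-9]+", p)) / len(passwords)

def wordlist_hit_rate(passwords, wordlist=WORDLIST):
    """Share of passwords found verbatim (case-insensitively) in the wordlist."""
    return sum(1 for p in passwords if p.lower() in wordlist) / len(passwords)

def length_histogram(passwords):
    """Number of passwords at each length, like the 6/7/8-character finding."""
    return Counter(len(p) for p in passwords)

def analyze(a, b):
    """Run all four measurements over the combined passwords of two dumps."""
    pws = list(a.values()) + list(b.values())
    return {"reuse_rate": reuse_rate(a, b),
            "alnum_only_rate": alnum_only_rate(pws),
            "wordlist_hit_rate": wordlist_hit_rate(pws),
            "lengths": length_histogram(pws)}

if __name__ == "__main__":
    for name, value in analyze(PICTURES, MUSIC).items():
        print(name, value)
```

On real data the same counters, fed with a proper wordlist and the full dump, give the percentages the article quotes.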

People are lazy with their passwords: they don't make the effort to use special characters like ! % ^ @ # $ [ +. People use uninventive and predictable words like "password" and "purple", and proper nouns like "bailey" or "ashley". To make it even worse, most people use the same predictable passwords for their multiple accounts.

All of these patterns make a hacker's job easier. The simpler your passwords, the more likely you are to have your bank account cleaned out.

It is not that difficult to create a complex password that resists hacker dictionary attacks.  Let the hackers break into someone else's stuff... keep your own accounts safe by following a few simple password tips here...