pentesting, pci, red team

The Top 500 Worst Passwords of All Time

November 30th, 2008 by admin in News, Password Info

From the moment people started using passwords, it didn’t take long to realize how many people picked the very same passwords over and over. Even the way people misspell words is consistent. In fact, people are so predictable that most hackers make use of lists of common passwords just like these. To give you some insight into how predictable humans are, the following is a list of the 500 most common passwords. If you see your password on this list, please change it immediately. Keep in mind that every password listed here has been used by at least hundreds if not thousands of other people.

There are some interesting passwords on this list that show how people try to be clever, but even human cleverness is predictable. For example, look at these passwords that I found interesting:

ncc1701 The ship number for the Starship Enterprise
thx1138 The name of George Lucas’s first movie, a 1971 remake of an earlier student project
qazwsx Follows a simple pattern when typed on a typical keyboard
666666 Six sixes
7777777 Seven sevens
ou812 The title of a 1988 Van Halen album
8675309 The number mentioned in the 1982 Tommy Tutone song. The song supposedly caused an epidemic of people dialing 867- 5309 and asking for “Jenny”

“…Approximately one out of every nine people uses at least one password on the list shown in Table 9.1! And one out of every 50 people uses one of the top 20 worst passwords..”

Lists the top 500 worst passwords of all time, not considering character case. Don’t blame me for the offensive words; you were the ones who picked these, not me.

NO Top 1-100 Top 101–200 Top 201–300 Top 301–400 Top 401–500
1 123456 porsche firebird prince rosebud
2 password guitar butter beach jaguar
3 12345678 chelsea united amateur great
4 1234 black turtle 7777777 cool
5 pussy diamond steelers muffin cooper
6 12345 nascar tiffany redsox 1313
7 dragon jackson zxcvbn star scorpio
8 qwerty cameron tomcat testing mountain
9 696969 654321 golf shannon madison
10 mustang computer bond007 murphy 987654
11 letmein amanda bear frank brazil
12 baseball wizard tiger hannah lauren
13 master xxxxxxxx doctor dave japan
14 michael money gateway eagle1 naked
15 football phoenix gators 11111 squirt
16 shadow mickey angel mother stars
17 monkey bailey junior nathan apple
18 abc123 knight thx1138 raiders alexis
19 pass iceman porno steve aaaa
20 fuckme tigers badboy forever bonnie
21 6969 purple debbie angela peaches
22 jordan andrea spider viper jasmine
23 harley horny melissa ou812 kevin
24 ranger dakota booger jake matt
25 iwantu aaaaaa 1212 lovers qwertyui
26 jennifer player flyers suckit danielle
27 hunter sunshine fish gregory beaver
28 fuck morgan porn buddy 4321
29 2000 starwars matrix whatever 4128
30 test boomer teens young runner
31 batman cowboys scooby nicholas swimming
32 trustno1 edward jason lucky dolphin
33 thomas charles walter helpme gordon
34 tigger girls cumshot jackie casper
35 robert booboo boston monica stupid
36 access coffee braves midnight shit
37 love xxxxxx yankee college saturn
38 buster bulldog lover baby gemini
39 1234567 ncc1701 barney cunt apples
40 soccer rabbit victor brian august
41 hockey peanut tucker mark 3333
42 killer john princess startrek canada
43 george johnny mercedes sierra blazer
44 sexy gandalf 5150 leather cumming
45 andrew spanky doggie 232323 hunting
46 charlie winter zzzzzz 4444 kitty
47 superman brandy gunner beavis rainbow
48 asshole compaq horney bigcock 112233
49 fuckyou carlos bubba happy arthur
50 dallas tennis 2112 sophie cream
51 jessica james fred ladies calvin
52 panties mike johnson naughty shaved
53 pepper brandon xxxxx giants surfer
54 1111 fender tits booty samson
55 austin anthony member blonde kelly
56 william blowme boobs fucked paul
57 daniel ferrari donald golden mine
58 golfer cookie bigdaddy 0 king
59 summer chicken bronco fire racing
60 heather maverick penis sandra 5555
61 hammer chicago voyager pookie eagle
62 yankees joseph rangers packers hentai
63 joshua diablo birdie einstein newyork
64 maggie sexsex trouble dolphins little
65 biteme hardcore white 0 redwings
66 enter 666666 topgun chevy smith
67 ashley willie bigtits winston sticky
68 thunder welcome bitches warrior cocacola
69 cowboy chris green sammy animal
70 silver panther super slut broncos
71 richard yamaha qazwsx 8675309 private
72 fucker justin magic zxcvbnm skippy
73 orange banana lakers nipples marvin
74 merlin driver rachel power blondes
75 michelle marine slayer victoria enjoy
76 corvette angels scott asdfgh girl
77 bigdog fishing 2222 vagina apollo
78 cheese david asdf toyota parker
79 matthew maddog video travis qwert
80 121212 hooters london hotdog time
81 patrick wilson 7777 paris sydney
82 martin butthead marlboro rock women
83 freedom dennis srinivas xxxx voodoo
84 ginger fucking internet extreme magnum
85 blowjob captain action redskins juice
86 nicole bigdick carter erotic abgrtyu
87 sparky chester jasper dirty 777777
88 yellow smokey monster ford dreams
89 camaro xavier teresa freddy maxwell
90 secret steven jeremy arsenal music
91 dick viking 11111111 access14 rush2112
92 falcon snoopy bill wolf russia
93 taylor blue crystal nipple scorpion
94 111111 eagles peter iloveyou rebecca
95 131313 winner pussies alex tester
96 123123 samantha cock florida mistress
97 bitch house beer eric phantom
98 hello miller rocket legend billy
99 scooter flower theman movie 6666
100 please jack oliver success albert

Source: Perfect Passwords, Mark Burnett 2005

650 Responses to ' The Top 500 Worst Passwords of All Time '

Subscribe to comments with RSS or TrackBack to ' The Top 500 Worst Passwords of All Time '.

  1. Venla said,

    on July 5th, 2012 at 9:41 am

    Fortunately none of mine appeared on there. Of course, most of mine are in Quenya and Sindarin or are the keystrokes needed to type them in Tengwar. The latter creates the most secure passwords I’ve ever seen. Check out to see what I mean. Good luck hacking a complicated encoding system whose original word is in a fictional language barely spoken by a handful of people.

  2. Anton said,

    on July 23rd, 2012 at 6:20 am

    It seems that passwords are cars , women , sex and rock’n’roll 😀

  3. Avinash said,

    on August 2nd, 2012 at 5:51 am

    Password Generation can be very creative 🙂 Can remember the first masterkey passwords for motherboard BIOS and CMOS systems 15 years ago 🙂

    In General you should use a combination of alpha numeric, numeric and special characters combined with upper and lower case sensitivity. Simply take remember a whole sentence and take only the first character of each word.

  4. on August 5th, 2012 at 11:38 am

    Устройство бань, русская баня и баня

  5. Judy said,

    on August 14th, 2012 at 3:20 pm

    Thank you for your service, its a great help keeping the nutters at bay,

  6. SarahM26 said,

    on August 27th, 2012 at 1:14 pm

    I used to use the password pretty. Knowing what I know now about passwords, I will never use something so simple again.

  7. PooButter said,

    on August 27th, 2012 at 2:56 pm

    My pass word used to be zombieslayerpopchicktatoeyes

  8. on September 6th, 2012 at 5:54 am

    […] Kermit-5566, etc.) for a computer doing the guessing, it really doesn’t matter at all. The most used password roots are widely known and generally consist of real words, sequential numbers, and proper names.Chances […]

  9. GenNti Meta said,

    on January 22nd, 2013 at 3:39 pm


  10. said,

    on February 13th, 2013 at 12:06 pm

    Omg I want to be an expert hacker can anybody give me lessons. I need a teacher

  11. on February 28th, 2013 at 9:13 am

    […] Don’t set up weak passwords: Sounds like a given in today’s online world, but many users still use weak passwords, such as their pet’s name … or the name of their favorite sports team … or the ever popular “qwerty.” (For a list of the of the top 500 worst passwords of all time, go here.) […]

  12. jean said,

    on August 31st, 2014 at 8:57 pm

    Does anyone know of an app that will tell you as many different spelling variables for a certain password of your choice? Example… is my is to high for you\ismyiq2high4you\ismyiqtoohi4you.. and so on.

  13. Dylan said,

    on October 21st, 2014 at 11:58 am

    my primary school used #19 as the password on the pupils accounts

  14. DEEPTHY said,

    on November 25th, 2014 at 5:09 am

    I WANT TO KNOW. The Key Number should be eight digit long and it
    should contain at least one upper case letter (A,B,C,…), one lower case letter
    (a,b,c,…), one digit (0,1,2,3,…) and one special character (! @ # $ % ^ * ( ) –
    + { } ; : ).

  15. DEEPTHY said,

    on November 25th, 2014 at 5:11 am

    IN HIGH COURT ASSISTAT . ENTER THIS ……….The Key Number should be eight digit long and it
    should contain at least one upper case letter (A,B,C,…), one lower case letter
    (a,b,c,…), one digit (0,1,2,3,…) and one special character (! @ # $ % ^ * ( ) –
    + { } ; : ). The candidate is advised to note down the Key Number and to

  16. Password said,

    on January 22nd, 2015 at 12:35 pm

    Since 1977, I have been using composite passwords. I started when an administrator at The Ohio University handed out these really difficult to remember passwords. People would write them down because no one could easily remember them. IMHO, difficult to remember passwords for an individual is almost as bad as the Top 500, not as bad, but close.

    So what might be a good password? Well, not to give away my methodology, one I used to use was:

    example might be:


    This works as the site name is WhatsMyPassword and the IP of the server. This way you need only remember taking the first, third word from the serer name and then the IP address (assuming it doesn’t change). Of course, using the Dataviz Password Plus program can also help.

    Anyway, just a positive spin for anyone looking for a possible good password technique.

  17. on May 6th, 2015 at 1:06 am

    […] Top 500 Worst Passwords of All Time  […]

  18. MAu said,

    on June 26th, 2015 at 4:34 am

    RE “How does “abgrtyu” come about ?” Look at your keyboard and follow this reasoning: go from A to B (first two letters of alphabet), at B go up a left diagonal (GR) and then right (TYU); that gives abgrtyu. I used capital letters just like it shows on keyboards.

  19. Anonymous said,

    on July 14th, 2015 at 1:33 pm

    Lol the first 100 is all the passwords for the game “Amateur Hacker Simulator”

  20. Anonymous said,

    on July 14th, 2015 at 1:34 pm

    and some of them aren’t appropriate at all -_-

  21. on July 25th, 2015 at 4:07 am

    […] messages on Gmail, to buying things on Amazon. It used to be the case that as long as you avoided easily guessable passwords you’d be fine – unfortunately those days are long […]

  22. on July 25th, 2015 at 4:10 am

    Gostei muito desde site ! Mas quero aprender mais

  23. on August 25th, 2015 at 1:00 am

    […] book Perfect Password: Selection, Protection, Authentication. The same table is reproduced here, […]

  24. suraj said,

    on September 16th, 2015 at 5:12 am

    sir i want to know
    how to crack wifi passward using android phone

  25. neelima begum said,

    on October 4th, 2015 at 2:24 pm

    WHAT passwords do you guys suggest that we use for our password because I’m finding it hard to think of a password because everyone that I type says its to predictable soo please help me

  26. on October 13th, 2015 at 7:01 am

    […] Frequently used passwords […]

  27. on October 19th, 2015 at 10:37 am

    gostaria muito que vc me ajudasse a descobrir a senha do face do meu marido,pois pequei uma conversa dele num face que tenho a senha e através desse face descobri que ele tem outro oque eu quero que bescubra pra mim é esse que vou te passar o e-mail ( ) o nome do usuario é ( Acelmo Rodrigues)por favor me ajude é muito importante pra mim obg aguardo resposta.

  28. on October 22nd, 2015 at 4:40 am

    […] de bases de dados de vazamento de senhas. Achou grande demais? Tem uma lista menor, com as 500 senhas mais comuns, de uma só página. Vale dar uma […]

  29. on November 16th, 2015 at 11:26 am

    […] are easier for a hacker to guess, whilst on the subject of short passwords please see the table here, If you have any of the ones listed then you should change it now. Complex high entropy passwords […]

  30. on November 23rd, 2015 at 10:20 am

    […] you can find any variant of it in the top 500 worst passwords list, then you have a […]

  31. on December 6th, 2015 at 7:48 am

    hackearam meu instagram, iago_costa06 foi esse usuario ai

  32. Letícia said,

    on December 27th, 2015 at 6:20 am

    My passwords are not there. Hehehe 😝

  33. sagar said,

    on January 9th, 2016 at 12:29 am

    passwors are so easy to guess

  34. on January 30th, 2016 at 2:14 am

    […] tasso di successo ha anche l’uso di un dizionario composto dalle password più usate, come questo – suggerisco di buttarci l’occhio, per farsi un’idea di come spesso sia […]

  35. epicminecraft99 said,

    on February 19th, 2016 at 5:07 pm

    LAWL my password is not in here

  36. sunil hemane said,

    on March 28th, 2016 at 9:55 am

    A great fool side

  37. @heyidiot said,

    on April 22nd, 2016 at 12:37 pm

    What surprises me is “thx1138” is in there, but “reindeerflotilla” is not?

  38. tom said,

    on April 28th, 2016 at 1:28 am

    360 no scope mlg

  39. Nurfle said,

    on June 28th, 2016 at 12:23 pm

    Password entropy lesson

  40. @BeachWebDesign said,

    on July 3rd, 2016 at 5:53 pm

    Thanks for the page. I’m building a password generator called Password Gold, and having these references are great.

  41. GELSON said,

    on August 25th, 2016 at 2:00 pm

    hello I would like to discover the password for a gmail account as I do ?? need to find the password for that urgent care is a matter of urgency, have important files and projects in this account ( …….. I can not spend the email this person, most want to find out the password. . urgent thank you !!!

  42. zaben said,

    on August 29th, 2016 at 3:43 pm

    Hello there,,,
    I wish somebody help me to open my WD external drive ,

    I have a ‘My Passport’ external hard drive unit. I have never setup a password for the unit and have always just plugged it into the computer and found my files via my computer.

    I may have plugged the unit into the computer as it was still loading and I can no longer access my files. The unit is asking for a password?

    Can you please help
    My WD external drive Suddenly it is locked, I never put or used any password, and all over the sudden when I connect it to my pc it start asking for a password. sudden put a password on the drive.
    Please do something I need to open my data witch it is very important to me and my family.
    P/n: wdbabm750abk-00
    s/n: wxb1a3065950
    My email :

  43. Brendan said,

    on September 6th, 2016 at 7:25 pm

    Using Inside jokes or memories could make some really strong passwords. I have a password based off of something I wrote with fridge magnets, and I highly doubt anyone would guess it.

  44. Rich said,

    on April 3rd, 2017 at 4:50 pm

    What I hate are the sites that give you the option of answering a few simple questions if you forgot your password. Typically you are not able to make up the question – only the answer. Examples – what was your maternal grandmother’s first name? What was the make of your first car? What was you first pet’s name? In what city did you meet your spouse.

  45. jimmy said,

    on April 11th, 2017 at 11:38 am


  46. Paul said,

    on May 13th, 2017 at 9:35 am

    Great article!

    I’d be interested to know how the data was collected though…

    Anyway a few comments in response to the comments above:-

    Rich – Where is it written that you have to answer security questions truthfully? As long as YOU know what to answer! Simple, but (now obvious)) trick is to answer “Mother’s Maiden Name” (Very Common) with your Paternal Grandmother’s Maiden Name. I’m sure you can figure out others!

    Dylan – One school district I worked in had independent networks in each school (few years ago, before cheap high-speed WAN connections were available). In order to make it easy for the (travelling) techs, all the networks had the same root / main / domain admin password. They took security very seriously and followed the golden rule. They made sure that their passwords remained “aSecret”!!!

    Many of you – This is an article about making things secure. Do you honestly think that asking for advice on how to crack passwords is going to be productive?

    I have tried many, many systems over the years. Famous quotes (2b0n2b), lines from songs or even Monty Python scripts! (tbafw – see if you can figure where that one came from, and yes, it is waaaay too short!) Now, I use a password manager.

    Ultimately, however, it is systems managers who don’t understand how it all works and setting up crazy password policies that are mostly responsible for insecure systems (IMHO) I appreciate this article is about choosing a password, but I have real issues with the way many administrators set up the password policies. Like many things, what seems to make it more secure, actually has the opposite effect!

    For example, the forced password change really pisses me off. Why do it?? Yes, I know “in case someone has discovered your password”, but it actually gives you a false sense of security (while irritating your users). Why? Well, to begin with, the users you are targeting are the ones that probably either don’t understand the risks, or don’t give a rat’s-ass. Either way, if you combine it with the common “8 characters, 1 upper case and 1 non-alphabetic” a large number will use a word and put the capital at the start and a number at the end. For example, “Password1”. So, let’s assume the password is compromised. User is forced by the password policy to change it. Hacker comes along and the password no longer works! Oh no! Foiled! Really, what’s the likelihood that “Password2” might work?

    Next on my hit-list is insisting on particular types of characters actually reduces the number of potential passwords, which in turn leads to lower security. Combined with a bit of psychology and it gets worse! (Like my assertion that most people will put the digit at the end. That essentially takes an 8 character password and reduces it to 10 times a 7-character. So, instead of 218340105584896 possible passwords, we only have 3521614606208. One article I saw rated the former as taking a year to crack and the latter 10 weeks!

    Next comes the account lockout. 3 attempts and you are locked. 3??? really? Many, many people I have had this discussion with have suggested that 3 is far too high. I say “poppycock”! NIST suggests setting it as high as 50 and I agree! “Heracy” I hear you cry! But, stop and thing for a minute. If a password can e guessed in 50 attempts, it really isn’t that secure in the first place. The statistical difference between 3 and 50, in a password space in the Billions or even Trillions is insignificant. BUT if a user knows they have lots of attempts, they are LESS likely to use the same password for everything and MORE likely to use a complex password – in other words, the very things we are trying to encourage!

    Finally, think about what you are securing. At one company I worked at, the password policy that unlocked the “family jewels” so to speak (gained access to the network and, due to Single Sign-On, therefore Payroll, HR, Proprietary knowledge etc. etc.) was the common 8-character, 1 Upper Case, 1 Non alphabetic.. The Blog site, meanwhile, had 9-character, 1 Upper. 1 Numeric and 1 non alpha-numeric! If you run a public site. How important is security? It’s a trade off with usability and nobody is going to use a site that is unusable! Password Policies are a modern-day disease. It’s an attempt at providing a technological solution to what is, essentially, a social problem.

    If I haven’t convinced you yet, let me ask you this…

    When was the last time you visited the ATM or you Bank’s online banking website and were told to change your PIN / Password? Have you EVER had a PIN refused because it had been used before? Or wasn’t “complex” enough?

    No, me neither! Now ask yourself why? Maybe because we all know it’s our money and needs to be secure. We take the responsibility. THAT’S what needs to happen! Now, actually making it happen is a different matter.

  47. Paul said,

    on May 13th, 2017 at 9:40 am

    Having seen my comment (rant!) in full (As opposed to in this tiny edit box) I wish to apologize for two things:
    1. Typos. Oops!
    2. The length – I got on a roll!

  48. Andrew said,

    on June 27th, 2017 at 7:42 pm

    My password used to be “fuckoff” but I got hacked. I don’t know how they guessed. I changed my password now. It is now “123456”. No-one will guess it now.

  49. George said,

    on October 28th, 2017 at 4:10 am

    Ich schreibe gerade посмотреть, есть ли какой-нибудь nini hii inasema โชคดี vay’ nuqDaq ghoS pagh pa’ jang Suq chaq Daghaj sien jou op die plek waar die leeus later na drankies rondloop

  50. KandiceSmall said,

    on March 3rd, 2018 at 12:51 am

    I have checked your website and i have found some duplicate content, that’s why you don’t rank high
    in google, but there is a tool that can help you to create 100% unique content, search for;
    Boorfe’s tips unlimited content

Leave a reply