2017 Password Fails

Throughout 2017 I kept a note of all the passwords encountered across 71 onsite penetration tests I was engaged on or peer-reviewed. From all of those passwords, two were extremely memorable:

!IAmAdmin! was probably the best worst password encountered, set on the Administrator account of a Windows domain.

P4ssw0rd! is probably the MOST common password used as an initial password, with Letmein coming a close second. Yet, initial or not, I encountered that password still in use repeatedly throughout a number of engagements during 2017.

Interestingly, from the pool of passwords gained from the engagements throughout 2017, only 21 new passwords were added to my password list out of more than 17,000 passwords cracked. That means 16,971 passwords used were already on my password list. Makes you think, doesn't it?

Making a better password

The National Cyber Security Centre's advice to use three random words as a passphrase makes great sense; separating the words with special characters helps produce a long, hard-to-break and still memorable password. While I do not agree with the NCSC's stance that the password need never be changed, I do believe you would only need to change it every six months or so.

Top 25 List

The following list is the top 25 lines from my active password list that provide me with the most success on engagements:

1 - Abc123456!
2 - password
3 - P4ssw0rd!
4 - 12345678
5 - Qwerty!
6 - A123456789!
7 - Letmein1!
8 - letmein
9 - 1234567
10 - football
11 - iloveyou
12 - admin
13 - welcome
14 - starwars
15 - 123123123
16 - January2017!
17 - Sept17!!
18 - qazwsx
19 - trustno1
20 - MyPassword1!
21 - LiverpoolFC4thewin!
22 - 1HeartYou!
23 - FuckOff!2017
24 - GoAway!1
25 - Stupid11
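A defender-side password check built from the list above, added here as an example rather than a tool from the original post: it normalises a candidate password (case, punctuation, trailing digits, leetspeak) before comparing it against the blocklist, so variants such as P4ssw0rd! and Letmein1! are caught, and it also flags the month-plus-year habit behind January2017! and Sept17!! in general, not just those two entries. The TOP_25 list is copied from the page; the normalisation rules and the month/year regex are my own assumptions about what a typical wordlist-rule attack would cover.

```python
import re
from typing import Optional

# Constructed from the 25 passwords listed above. A real deployment would
# load a far larger breached-password list; the point here is the
# normalisation, which catches the variants without listing each one.
TOP_25 = [
    "Abc123456!", "password", "P4ssw0rd!", "12345678", "Qwerty!",
    "A123456789!", "Letmein1!", "letmein", "1234567", "football",
    "iloveyou", "admin", "welcome", "starwars", "123123123",
    "January2017!", "Sept17!!", "qazwsx", "trustno1", "MyPassword1!",
    "LiverpoolFC4thewin!", "1HeartYou!", "FuckOff!2017", "GoAway!1",
    "Stupid11",
]

# Digit-for-letter substitutions to undo (assumed set: 4->a, 0->o, 1->i,
# 3->e, 5->s). Applied only to passwords that contain letters, so purely
# numeric passwords are compared exactly as typed.
LEET = str.maketrans("40135", "aoies")

# Heuristic for "<month><2- or 4-digit year>" after punctuation is removed,
# e.g. january2017 or sept17. Deliberately loose; tune before production use.
MONTH_YEAR = re.compile(
    r"^(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*(19|20)?\d{2}$"
)


def normalise(password: str) -> str:
    """Reduce a password to the base word an attacker's rules would start from."""
    core = re.sub(r"[^a-z0-9]", "", password.lower())   # drop case and symbols
    if not re.search(r"[a-z]", core):
        return core                                      # digits only: keep as-is
    core = re.sub(r"\d+$", "", core)                     # strip year/counter suffix
    return core.translate(LEET)                          # undo leetspeak


BLOCKED = {normalise(p) for p in TOP_25}


def check_password(password: str) -> Optional[str]:
    """Return a rejection reason, or None if no weak pattern was found."""
    stripped = re.sub(r"[^a-z0-9]", "", password.lower())
    if MONTH_YEAR.match(stripped):
        return "month+year pattern"
    if normalise(password) in BLOCKED:
        return "matches a known weak password after normalisation"
    return None
```

Because the comparison happens after normalisation, Passw0rd2019 is rejected for the same reason as P4ssw0rd!, even though neither the exact string nor the year appears in the list.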

Check out some of our other blog articles to find out how you can set up a super secure password.
