TempleDene Consultants

 Websites Brewed in Yorkshire

E: sales@templedene.co.uk Tel: 0113 350 4107 Mob: 07977 023 190

Password Security

I spotted this article in PC World magazine, which lists the ten most popular passwords. They are:
  1. password
  2. 123456
  3. qwerty
  4. abc123
  5. letmein
  6. monkey
  7. myspace1
  8. password1
  9. link182
  10. (your first name)
I would expand this list to include such things as your children's or spouse's name, your company name and a few other common words I have encountered.

To have a secure password it should be a mix of UPPER and lower case letters and some numbers. To make it REALLY secure, use some obscure characters such as ^ or #, or accented characters such as Ÿ, and make sure it is at least 8 characters long. It's easier than you think, too: make one up using numbers in place of letters, so peter becomes p3t3r or bill becomes b1ll, or use a car registration plate (not your current car's) or something else you can remember, or at least work out.

The reason for this is simple: that top ten list (and I would add several myself to make it at least a top twenty) is well known to anyone who fancies trying to guess your password. On top of that, password-breaking software will try one of two methods:
  1. Dictionary Attack
    Where the software literally has a dictionary of words and throws them at your password one by one.
  2. Brute Force
    Where the software tries combinations of characters sequentially, e.g. it tries a, b, c and so on, then aa, ab, ac, until it reaches its limits.
Now you'd think that second one would guess ANY password, but it won't, because of the time it takes to process. A simple example: if it just tried the 26 letters of the alphabet, and suppose it takes 1 second to try each combination, then the first pass with a 1-letter password takes 26 seconds, all the two-letter combinations take 26 x 26 seconds, or 676 seconds, all the three-letter combinations take another 17,576 seconds, and so on.

Obviously computers can process far faster than this, but because the time adds up logarithmically, this kind of attack limits itself to common letters, numbers and punctuation, and restricts the length of password it can try.
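As an added illustration (not part of the original post), here is the brute-force arithmetic from the paragraphs above generalised to any character set and length, alongside a dictionary-style check against the top-ten list. The guess rates, the 94-character printable set and the extra entry "secret" (from the anecdote later in the post) are assumptions made for this example.

```python
# Added example: worked arithmetic for the article's brute-force argument
# and a check against its common-password list. Not the post's own code.

# The PC World top ten quoted in the article, plus "secret" from the
# director anecdote (assumption: the author said he would extend the list).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "abc123", "letmein",
    "monkey", "myspace1", "password1", "link182", "secret",
}

# Character-set sizes (assumed): 94 is printable ASCII without the space.
CHARSET_SIZES = {
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "lower+upper+digits+punctuation": 94,
}

def combinations_of_length(charset_size, length):
    """Strings of exactly `length` characters over the charset (26, 676, 17576 ...)."""
    return charset_size ** length

def brute_force_attempts(charset_size, max_length):
    """Guesses needed to exhaust every length from 1 up to max_length,
    i.e. the 26 + 676 + 17,576 + ... sum the article walks through."""
    return sum(charset_size ** k for k in range(1, max_length + 1))

def worst_case_seconds(charset_size, max_length, guesses_per_second=1):
    """Worst-case time to exhaust the search space at a given guess rate."""
    return brute_force_attempts(charset_size, max_length) / guesses_per_second

def is_guessable(password, first_name=""):
    """Would a dictionary attack using the list above hit this password
    straight away? Entry 10 on the article's list is 'your first name'."""
    candidate = password.lower()
    return candidate in COMMON_PASSWORDS or (
        first_name != "" and candidate == first_name.lower())

if __name__ == "__main__":
    # Reproduce the article's 1-second-per-guess figures per length.
    for length in (1, 2, 3):
        print(f"{length}-letter passwords: {combinations_of_length(26, length)} seconds")
    # Assumed faster attacker (1e9 guesses/s): length and charset both matter.
    for name, size in CHARSET_SIZES.items():
        for length in (6, 8, 12):
            secs = worst_case_seconds(size, length, 1e9)
            print(f"{name:32s} length {length:2d}: {secs:.3g} s")
    print("p3t3r guessable by the list?", is_guessable("p3t3r", "Peter"))
```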

I must admit this is another reason why I think Microsoft DON'T GET SECURITY, as when I created a Hotmail account a while ago it wouldn't let me use punctuation in my password, so as far as I was concerned the password I created was insecure.

Now you will be asking: huh, well who wants to hack ME? The fact is they don't want to hack YOU; they just pick off the low-hanging fruit in the hope it might be worth it. Have you ever sent something private by Hotmail, or simply something you wouldn't want made public?

At one company I worked at, one of the directors thought he was so clever because when I needed his password he said "it's secret". I thought he meant he wouldn't tell me, so I began to explain I HAD to know it or I couldn't log in to his computer to fix it, and he stopped me and said "no, it's 'secret', that's my password". The company's financial information, all highly confidential, was secured by an eminently guessable password! Another company used password 5 on the above list for EVERYTHING; again, company confidential information was secured with something easily guessable, AND everyone in the office, some 30+ people, knew what it was!

I did point out how insecure this was, and I hope they have since taken steps to fix the problem, but considering how little notice they seemed to take, I doubt it.


Posted by Peter on Thu 24th May 2007 06:52:05
Last Modified on Mon 14th Dec 2015 12:35:32