What the Most-Easily Guessed Passwords Reveal About Your Personality

A company called SplashData annually publishes a list of 100 of the most-easily guessed passwords people use. Easily guessed means easily stolen.

Let’s dissect some of these easily guessed passwords and explain what each one reveals about the personality of those who use them.

123456. An easily guessed password like this takes no thought to devise, no mental energy to memorize, and no physical effort to type out. Sounds like it appeals to the lazy—and you’d be right for thinking that. But in fact, it turns out that 123456 is beloved by fearless people. Indeed, you need to be incredibly gutsy to use 123456 as your secret code, considering that it’s 2018’s least-safe password.

password. Those who dislike loneliness and prefer lots of companionship choose this one. In 2018, enough of a crowd gathered around password to make it the Number 2 most-easily guessed login of all.

qwerty. The Number 9 most-easily guessed password for 2018. I skipped Numbers 3 through 8 because they were just 123456 with the addition of the next digit or digits in proper numerical order (in other words, 1234567, 12345678, and so on). Using qwerty as a password indicates a fondness for inventing words out of desperation when playing Scrabble. It also indicates a probability of getting hacked a lot.

Still More Easily Guessed Passwords

iloveyou. Coming in at Number 10, this easily guessed password brands the user as a hopeless romantic. Or, alternatively, as someone who maintains unhealthy (and unsafe) relationships with password-protected websites and apps.

admin. Twelve on this year’s list, admin as a password choice means the user yearns for power. Really, who wields more mighty authority than a system administrator? No one. So people type admin in order to feel powerful. Cybercrooks looking to penetrate your computer type admin because they believe in power-sharing.

welcome. This is the password preferred by people who are the friendly type. Hospitality is their thing. Hackers, of course, appreciate feeling right at home inside someone else's computer. welcome made it to the Number 13 spot on the list of most-easily guessed passwords.

666666. This one marks the beastly serious fan of horror movies. The person who uses 666666 never screams out in terror until the moment his or her computer becomes possessed by devilish criminals. Rank: 14.

abc123. The Jackson 5 and its pre-teen frontman Michael Jackson cause people who choose abc123 as their password to swoon. It also causes hackers to swoon because it makes getting inside a computer easy as abc.

!@#$%^&. Users of this password hope hackers mistake it for symbolic cussing. Not a chance. That’s because !@#$%^& is just 12345678 with the shift key depressed while typing. Easily guessed password rank: 20.

Trends Become Apparent

Millions use the passwords discussed above (along with the others on the list of 100 most-easily guessed passwords) to protect themselves.

And the term protect gets used loosely here.

SplashData came up with this list by sifting through the wreckage of 5 million password-protected accounts hacked during 2018.

If you look at the full list, a few trends become apparent. Many easily guessed passwords consist of a short, simple alphanumeric combination.

Others are the name of a celebrity. (Donald seems to be a top choice just now.)

Still others are a word taken from the field of sports. (Football is a consistent favorite.)

Safety Tips

The point of this post is to encourage you to from now on use only strong passwords.

At Valet, we believe a tough-to-guess password is at least 12 characters long and made up of a variety of scrambled letters, numerals, and special symbols.

Valet also recommends you never use the same password as your login at more than one website (or to gain access to more than one app). Instead, create a different password for each website or account.

As well, Valet urges you to use a password generator. They’re available free from lots of sources and are tough to beat for assembling a random combination of letters, numbers, and special characters.

Finally, Valet advises you to never share your passwords with anyone, change your passwords often, and use a secure program to store and manage passwords.

If you’d like more information about password strength or just want to pick up more insights about website security, then please send an email to the very helpful and friendly folks at Valet.

Granting Agencies Access And Site Supporting Infrastructure

One of the first things you do, when you're onboarding with new agencies that will do some kind of work on your website, is to grant them access. Before granting them full access you should think, what they need to do, and what level of access is needed in order for the agency to complete the job.

If you are hiring an agency for SEO, likely they will not need full website access. You might say, well, I trust these folks, and what if they outsource the work? Will you trust the third party hired from UpWork?

Every website contains sensitive data, like emails, all kinds of personal data, billing, and revenue details depending on the business, and more. Imagine, someone exports the list of all users you have and send that to your competitor.

Levels Of Admin Access

There are different levels of WordPress admin access from lowest Subscriber to full access Administrator:

WordPress Admin Access From Lowest Access To Full Access List

So, in our case, SEO Agency can use the Editor role, and it will allow them access to the entire content, including Yoast settings for the desired post/page.

In case they need to install a plugin or edit the code, you can always ask your developer or support Agency to do that for them, and by doing that you are limiting the risk.

On top of wp-admin access, we also have server access, DNS access, and access to other 3rd party services you might use (Google Search Console, Google Analytics, and many more). For example, with server access, you can easily delete the entire website if you are not careful.


So, before granting access to these you should always think about what the Agency needs to do, and if this level of access is needed. If you are in doubt, be free to ask your developer or support agency.

Moving from Password Expirey to 2 Factor Authentication

Whether you have a large membership site or just a couple of administrators, it's important to provide a secure login experience. Secure logins help to minimize the chances of data loss, identity theft, and fraud. There are many tools available to help you do this within your WordPress website. Today I will talk specifically about moving from a forced password expiry tool to using 2 Factor Authentication.

Choosing a 2 Factor Authentication tool

Photo by alexander ehrenhöfer on Unsplash

Before you can start using 2FA you need to take stock of how you want the process to work for users. Not all tools work the same, so you have to make sure whatever you pick is right for you. Do you need an app? Is SMS only ok? How many delivery options for the code would you like?

Here are a few examples of 2FA plugins that work a bit differently:

At the end of the day, you need to make sure your delivery options fit your users' workflow and how they are equipped. For example, if your company has a 'no cell phones at work' policy, you don't want to have an SMS 2FA tool. Conversely, if you don't have company email addresses, email only might be problematic.

Test it out

It's very important that you use a staging website to enable and test a plugin like this before you activate it.

You can run into trouble with a tool that may have a conflict with your host or your website code and may lock you out unexpectedly. We actually had this happen when testing a few of the 2FA plugins available.

Moving from Password Expirey to 2 Factor Authentication: WordPress Admin Login one-time password incorrect

Understand how it works before you go live. Try all the various authentication methods and document what was easy and what was not during the process.

If you have a small user base, get them to test it too.

Inform your Users

Once you have chosen the best tool for you, you need to make sure you give your users instructions on how to use it. This can be done via a document in a knowledge base, a video, or whatever your preferred mode of communicating processes is. Your users need to know how it works.

Consider providing links to more in-depth how-to articles. Most tools you will enable are going to have information already available on how to use them. You can also try to anticipate any issues and give a couple of FAQ that you built from your experience testing the tool.

Give everyone a firm deadline and be prepared to do some handholding for a couple of days following the switch.

Enjoy a secure login experience

Moving from Password Expirey to 2 Factor Authentication: WordPress Admin login verification code sent to email

And just like that, you have a more secure login experience! The most important thing here is that you test and communicate the change before going live.

If you have more questions you can always contact us!

Weak Passwords Used by Visitors Can Jeopardize Your Website’s Security—Here’s How to Curb the Risk

As website security vulnerabilities go, weak passwords seem like no biggie.


A friend of mine learned the hard way the truth about weak passwords and the visitors who love them.

So as not to embarrass my friend, let’s keep his name out of this. It’s enough for you to know he operates a successful B2B website with thousands of paying subscribers.

They come to his online enterprise for fast, easy access to hard-to-uncover biz information. Users access these data once they create an account and supply a password.

Most passwords on file at my friend’s site earn at least a grade of B for strength.

However, some deserve a grade of F.

They qualify as weak passwords because anyone with a tiny bit of smarts can guess them.

And guessing them is exactly what happened at his site this past spring. Clever hackers figured out a few very weak passwords and then used them to access the vulnerable customers’ accounts.

From there, they went on to penetrate the website’s inner machinery. Just waltzed right in.

Then they hoovered-up practically his entire trove of super-valuable data—the info his subscribers were paying big bucks to utilize.

To appreciate how valuable my friend’s business-insights data were, check this out. When the thieves broke in, all they took was the biz data. They completely ignored the user credit-card account numbers and anything that might have helped them commit identity theft.

Weak Passwords are Dangerous

The loss of these business data devastated my friend’s enterprise. Nearly sank it, in fact. Thankfully, though, he rebounded and survived to tell the tale.

weak passwords are easy to hack
Typical hacker preys on typical wimpy password user about to go online at an old-style internet cafe.

But the point is, all his woes stemmed from weak passwords. Not his passwords. Those of his site users.

Make no mistake, weak passwords create website security vulnerabilities. In turn, security vulnerabilities hurt website health.

I mention all this because cybersecurity firm SplashData just released a list of the Top 100 weak passwords of 2018. (The Los Gatos, California, company puts out such a list every year after analyzing the millions of passwords stolen during the previous 12 months.)

Topping the new list is an old favorite. It’s 123456. Coming in dead last is qwerty123.

Next time, I’ll list the whackiest of the  weak passwords—but with a twist you’ll see nowhere else. In addition to giving you the weak passwords, I’ll also offer a tongue-in-cheek analysis of what each one reveals about the user’s personality.

OK, sneak preview. The common thread in all 100 weak passwords is laziness. People use weak passwords because it requires no real mental effort to create and memorize them. They also require only a minimum of physical effort to type when asked to give them at login.

Mix Those Characters

So, let’s cut right to the chase. How do you avoid creating weak passwords? How do you instead create strong ones that make hackers hate you?

Here’s what the experts usually suggest.

First, make your passwords at least eight characters long.

Better yet, make ‘em 12 or more characters long.

Second, use a hodgepodge of letters, numbers, and special characters. That’s letters, as in abc. Numbers, as in 123. Special characters, as in !*@.

But don’t go like this: abc123!*@. Yes, that’s nine characters—more than the safe minimum. What’s wrong is it merely groups these different characters instead of shuffling the deck.

The different character types need to be interspersed, like so: ab1*3@c!2

The reason for interspersing is that it forces hackers to work super-hard to crack your password.

And if they have to work super-hard, they may decide it’s not worth the trouble to mess with you. They’ll leave you alone and go try to crack the weak passwords of other people.

Use a Password Generator

Now, it might happen that you lack the time or creativity to come up with a strong password on your own. In that case, use a password generator. It does all the work for you.

Another reason to use one is it arranges characters randomly. Many people end up with weak passwords because they fashion them from easily memorized names or dates.

For example, they’ll use their spouse’s first name as the password. Or their favorite pet’s name. Maybe the address of their home. Or the date of an important anniversary.

Advice to you: don’t do this. At hacker school, cyberthieves learn on the first day of password-cracking class to plug in the names of the targeted person’s loved ones. Those names turn up easily enough in Google searches of public records.

As well, break the habit of saving and storing your passwords on the browsers you use. Your browser is the first place hackers look when they manage to penetrate your firewalls.

Don’t even write passwords down on a sheet of paper. Instead, commit them to memory or use password-management software from a trusted source. Norton comes readily to mind.

Be sure to close your browsers after every online session. Better yet, close them after each visit to a website. According to security experts, an idled but open browser is practically the same as rolling out a red carpet to cyberthieves and putting up a big neon sign that reads “Hackers Enter Here.”

Talk to Valet—They Understand Site Security Issues

Let’s return to the story of my friend the B2B website owner.

After the hacking that nearly ruined him, he took steps to prevent a repeat.

One of those steps involved contacting every user of the site and warning them about weak passwords.

He sent them emails, he used his blog, and he added a passwords section to his website’s FAQ page.

But he did more than just warn. He also provided instructions for how to make wimpy passwords look like Popeye’s biceps after a can of spinach.

The instructions he offered were very similar to those you read here today.

Please take to heart the tips I’ve shared with you. Meanwhile, if you’d like to talk to people who truly understand the role of good security in keeping your website healthy, then please fire off an email to Valet.

Valet has some website health and security ideas you’re going to like.

Does Logging Into Your WordPress Dashboard from a Public Wi-Fi Pose a Website Security Risk? Unlikely, Says Wired

We've always been told not to use airport Wi-Fi. But do we listen? Wired magazine says ignoring the advice might be OK.

Website security ranks high up on the list of things that make for a healthy online property.

Accordingly, Valet devotes much effort to helping you keep your site as secure as possible.

Mostly, that involves looking for weaknesses that hackers could potentially use to carry out their evil plans.

But it also involves reminding you to not do things that needlessly put website security at risk.

Like using an airport’s Wi-Fi network when you need to log into your WordPress dashboard.

Or, using a hotel’s Wi-Fi for that same purpose.

Ditto a coffee shop’s online onramp.

C’mon, you know why those are a bad move, right? It’s because Wi-Fi services in those public locations are, well, public.

And using a public Wi-Fi means that anyone else using that same network can potentially see your activities. As such, when you log into your WordPress dashboard, you risk exposing your user name and password.

The result? Ten minutes after you end that public Wi-Fi session your website about antiques turns into an off-track betting parlor.

Either that or every last drop of your customer data vanishes—hoovered up for use in a million criminal ways.

Website Security Helped by HTTPS

That said, this bit of news from Wired magazine will surprise you. Perhaps shock you, even.

In a Nov. 18 article, Wired gave readers the green light to start using public Wi-Fi free of worry. Here’s the lowdown.

According to Wired, you can thank HTTPS for making it possible to log onto your website (or any other) via a public network. And to do so without fear of throwing website security out the window.

Because of HTTPS, hotel and airport Wi-Fi networks pose less of a threat to website security than they used to. The networks themselves remain as risky as ever. But not the sites you want to visit. Those configured for HTTPS now offer pretty good security.

Perhaps you recall our recent post in this space about HTTPS. Read it here if you need your memory refreshed about HTTPS or if you missed the post.

Basically, HTTPS prevents prying eyes from looking at the website pages loaded onto your screen.

Sure, they still get to see the address of those websites. But that’s about all—unless the website security protocol of the property you’re visiting doesn’t include HTTPS. In that case, anything goes.

Cybercrooks Hunting Better Prey

The Wired article made the point that public Wi-Fi networks are safer today because cybercrooks lost interest in them. More effective for victimizing you are spear phishing and cryptomining. Neither of those requires thieves to lurk around airports, hotels, and cafes.

Wired quoted a website security issues researcher named Chet Wisniewski. He said this:

“A lot of the former risks, the reasons we used to warn people, those things are gone now. I’m telling people to enjoy public Wi-Fi.

“What’s in it for the adversary? Why would you choose monkeying with the Wi-Fi at the airport or the hotel over some other attack method? When you look at the profitability and the risk, it just doesn’t make sense other than an amateur to be doing it for giggles.”

According to another website security expert, the spread of HTTPS drives hackers to adopt other theft strategies. Tod Beardsley said this to Wired:

“If you’re in the U.S., the web is pretty well encrypted. It’s unusual to go to a website that matters and it’s not HTTPS. Because of that, the threat, and really the risk, of going on even sketchy local Wi-Fi has dramatically dropped.”

To support all this, Wired trotted out some interesting statistics. The magazine reported that just 20 percent of the Top 100 websites employed HTTPS as their default position in 2016. Today, the percentage stands at 70.

Other Website Security Ideas Related to Public Wi-Fi

Wired talked about two actions you can take to further play it safe when you use a public Wi-Fi network.

First, use a virtual private network. “A VPN sends all of your traffic through an encrypted connection, meaning that the hotel or anyone else can’t see where you’ve been or what you’re doing,” Wired wrote.

Second, create a private hotspot with the aid of your Smartphone. Wired offered no tips for making that happen. But it did say your phone needed an unlimited data plan in order for the private hotspot to work.

If you care to learn more about website security, please contact Valet. Valet can help you improve your website’s security. Improving website security is the foundational step to improving website health. And website health is foundational to making your online property the success you expect it to be.

Australia’s New Cyber-Snooping Law May Create Website Security Issues Affecting Health of Your Online Property

Australia’s new cyber-snooping law may create website security issues for online properties everywhere—not just in Oz.

Specifically, the website security issues analysts at Valet believe your WordPress site’s health could be affected.

Website health appraisal hierarchy
Valet assesses site health by taking a holistic, hierarchical approach.

Here’s how. The new law requires internet providers serving Australia to remove privacy protections currently preventing police from monitoring encrypted online activity.

Additionally, the law seems to make it OK to share with other countries’ police and spy agencies whatever Australia uncovers.

For example, American law normally prevents the U.S. government from eyeing encrypted visitor sessions at your website. To spy on them, the feds must first get a warrant. (Unless they claim a Fourth Amendment exception carved out in a past Supreme Court ruling.)

However, American authorities can skip the whole due process bit. They need only ask their Australian counterparts to pass along Australian-collected intel relating to the U.S. spy target. Australia’s new law seeks to ensure the continued availability of this intel. And in richer detail.

National Security is Law’s Justification

The Australian parliament approved the new cyber-snooping law on Dec. 6.

According to news reports, a desire to prevent terrorist attacks drove Australian legislators to get onboard with it.

Some observers describe the new law as giving Australian security officials “unprecedented” powers.

From Yahoo News:

“Canberra can compel international providers—including overseas communication giants such as Facebook and WhatsApp—to remove electronic protections, conceal covert operations by government agencies, and help with access to devices or services.

“[Lawmakers] brushed off warnings from tech giants that the laws would undermine internet security….Global communications firms, including Google and Twitter, have repeatedly said the legislation would force them to create vulnerabilities in their products, such as by decrypting messages on apps, which could then by exploited by bad actors.”

There lies the reason this new law creates website security issues. Take away encryption protection to make the police happy and you also end up making cyber-crooks happy.

Yahoo quotes one cybersecurity chief who basically said anyone can use a backdoor once installed. Cops, crooks, kids just messing around. It amounts to vulnerability baked right into the cake and ripe for exploitation.

Remember how in past posts in this space we talked about the magic of HTTPS? Do you recall our descriptions of HTTPS as a boon to internet security?

Well, some or all of HTTPS’s wonderful goodness could go out the window. All it would take is for providers to build backdoors as required by Australia’s new law.

Valet Addresses Website Security Issues

Critics of the law argue that the presence of backdoors represents a blow to privacy-as-a-business-model. They contend that the ability to claim privacy as a value-proposition ends if the law reduces or eliminates privacy.

And now for some hope-stirring news. Various influential organizations in and out of Oz convinced the Australian government to consider modifying the measure in coming months.

What’s more, the government promises to give it a top-to-bottom review in about a year or so to see if it needs extra amending.

Admittedly, this new law may in the end reveal itself as a website security issues nothingburger. In that case, the law likely continues on unchanged.

On the other hand, it might turn out that the critics nailed it. In that case, the government may relent and loosen things up. Time will tell.

In the meanwhile, why not give Valet a shout and invite our team of website security issues experts to poke around under the hood of your site. They’ll almost certainly find at least a few things that can be improved to boost the state of your website’s health.