Use strong and unique passwords

By Randy Hutchinson

President of the BBB of the Mid-South

Reprinted from The Commercial Appeal

I write a column every few years about the dangers of using simple passwords that are easy for hackers to guess. And every time my research finds that the most common passwords people employ are pretty much the same.

Cybernews analyzed over 15 billion passwords, many stolen in data breaches, and found the five most common in 2025 are:

  1. 123456
  2. 123456789
  3. qwerty – the first five letters on a keyboard
  4. password
  5. 12345

NordPass and Wikipedia also found 123456 to be the most common. I was a little dismayed to find my son Matthew’s name listed as number 92 by Wikipedia because I used to use “Matt” in many of my passwords; I don’t anymore. Sports (baseball, football, soccer, hockey) and superheroes (superman, batman) also made the top 100, as did a distressing number of naughty words and phrases.

The first tip for creating a password is to not use one of the common, easily guessed passwords. And don’t use your mother’s maiden name, your pet’s name, your high school, or any other word that can easily be found on your social media or other online sources.

A strong password should have at least 12 to 16 characters with a mix of upper- and lower-case letters, numbers and symbols. An article on ScamBusters.org does a particularly good job of explaining the value of more characters. In what are known as “brute force attacks,” hackers can run through billions of possible combinations of characters in seconds. Each character you add increases the number of possible combinations astronomically. Consider that:

  • A one-letter password only requires at most 26 guesses.
  • Two letters would create 26 x 26 combinations, or 676.
  • At least twelve characters would create billions of billions of combinations, which ScamBusters.org says would take centuries to run through.

Make your password creative, such as lyrics from a song or a passage from a poem or famous speech. Or use a passphrase that is meaningful enough to you that you’ll remember it but that a hacker couldn’t possibly guess, such as PurpleMilk#367JeepDog$ (which presumably meant something to the author of the article on passwords I found it in).
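The tips above can be turned into an automated check. The following is an added example, not part of the original column: it rejects the common passwords the column lists, flags personal words, enforces the 12-character minimum and the character mix, and generalizes the 26 and 26 x 26 arithmetic to whatever character classes a password uses. The function names and the sample password "Matt2019" are constructed for illustration.

```python
import string

# The five most common passwords listed above, plus the sports and superhero
# words the column names. A real deployment would load a full breach list.
COMMON = {"123456", "123456789", "qwerty", "password", "12345",
          "baseball", "football", "soccer", "hockey", "superman", "batman"}

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
MIN_LENGTH = 12  # lower bound of the 12-to-16 range recommended above


def classes_used(password):
    # Characters outside these four ASCII classes are ignored (assumption).
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]


def search_space(password):
    """Worst-case brute-force guesses: alphabet size ** length."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def check_password(password, personal_terms=()):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    if lowered in COMMON:
        problems.append("common password")
    for term in personal_terms:  # pet names, schools, family names, etc.
        if term and term.lower() in lowered:
            problems.append(f"contains personal term: {term}")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = sorted(set(CLASSES) - set(classes_used(password)))
    if missing:
        problems.append("missing: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    for pw in ["123456", "Matt2019", "PurpleMilk#367JeepDog$"]:
        print(pw, check_password(pw, ["Matt"]), f"{search_space(pw):.2e}")
```

The search-space figure is an upper bound for blind guessing only; a password that appears on a breach list is found long before that bound matters, which is why the common-password check comes first.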

Once you’ve settled on a strong password, bolster it with other security measures, starting with not using the same password on other accounts or applications. In a process called “credential stuffing,” hackers exploit the human tendency to reuse passwords by attempting to access accounts using usernames and passwords stolen in data breaches or acquired by other means. In 2023, a restaurant chain with over 240 locations revealed that the information of 340,000 of its customers had been stolen using credentials obtained from third-party sources.

When it’s available and supported by accounts, use two-factor authentication (also called multi-factor authentication) that requires both your password and additional information when logging in. The second piece is generally a code sent to your phone or a random number generated by an app or token. This will protect your account even if your password is compromised. Many devices include fingerprint or facial recognition to unlock them, which helps protect any apps on the device if it’s lost or stolen.

Consider using a password manager, which is a software application that stores and manages online credentials. It can also generate strong passwords.