10 passwords you should never use on Facebook—or anywhere

Consumer Reports News: May 11, 2010 10:08 AM

Many people have had their Facebook account broken into by criminals, according to our latest report on consumer experiences on social networks. One victim told us how a con artist used her friends list to try to obtain money from her personal friends.

How do criminals break into a Facebook account? One way is to guess your password, so it’s important to always use a strong one that’s at least eight characters long and includes numbers, symbols, and upper- and lower-case letters. (For more advice on staying secure on Facebook, see 7 things to stop doing now on Facebook.)

Facebook won’t let you create a password that’s fewer than six characters long and, when you try to create any password, it will tell you how strong or weak it is. Words found in the dictionary are considered very weak. In fact, when you try to enter many common words, such as “season,” Facebook rejects them and displays this message:

Password change not successful.

You may not use a dictionary word as your password. Please choose a more secure password.

Surprisingly, I found on Monday that Facebook still accepts a number of common short words, even though they are in the dictionary. These should never be used as a password without adding at least one digit and a symbol somewhere in the middle of the word. Here are 10 that I was able to use, even though Facebook rated all of them as “weak”:

  • circus
  • orphan
  • better
  • higher
  • medley
  • valued
  • secure
  • social
  • hijack
  • victim

Another surprise: Facebook accepted some passwords that are nearly as risky, namely a short first name followed by one digit, such as joseph1 and susan1. The site also accepted dictionary words longer than 6 characters, which it rated as weak, such as haircut, blunder, and criminal.

By the time you read this, Facebook may well have blocked the use of the above passwords. But the fact that it accepted them, contradicting its own warning about using dictionary words, is worrisome. If Facebook is to minimize account theft, it should tighten up such loose ends by rejecting all passwords that are too weak, including all common dictionary words.

To find out how strong or weak a password is, try Microsoft’s password checker.

Has your social network account ever been hijacked? If so, share your story below, including any information that may help others avoid the same fate. Also share any tips you may have for creating passwords that are strong but easy to remember.

—Jeff Fox
