Cars Ranked By Their Popularity As Passwords

Car Passwords Ts2
ADVERTISEMENT

If you’re new around here, I’m sorry to tell you—the Internet is not a safe place. Roaming bands of online bandits are out to get you, and your choice of password is often all that’s holding them back. As it turns out, one’s choice of password can be a window to the inner self. It can reveal a cherished pet, a loved one’s birthday, or even the car that most captivates our heart and soul. The latter is what concerns us today, so I decided to find out—which cars make for the most popular passwords?

My analysis is based on a popular list of the 10,000 most popular passwords, which you can read yourself on Wikipedia if you so desire. It’s actually part of a much longer list of the 10 million most popular passwords, first published in 2015 by security researcher Mark Burnett. The list was compiled from illicit leaks of usernames and passwords from a wide variety of websites and services, and was created as a guide to help people pick stronger, better passwords. More recent lists exist, but seldom few include more than a couple hundred entries. Thus, we’ll root our study in the year that Dieselgate changed the world.

Oh, and just a note for those not up with security topics—you shouldn’t use any of these obvious passwords. It can make it trivially easy for hackers to access your accounts should they be victim to a leak.

Right away, there’s a strong, clear dominance of one automotive icon above all others. It’s the Ford Mustang, an American hero clothed in the red, white, and blue. Now, few of us would argue against the idea that the Mustang is popular, but in password terms, it absolutely destroys all opposition. No other automaker or model gets close, in password terms. Coming in as the #23 most popular password, “mustang” ranks up there with other legends like “baseball”, “dragon”, and “qwertyuiop.” It even outperforms such thigh-slappers as “fuckyou” (#31), “starwars” (#59), and “computer” (#64).

20231211 115810

Indeed, another celebrated member of the Detroit dynasty comes in as the second most popular car password. “corvette” was the 102nd most popular choice, likely favored due to its easy memorability and the fact it satisfies any site that wants eight letters or more as a minimum length requirement. It’s indicative of a strong American tilt to the results, almost certainly due to the sources that were included in the analysis. “maverick” comes in at #138, but somehow, I suspect that most users didn’t pick this as a tribute to Ford’s obscure compact car built from 1970 to 1977 in North America, Brazil, and Venezuela. The name would only gain serious automotive relevance again when Ford announced its new compact pickup in 2022, long after this dataset was compiled.

We don’t have to go much farther down the list to find more car references though. We see “camaro” claiming third place at #140, rounding out the podium for American muscle cars. Sadly, Dodge doesn’t really rate; “charger” only ranks #1509, for example.

2012 Camaro Ss 042
Good old American muscle dominates the list.

Bougie cars start to show up at this point, tailing behind the best of America’s automotive output. The Prancing Horse leads the charge, with “ferrari” ranking #147. You could certainly argue for “falcon” at #145 or “morgan” at #143 if you were particularly British, but you wouldn’t convince this hackneyed Australian journalist that they had true merit as automotive references for most people. We then see “mercedes” at #153 and “porsche” at #179. Indeed, the latter could have scored higher had Porsche’s fans been less security conscious; the vote was split with “porsche1” and “porsche9” also very popular choices in the lower end of the top 10,000. Indeed, these brands outperformed such cultural heavyweights as “cocacola” (#243), “marlboro” (#249), and even the wizard who is never late (“gandalf”, #250). There’s a bevy of dirty words that all fall in this range too, and I’m smart enough not to jeopardize myself by printing them here.

At this stage, there are also a few other entries that deserve honorable mentions. Fans of a big American hog will appreciate “harley” at #45. The world’s premiere stock car racing series also stakes its popularity on the list, with “nascar” coming in at #161. “yamaha”, Japan’s manufacturer of fine motorcycles, pianos, and synthesizers, also stars early at #197.

You might have expected Toyota to do well, given it is regularly the best-selling automaker in the world. The passion for affordable, reliable vehicles runs deep, and it’s the first Japanese automaker on the list at #271. For the Brits, “jaguar” (#350) is the first on the list, but it’s a hollow victory of sorts; big cats are popular and “panther” got #260, so it’s hard to entirely credit the company with this one. “nissan” does well to come in at #424,  while the company’s ever-popular “skyline” scores at #886.

Pontiac outperformed Holden, despite the former dying first.

Brands you’ve heard of pop up across the rest of the list. “saturn” gets a low entry at #494, and “mercury” at #727, but both are planets, which boosts their fanbase. Chevrolet is in at #651 as “chevy”, closely followed by “suzuki” (#724), “hummer” (#742), “honda” (#797), and “ford” (#806).

Stellantis brands aren’t so hot, though, with “dodge” (#1892) , “jeep” (#2388), and “chrysler” (#5703) all doing poorly. Indeed, they’re beaten by “lincoln” at #1077, and “pontiac” (#1101) despite the latter being dead for years. Hell, even Nissan’s front-wheel-drive sedan did better (“maxima”, #1183). The Australians are well down the list, with “holden” scoring a nonetheless respectable #1711, just ahead of Volkswagen’s family sedan (“passat”, #1802).

It’s interesting to note which models and brands perform better than others. Aspirational brands with strong passion behind them do best. Meanwhile, the very top performers are those models which owners tend to make a major part of their identity—hence the Mustang and Camaro doing so well. It’s a similar story for other passwords in the list, too. There are a lot more Metallica fans than Pantera fans in the world, but to the latter group, Pantera forms a much deeper part of who they are. That might help explain why James Hetfield’s band finished second to Dimebag Darrell’s; they came in at #557 and #556 respectively. Similar effects are likely at play behind the “firebird” (#1079) and “integra” (#1244) outperforming “vauxhall” (#8343) and “hyundai” (#9956), too.

Hyundai I30 N Reveal 02
Hyundai’s design and brand cache has come a long way since 2015; but is it more popular as a password? It’s an open question almost nobody is asking.

Overall, you might be getting strong Baby Boomer or Gen X feels from this list, and you would be right in that assumption. “vanhalen” and “seinfeld” are high up the list in the 1900s, while the Millennial set will appreciate “naruto” at #705″ and “cartman” at #523.

The cars reflect the biggest pop culture references of these generations. It would be interesting to do a similar survey on more recent password dumps and see how trends have changed over time. Maybe Gen Z are all logging in with “altima” and “fiat500”. However, our shifting culture and technology frustrate that effort. These days, even poorly-built websites tend to demand the insertion of numbers and symbols which makes simple passwords impossible to use anymore. More contemporary lists are typically shorter, too, with a few hundred entries at most—not enough to get a rich cross section of the automotive passwords commonly used in the wild.

I hope you’ve enjoyed this dive into the incredibly niche world of automotive passwordery. Feel free to share your own password in the comm – just kidding, we all know it’s “browndieselmiatawagon427.” Oh, and if one of your passwords was actually listed above? You, uh … you should really consider going with something more secure. Stay safe out there!

Image credits: Ford, Nissan, GM, Hyundai, Google screenshot

About the Author

View All My Posts

96 thoughts on “Cars Ranked By Their Popularity As Passwords

  1. I do have a bunch of spreadsheets at work that are locked to prevent format changes with various Nissan and Honda engine codes, but those don’t get out on the internet.

  2. I’ve only got one password that references a car (engine code) and it’s part of a longer convoluted password. I couldn’t imagine making a basic password like “mustang” or “corvette” lol.

      1. There’s nothing more satisfying than handing over a password for a new person to sign in that’s like, RaiseHellPraiseDaleSweetN!nePoundEight0unceLittleBabyJesus@42 and telling them yeah, you need to change that after logging in.

  3. The key is to create a passphrase based on something you like or that is highly memorable but doesn’t use any of the direct words. For example, pretend me drives a blue Porsche 911 Targa. So my passphrase based on that fact could be ToplessOceanEmergency69! That’s… secure…

  4. I’ve always considered cars to be fairly strong passwords, considering the mix of letters and numbers. I figure obscure and detailed would be important for security though. So instead of “Fiat500,” perhaps “1984BertoneX/19,” gets a good mix of numbers, letters, and special characters

  5. With the internet being what it is, I have a strong inkling that “hummer” is not really correlated to the truck. Rhyming with truck? More than likely 🙂

  6. You can use car names, you just gotta go upmarket for the good choices. LandRoverRangeRoverEvoque2.0TD4E-Capability4x4HSEDynamic.
    LamborghiniAventadorLP750-4SuperveloceRoadster.
    Boom! Instant security.

    1. You can CorrectHorseBatteryStaple it for more security by dreaming up some horrifying engine swap/ mashup too. SAAB2stroke914Schwimmwagen, just off the top of my head.

  7. I did once use a couple variations on El Camino as a password, but not “elcamino” that pops up at 6965 (so, I guess that was working well?). Of all the vehicles I’ve owned, “liberty” is apparently the highest ranking one “728), but I don’t think it’s actually driven by KJ fans.

    I was going to say motorcycles might be the answer (lots of letters and numbers), but both gsxr750 and gsxr1000 show up, so you might have to get a little more obsure. “holygrail5spdzj” isn’t popular yet.

    Lastly, shout out to the people who managed to popularize “mazda626” – it’s on the list, but apparently Miata is not always the answer.

      1. The story, all names, characters, and incidents portrayed in this production are fictitious. No identification with actual persons (living or deceased), places, buildings, and products is intended or should be inferred.

  8. “It can make it trivially easy for hackers to access your accounts should they be victim to a leak.”

    If there’s a leak and the hacker has the login info what difference does it make if my password is PorscheSuxBallz! or %5+dAP’wP*ry5$? At least I have some chance of remembering the former.

    Besides don’t most websites have multi level confirmation now? Otherwise why do I always have to go dig up my phone to press the button that says YES it’s me damnit!

    1. It wasn’t clear, but I think the point is that people who use stupid passwords probably reuse stupid passwords. You should have passwords that are unique and difficult to guess for every account.

      1. Again why would that matter? A password is useless without the website and account its paired to. If a hacker gets it from your personal device I’d expect they will get the passwords too, if so it wouldn’t matter what the password is.

        Introducing a delay between attempts and a lockout/reset after a certain number of failed attempts is what most sites I use do to prevent hacking. Sure they MIGHT guess PorscheSuxBallz! on the first couple of trys but its more likely they’d try Porschesuxballz, PorscheSucksBalls, FlatSixBeetleSuxBallz! GoddamnIt!PorschesFUCKINGSUCK!!! and several others first triggering a lockout.

        1. Websites with decent security do not store your actual password. So when they are hacked, hackers don’t just open a virtual box with a bunch of passwords inside. The passwords are hashed, and the website only stores the hash result. More complex passwords (1) are more difficult to guess w/ brute force/computing power, (2) result in more complex hash results, when are themselves more difficult to decode when the site is hacked.

          I do agree on length being more important than character types. I believe those requirements are just a way to force you not to use something extremely stupid like “camaro” or “mynameisjohn,” but I’m not a big enough nerd to know for sure.

          Please, everyone, just use a password manager (which, again, does not have your actual passwords! so it’s safe!)!

    2. Yes, complex passwords are mostly useless. It just makes them harder to remember, and therefore more likely to write it down or otherwise have it somewhere easy for bad actors to find. Expiring passwords have the same problem, it’s not like a hacker is going to give you a grace period after stealing your password.
      Length is the best defence, but only against brute force/dictionary attacks which no one is gonna use to get your facebook password. All those rules mean nothing for leaked databases or if you fall for a phishing scam.

      1. you fall for a phishing scam.

        Which is how the vast majority of identity theft actually happens these days. Nobody bothers attacking the encrypted passwords because it’s so much easier to trick someone into giving you their password.

    3. I’m a big proponent of using song lyrics for passwords. Length is the best security, and having a good, easily memorable phrase (and tons to choose from) help all the more.

        1. I use the complete text of 19th century romantic novels. You’ll have to guess which ones though.

          The Bronte sisters don’t want you to know this one little trick to secure your online accounts.

  9. “For the Brits, “jaguar” (#350) is the first on the list, but it’s a hollow victory of sorts; big cats are popular and “panther” got #260, so it’s hard to entirely credit the company with this one.”

    Panther was also a British car company.

    I still want a Panther Solo.

  10. Remember folks, random alphanumerics are relatively easy for computers to guess. Go for long phrases that are easy for you to remember. Every character you add makes it harder for a computer to brute-force it.

    “AnAlligatorWasSpottedOnTheMoonIn1948” for example.

    1. Interesting, what about those passwords that iPhones suggest when you are opening an account somewhere? If I know its something I am going to use only on my phone I go for it, but if I am going to open that application in my computer hell no lol so random

      1. So I put in some random gibberish, SKIJ*(879*&$%, in the first random password strength checker google turned up, it gave me 78 thousand years to crack the password.

        Using AnAlligatorWasSpottedOnTheMoonIn1948 I got 5 billion years. 5 orders of magnitude higher.

        Complexity doesn’t really matter to a computer, upper, lower case, special characters, eh. It runs through them at the same speed. However every additional character adds a significant amount of time

        1. But that’s all theoretical. In practice, any site worth hacking (e.g., banks, even ecommerce sites that store payment information) will lock out a user after a few consecutive unsuccessful attempts. And no hacker is using an automated brute-force attack to hijack Kinja accounts and post bad takes over on the other site and its siblings (or maybe they are, and that explains a few things…)

          You can use your alligator password if you want, but the “strong” passwords suggested by password managers are more than adequate if that’s someone’s preference.

          1. Oh 100%. Its so much easier to get ahold of the database of usernames and passwords through social engineering or bad IT practices.

            But we weren’t talking about how you’d actually go about hacking an account.

            1. Of course we were talking about how to hack an account. That’s the whole point of guessing someone else’s password — to gain access to their account. And it doesn’t matter if it would take a supercomputer 1,000 years of 1,000,000 years to guess a given password — your account won’t be compromised as long as the provider locks out further attempts after a few consecutive failures, which is how all accounts worth breaking into operate.

                1. And, since you are more likely to need to reference a list to recall a difficult to remember password, less likely to be written somewhere near your computer or stored in a file that may not be secure.

                2. Oh, ok. You win. You are very smart. I’m going to change all my passwords to stories about alligators now that would take a supercomputer 5 billion years to guess instead of the password manager generated ones that would take it only 100 thousand years… even though the accounts get locked after 3 incorrect tries. I can’t believe how vulnerable my accounts were before!

                  Is that what you wanted to hear?

          2. Yes, the most important thing is not to compromise your password. Use a different one on your banking site than your email address, and definitely use a different one for Kinja or whatever else. If you use the same (or very similar) password all over the place, it’s only as strong as the weakest website you use it for.

      2. Use a password manager that syncs across devices. Have it pick and fill in messed up passwords for you. Don’t bother remembering any of them.

      1. It is an exact science (for a given computer) if someone was using a brute force attack checking every possible combination… which no one is gonna do for one randos amazon account.

    2. It seems to me the easiest way to foil brute force attacks is to require a delay between attempts, say 3 seconds for the first 5 tries then 10 minutes till you can try again. After three of those you get locked out and have to call IT to reset.

      At least that’s how my bank does it.

      1. I don’t think anyone brute forces through a website. Even without a delay, the round trip of sending the login request and waiting for a response makes it impractical. The reason you want a brute force-resistant password is for the inevitable password database leak that will happen to a site you’ve used and expose your hashed password. Once an attacker has that hash, they can attempt as many combinations as they have processing power.

Leave a Reply