Today I got to look at the user table in an application with passwords stored as plain text. Out of around 7100 users, over 170 have the password “password.” Around 10 other users had heard that your passwords should contain letters and numbers, and thoughtfully chose the password “password1.” Needless to say, this application should probably store hashes of the passwords rather than storing them in plain text and also use some basic test of strength for the passwords that requires more than just lower case letters. What the experience left me with, though, was a burning desire to thwart users who specifically want to use the word “password” or any variation thereof as a password. I even want to create a special error message just for them, just to let them know that their combination of laziness and cleverness is not appreciated. Here’s a regular expression that matches many, many variations on the word password: /^p[a4@][s5][s5]w[o0]rd(\d*|\W*)$/i You too can stamp out the blight of your users using “password” as their password. Update: Accounted for people who substitute the letter “s” with the number “5.” Update: Now “p@ssword” is not allowed, either.