One of my favorite things “found on the web” is the list of 10,000 Most Common Passwords compiled by Mark Burnett at Xato.net. That list is six years old as I write this, and since then Mark has compiled a new list of 10 million passwords.
He did not actually publish them on his site, or provide a CSV file directly. He gives you a Torrent link on his web page. If you’re so inclined, you can get the file on your own.
He had some great tips for monitoring your accounts:
How can I monitor my accounts to know if they have been leaked?
I would suggest the following:
1. Create a Google alert for your email address, username, and domain if you have one.
2. Create a Pastebin account and set alerts for your email address, username, and domain if you have one.
3. Sign up for account monitoring at haveibeenpwned.com, pwnedlist.com, breachalarm.com, canary.pw, or a similar site (feel free to add similar sites in the comments if you know of others).
A few other tips:
You should be using a long, complex password. Sometimes a site will let you use an eight-character password. Make sure it’s AT LEAST nine characters – longer is better. Complex means it should include upper-case letters, lower-case letters, numbers and symbols. Also, please use common sense. Password1! conforms to all of these rules, but is a horrible password for anything that might be exposed to hackers. DO NOT use the same password for everything – for obvious reasons.
I recommend using an encrypted password storage program or service. If you do this, make the encryption key very long, complex and something only you would think of. I use a whole sentence with capitalization and punctuation. Keep in mind, this is the key to the kingdom. On the bright side, you only need to remember that one password. Now, you are free to use passwords like R6X2my+J2x9~58 because you don’t have to memorize them! The password manager will do that. I understand it’s a bit of a pain, but you will definitely improve your online security.
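The two points above – that complexity rules alone don’t catch a password like Password1!, and that a password manager lets you use random strings you never have to memorize – can be seen in a small checker and generator. This is an added example written for this post, not code from Mark Burnett or Xato.net; the `COMMON_PASSWORDS` set is a constructed stand-in for the top of a common-password list (a real check would load the full file), and the function names are my own.

```python
import secrets
import string

# Constructed excerpt standing in for the head of a common-password list
# such as the Xato 10,000 list. A real deployment loads the whole file.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789",
    "letmein", "football", "iloveyou", "admin", "welcome",
    "password1", "password1!",
}

MIN_LENGTH = 9  # the post's "at least nine characters"


def complexity_problems(pw: str) -> list:
    """Return the complexity rules the password fails (empty list = passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    return problems


def is_common(pw: str) -> bool:
    """True if the password, or its 'stem', is on the common-password list.

    Lower-casing and stripping trailing digits/symbols means that
    'Password1!' is recognised as a dressed-up 'password'.
    """
    lowered = pw.lower()
    stem = lowered.rstrip(string.digits + string.punctuation)
    return lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS


def evaluate(pw: str) -> list:
    """Combine the rule check with the dictionary check ("common sense")."""
    problems = complexity_problems(pw)
    if is_common(pw):
        problems.append("appears on the common-password list")
    return problems


def generate_password(length: int = 14) -> str:
    """Generate a random password like the R6X2my+J2x9~58 in the post.

    Uses the secrets module (a CSPRNG), not random; re-draws until the
    result passes the same checks we apply to user-chosen passwords.
    """
    alphabet = string.ascii_letters + string.digits + "+~!@#$%^&*-_="
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not evaluate(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("password", "Password1!", "R6X2my+J2x9~58"):
        print(f"{candidate!r}: {evaluate(candidate) or 'OK'}")
    print("generated:", generate_password())
```

Run it and `Password1!` passes every complexity rule yet is flagged by the list check, which is exactly why the rules are a floor, not a guarantee.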
You might have noticed that some web sites, particularly banks, are using two-factor authentication. These sites make you log in with a username and password, then send you a code on a key fob, or your cell phone. You have to enter that code to proceed. Some sites will let you do this, but don’t require it. You should use two-factor authentication when possible. Again, I know it’s inconvenient. Security is inconvenient.