
In spite of everything—the leaks, the breaches, the myriad privacy risks—a large majority of people are still using “password” and “123456” as their password. Folks, it’s long past time to stop taking security shortcuts.
Security services firm SplashData has released its ninth annual Worst Passwords of the Year list, which assesses more than 5 million leaked passwords to determine those most commonly shared by hackers. This year’s list has revealed that people are still using easily guessable and common passwords to guard their data, including those frequently cited in past reports as being particularly susceptible to attacks.
While “password” fell two spots on this year’s list compared to last year’s, it remains in the top five—along with “123456” and “123456789.” There are some newcomers to the list, such as “qwertyuiop” and various repeated number sequences like “7777777.” However, the report notes that even passwords that appear complicated are in fact created using keys situated next to each other on the keyboard. It adds that these types of passwords “may seem to be complex but will not fool hackers who know millions of people use them.”
Behold, the worst of the worst:
1 - 123456 (rank unchanged from 2018)
2 - 123456789 (Up 1)
3 - qwerty (Up 6)
4 - password (Down 2)
5 - 1234567 (Up 2)
6 - 12345678 (Down 2)
7 - 12345 (Down 2)
8 - iloveyou (Up 2)
9 - 111111 (Down 3)
10 - 123123 (Up 7)
11 - abc123 (Up 4)
12 - qwerty123 (Up 13)
13 - 1q2w3e4r (New)
14 - admin (Down 2)
15 - qwertyuiop (New)
16 - 654321 (Up 3)
17 - 555555 (New)
18 - lovely (New)
19 - 7777777 (New)
20 - welcome (Down 7)
21 - 888888 (New)
22 - princess (Down 11)
23 - dragon (New)
24 - password1 (Unchanged)
25 - 123qwe (New)
And an additional 25 from SplashData-owned TeamsID:
26 - 666666
27 - 1qaz2wsx
28 - 333333
29 - michael
30 - sunshine
31 - liverpool
32 - 777777
33 - 1q2w3e4r5t
34 - donald
35 - freedom
36 - football
37 - charlie
38 - letmein
39 - !@#$%^&*
40 - secret
41 - aa123456
42 - 987654321
43 - zxcvbnm
44 - passw0rd
45 - bailey
46 - nothing
47 - shadow
48 - 121212
49 - biteme
50 - ginger
“Our hope by publishing this list each year is to convince people to take steps to protect themselves online, and we think these and other efforts are finally starting to pay off,” SplashData CEO Morgan Slain said in a statement. “We can tell that over the years people have begun moving toward more complex passwords, though they are still not going far enough as hackers can figure out simple alphanumeric patterns.”
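The keyboard-adjacency and repeated-sequence patterns the report describes can be caught mechanically when a password is set. The following is an added example, not code from SplashData or the original article; it assumes a US QWERTY layout, and the function names and the 0.75 threshold are illustrative choices.

```python
# Added example: flag repeated-chunk and keyboard-walk passwords.
# Assumption: US QWERTY layout; names and the 0.75 threshold are illustrative.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SHIFTED = str.maketrans("!@#$%^&*()", "1234567890")  # shifted number row
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def adjacent(a, b):
    """True if keys a and b are the same key or physical neighbours."""
    if a not in POS or b not in POS:
        return False
    (r1, c1), (r2, c2) = POS[a], POS[b]
    dr, dc = r2 - r1, c2 - c1
    if dr == 0:
        return abs(dc) <= 1
    # Rows are staggered: a key sits below-right of the same column above it.
    if dr == 1:
        return dc in (-1, 0)
    if dr == -1:
        return dc in (0, 1)
    return False


def walk_ratio(pw):
    """Fraction of consecutive character pairs that are neighbouring keys."""
    keys = pw.lower().translate(SHIFTED)
    if len(keys) < 2:
        return 0.0
    hits = sum(adjacent(a, b) for a, b in zip(keys, keys[1:]))
    return hits / (len(keys) - 1)


def classify(pw, threshold=0.75):
    """Return 'repeated', 'keyboard-walk', or None if neither pattern fits."""
    for n in (1, 2, 3):  # one chunk of 1-3 characters repeated throughout
        if len(pw) > n and len(pw) % n == 0 and pw == pw[:n] * (len(pw) // n):
            return "repeated"
    return "keyboard-walk" if walk_ratio(pw) >= threshold else None


# Sample input: entries copied from the list in this article.
SAMPLE = ["1q2w3e4r", "qwertyuiop", "1qaz2wsx", "!@#$%^&*", "zxcvbnm",
          "7777777", "123123", "121212", "dragon", "passw0rd"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw:12} {walk_ratio(pw):.2f} {classify(pw)}")
```

A `None` result only means neither pattern matched; dictionary words such as “dragon” and simple substitutions such as “passw0rd” are still on the list above and need a separate check against known leaked passwords.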
Data breaches are, unfortunately, an inevitability. But using strong, unique passwords for each of your accounts can prevent a bad actor from using the leaked credentials of one login to access various other accounts. The easiest way to do this is with a password manager, which will randomly generate unique passwords for all of your accounts and store them for you so that you aren’t tempted to recycle common, similar, or otherwise weak passwords for your accounts—be it for your bank or Netflix. Everyone should also enable two-factor authentication everywhere it’s available, preferably using an authentication app (which is baked into many password managers).
And for the love of god, please stop using “password” as your password—no matter the account.