Another year in the books ... another batch of bad passwords to peruse. We reviewed SplashData’s 2016 and 2015 editions of its “Worst Passwords List” in prior years. When it comes to 2017's rankings, it's possible Yogi Berra's quote, "It's deja vu all over again," has never been more apt.
(Un)Lucky #7 for ‘123456’ and ‘password’
According to SplashData, the Worst Passwords of 2017 was based on more than 5 million passwords that were leaked during 2017. Though the data set was much larger than in earlier years (e.g., 2 million passwords leaked in 2015), results have not changed too much. In fact, “123456” and “password” sit at the top of the heap of the most commonly used passwords for the seventh consecutive year (making them the undisputed champs since the list was first published in 2011).
To shake a little of that "same old, same old" feel, we've changed things up a bit this year. Below, we present the top 25 passwords from the past three rankings. The 2017 passwords in red have been in the top 25 at least twice since 2015 (though the rankings may have changed from year to year).
| Rank | 2017 | 2016 | 2015 |
|---|---|---|---|
| 1 | 123456 | 123456 | 123456 |
| 2 | password | password | password |
| 3 | 12345678 | 12345 | 12345678 |
| 4 | qwerty | 12345678 | qwerty |
| 5 | 12345 | football | 12345 |
| 6 | 123456789 | qwerty | 123456789 |
| 7 | letmein | 1234567890 | football |
| 8 | 1234567 | 1234567 | 1234 |
| 9 | football | princess | 1234567 |
| 10 | iloveyou | 1234 | baseball |
| 11 | admin | login | welcome |
| 12 | welcome | welcome | 1234567890 |
| 13 | monkey | solo | abc123 |
| 14 | login | abc123 | 111111 |
| 15 | abc123 | admin | 1qaz2wsx |
| 16 | starwars | 121212 | dragon |
| 17 | 123123 | flower | master |
| 18 | dragon | passw0rd | monkey |
| 19 | passw0rd | dragon | letmein |
| 20 | master | sunshine | login |
| 21 | hello | master | princess |
| 22 | freedom | hottie | qwertyuiop |
| 23 | whatever | loveme | solo |
| 24 | qazwsx | zaq1zaq1 | passw0rd |
| 25 | trustno1 | password1 | starwars |
As noted, 18 of this year's top 25 are repeat offenders, and "new" dictionary words and simple combinations round out the rest of the group. (Even the seemingly random "qazwsx" isn't random at all; it's the letters from the two left columns on a standard keyboard.) Given these lists, it's no wonder password security continues to be a sore spot for organizations (and governments) at all levels.
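The patterns noted above can be screened for when a password is set. The following is an added example, not SplashData's method or code from this article: it checks a candidate against the 2017 column, and goes a step further by flagging keyboard walks like "qazwsx" and simple suffix or character-swap variants. The US QWERTY layout, the suffix set, the substitution map and the function names are assumptions.

```python
# Added example: screening a candidate password at set/change time.
# Blocklist is the 2017 column of the table above.
WORST_2017 = set("""123456 password 12345678 qwerty 12345 123456789 letmein
1234567 football iloveyou admin welcome monkey login abc123 starwars 123123
dragon passw0rd master hello freedom whatever qazwsx trustno1""".split())

# Assumed layout: US QWERTY rows, plus the columns read top to bottom
# ("1qaz", "2wsx", ...), each usable in either direction.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COLS = ["".join(r[i] for r in ROWS if i < len(r)) for i in range(10)]
LINES = [l for line in ROWS + COLS for l in (line, line[::-1])]
# Every run of 3+ adjacent keys along one row or column.
RUNS = {l[i:j] for l in LINES
        for i in range(len(l)) for j in range(i + 3, len(l) + 1)}

SUFFIX = "0123456789!@#$%^&*.?_-"          # assumed trailing decoration
UNLEET = str.maketrans("0@$3", "oase")     # assumed character swaps


def is_keyboard_walk(pw):
    """True if pw splits entirely into runs of 3+ adjacent keys."""
    pw = pw.lower()
    ok = [True] + [False] * len(pw)  # ok[n]: first n chars are all runs
    for end in range(3, len(pw) + 1):
        ok[end] = any(ok[s] and pw[s:end] in RUNS for s in range(end - 2))
    return len(pw) >= 3 and ok[-1]


def screen(pw):
    """Return why pw should be rejected, or None if no rule matches."""
    low = pw.lower()
    if low in WORST_2017:
        return "listed"
    if is_keyboard_walk(low):
        return "keyboard walk"
    # Strip a trailing digit/symbol suffix, then undo common swaps.
    if low.rstrip(SUFFIX).translate(UNLEET) in WORST_2017:
        return "variant of listed"
    return None


if __name__ == "__main__":
    # Constructed candidates, including two entries from the older columns.
    for candidate in ["qazwsx", "zaq1zaq1", "1qaz2wsx", "Passw0rd!",
                      "Football2017", "correct horse battery staple"]:
        print(f"{candidate!r}: {screen(candidate)}")
```

A `None` result only means none of these three rules matched; it says nothing about the password's overall strength.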
But, you might be wondering, how many of the 5 million leaked passwords appear on this list? SplashData estimates that about 10% of people have used at least one of this year's 25 worst passwords, with nearly 3% using the worst password ("123456"). If we think about that in terms of a 10,000-person organization, that would equate to 1,000 employees and 300 employees, respectively. It's not very comforting to think of 300 email accounts safeguarded by 123456, is it?
As always, end users remain the key factor in application of password best practices. Cybersecurity awareness training is critical to moving the dial. We recommend making users aware of the importance of good password hygiene; providing interactive training about the techniques they can use to create and remember more complex password constructions; and offering guidance and recommendations about the extra tools (like password managers and multi-factor authentication) that can help them protect their data and yours.