Bad passwords … they are a gateway to account compromise, but users continue to opt for easy-to-remember options rather than creating strong, unique credentials. We've been reviewing SplashData’s annual “Worst Passwords List” for several years, and we've seen too much similarity for comfort from year to year. Though we saw some newcomers to 2018’s rankings, “123456” and “password” continue their undisputed reign (as they have for eight consecutive years).
Below, we present the top 25 passwords from the past four rankings. In the original graphic, the 2018 passwords shown in red have been in the top 25 at least twice since 2015 (though most of these are third- or even fourth-time offenders); passwords that have not been in the top 25 before are marked "(new)". One trend we noted: a resurgence in popularity of some passwords (like "111111" and "sunshine") that haven't been among the top ranks since 2015 or 2016.
| Rank | 2018 | 2017 | 2016 | 2015 |
|---|---|---|---|---|
| 1 | 123456 | 123456 | 123456 | 123456 |
| 2 | password | password | password | password |
| 3 | 123456789 | 12345678 | 12345 | 12345678 |
| 4 | 12345678 | qwerty | 12345678 | qwerty |
| 5 | 12345 | 12345 | football | 12345 |
| 6 | 111111 | 123456789 | qwerty | 123456789 |
| 7 | 1234567 | letmein | 1234567890 | football |
| 8 | sunshine | 1234567 | 1234567 | 1234 |
| 9 | qwerty | football | princess | 1234567 |
| 10 | iloveyou | iloveyou | 1234 | baseball |
| 11 | princess | admin | login | welcome |
| 12 | admin | welcome | welcome | 1234567890 |
| 13 | welcome | monkey | solo | abc123 |
| 14 | 666666 (new) | login | abc123 | 111111 |
| 15 | abc123 | abc123 | admin | 1qaz2wsx |
| 16 | football | starwars | 121212 | dragon |
| 17 | 123123 | 123123 | flower | master |
| 18 | monkey | dragon | passw0rd | monkey |
| 19 | 654321 (new) | passw0rd | dragon | letmein |
| 20 | !@#$%^&* (new) | master | sunshine | login |
| 21 | charlie (new) | hello | master | princess |
| 22 | aa123456 (new) | freedom | hottie | qwertyuiop |
| 23 | donald (new) | whatever | loveme | solo |
| 24 | password1 | qazwsx | zaq1zaq1 | passw0rd |
| 25 | qwerty123 (new) | trustno1 | password1 | starwars |
SplashData indicated that it analyzed more than five million leaked passwords for this year's list, and that most were from users in North America and Western Europe. (The organization did note, however, that exposed passwords from hacks of adult websites were not included in the analysis.) Like last year, 18 of this year's top 25 are repeat offenders, and the variety among the new entrants shows users' misguided attempts to add complexity. For example, the seemingly complicated "!@#$%^&*" is simply the "Shift" symbols over numbers 1 through 8 on a standard keyboard.
In speaking about the list, Morgan Slain, SplashData CEO, cautioned, “Hackers have great success using celebrity names, terms from pop culture and sports, and simple keyboard patterns to break into accounts online because they know so many people are using those easy-to-remember combinations.” In fact, it’s estimated that 10% of people have used at least one of this year’s 25 worst passwords, and that nearly 3% have used “123456.”
As you consider your comfort level with 10% of your employees using one (or more) of these passwords to safeguard their accounts, you should also consider what you’re doing to help move the dial on password hygiene. Instead of chalking these behaviors up to laziness, think instead about how daunting a task it is to create, remember, and manage a stable of complex passwords — a stable that only continues to change and expand — while also being told that you can’t reuse passwords or write anything down.
End users will always be the key to proper application of password best practices, and security awareness training remains the best avenue for influencing behaviors and reducing risk. We recommend making users aware of the importance of good password hygiene; providing interactive training about the techniques they can use to create and remember more complex password constructions; and offering guidance and recommendations about the extra tools (like password managers and multi-factor authentication) that can help them protect their data and yours.
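The observations above, that the worst passwords repeat year after year and that "complex-looking" entries such as "!@#$%^&*" or "qwerty123" are really keyboard patterns, translate directly into checks an organization can run at password-set time. The following Python is an added example written for this page, not code from SplashData or the original post: it builds a small denylist from the table's 2018 column, normalizes candidates so that trailing digits, capitalization and common letter-for-number substitutions do not disguise a listed word, and separately flags keyboard walks (rows, columns and the shifted digit row), repeated characters and short length. The keyboard layout, the substitution map and all sample inputs are constructed assumptions for illustration; a production denylist would be drawn from a full breach corpus rather than 25 entries.

```python
"""Screen candidate passwords for the weaknesses the SplashData list exposes."""
import re
import string

# Constructed from the 2018 column of the table above (illustrative, not a full corpus).
WORST_2018 = [
    "123456", "password", "123456789", "12345678", "12345", "111111",
    "1234567", "sunshine", "qwerty", "iloveyou", "princess", "admin",
    "welcome", "666666", "abc123", "football", "123123", "monkey",
    "654321", "!@#$%^&*", "charlie", "aa123456", "donald", "password1",
    "qwerty123",
]

# Shift held across the digit row 1..0 on a US keyboard produces these symbols.
SHIFTED_DIGITS = "!@#$%^&*()"

# Assumed US QWERTY layout: rows, a few columns, the shifted digit row, and the
# alphabet so that runs like "abcd" count as a pattern too.
KEYBOARD_WALKS = [
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm",
    SHIFTED_DIGITS,
    string.ascii_lowercase,
]

# Assumed common "leet" substitutions, mapped back to the letter they stand for.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

REPEAT = re.compile(r"(.)\1{2,}")   # the same character three or more times in a row
MIN_LENGTH = 8                       # assumed policy minimum


def normalize(pw):
    """Reduce a candidate to the word it is built on: drop trailing digits and
    punctuation, lowercase, and undo leet substitutions ("P@ssw0rd2019" -> "password")."""
    core = pw.rstrip(string.digits + string.punctuation).lower()
    return core.translate(LEET)


DENY = {p.lower() for p in WORST_2018}
# Normalized stems of the list; stems shorter than four characters (e.g. "aa")
# are dropped because they would match far too much.
NORM_DENY = {s for s in (normalize(p) for p in WORST_2018) if len(s) >= 4}


def has_keyboard_walk(pw, window=4):
    """True if any 4-character window of pw is a contiguous run (either direction)
    along one of the keyboard walks defined above."""
    s = pw.lower()
    for i in range(len(s) - window + 1):
        chunk = s[i:i + window]
        if any(chunk in walk or chunk in walk[::-1] for walk in KEYBOARD_WALKS):
            return True
    return False


def assess(pw):
    """Return the list of checks a candidate fails; an empty list means none of
    these screening checks fired (which is not the same as the password being strong)."""
    reasons = []
    if pw.lower() in DENY or normalize(pw) in NORM_DENY:
        reasons.append("denylisted")
    if has_keyboard_walk(pw):
        reasons.append("keyboard_walk")
    if REPEAT.search(pw):
        reasons.append("repeated_chars")
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    return reasons


def screen(candidates):
    """Map each candidate to its findings."""
    return {pw: assess(pw) for pw in candidates}


if __name__ == "__main__":
    # Constructed sample candidates: three disguised or patterned entries and one passphrase.
    samples = ["123456", "P@ssw0rd2019", "1qaz2wsx", "correct horse battery staple"]
    for pw, why in screen(samples).items():
        print(f"{pw!r:35} {'REJECT' if why else 'ok':6} {', '.join(why)}")
```

Two design points are worth noting. The normalization step is what catches "P@ssw0rd2019" and "Admin1": they are not on the list verbatim, but they reduce to a listed stem, which is exactly the "misguided attempt to add complexity" the article describes. The keyboard-walk check is independent of the denylist, so a pattern that has not yet appeared on any list (a column walk like "1qaz2wsx", or the shifted digit row) is still rejected.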