By SecureWorld News Team
Thu | Oct 10, 2019 | 7:50 AM PDT

National Cybersecurity Awareness Month is a great time to remind everyone you know that there are 15 extremely overused and ridiculously vulnerable passwords they should never use.

Let's take a look at the worst password list for the last few years. And because little changes (as you'll see), the worst offenders have staying power.

Worst passwords people use: top 15 list

SplashData analyzed millions of leaked passwords that revealed the most popular (and worst) passwords people are using. These are incredibly easy for hackers to guess.

The passwords from the 2018 list which are in bold have been discovered on the worst password list at least three out of the last four years.

In other words, many users just keep going with what's easy.

And beyond the obvious ones you see here, there are more "hot" passwords that cybercriminals know to try.

Morgan Slain, SplashData CEO, puts it like this:

"Hackers have great success using celebrity names, terms from pop culture and sports, and simple keyboard patterns to break into accounts online because they know so many people are using those easy-to-remember combinations."

Weak passwords create risk for users and organizations

And the weak and risky password problem typically extends to multiple accounts, including the organization's corporate logins.

Research shows an estimated 10% of employees use a "worst password" on the list.

Gretel Egan, security awareness training specialist for Proofpoint, frames the issue like this:

"As you consider your comfort level with 10% of your employees using one (or more) of these passwords to safeguard their accounts, you should also consider what you're doing to help move the dial on password hygiene.

Instead of chalking these behaviors up to laziness, think instead about how daunting a task it is to create, remember, and manage a stable of complex passwords—a stable that only continues to change and expand—while also being told that you can't reuse passwords or write anything down."

New NIST guidelines on passwords

Just like everyone else, hackers are automating their account break-ins and takeovers. This means a stolen or leaked password you use on one account can quickly be tried against your other accounts by an automated program.
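The automated replay the paragraph describes leaves a recognisable trace in authentication logs: one source trying many different accounts in a short burst, rather than one user fumbling their own password. The following is an added example (not code from SecureWorld or any vendor quoted here) that flags such sources; the log lines, field layout, 5-minute window and 5-account threshold are all constructed assumptions.

```python
"""Flag likely credential-stuffing sources in an authentication log.

Added example, not from the article. The log format and sample lines
are constructed; adapt parse_line() to your own auth log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, result.
# 203.0.113.7 replays a leaked credential list against six accounts in
# a few seconds; 198.51.100.9 is one user retrying their own login.
SAMPLE_LOG = """\
2019-10-10T07:50:01Z 203.0.113.7 alice FAIL
2019-10-10T07:50:02Z 203.0.113.7 bob FAIL
2019-10-10T07:50:02Z 203.0.113.7 carol FAIL
2019-10-10T07:50:03Z 203.0.113.7 dave SUCCESS
2019-10-10T07:50:04Z 203.0.113.7 erin FAIL
2019-10-10T07:50:05Z 203.0.113.7 frank FAIL
2019-10-10T07:51:00Z 198.51.100.9 alice FAIL
2019-10-10T07:51:30Z 198.51.100.9 alice SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: sorted usernames} for every source IP that attempted
    at least `min_users` distinct accounts inside any `window`-long span.

    A person mistyping a password keeps hitting one account; an automated
    program trying a leaked password against other accounts hits many.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, _ = parse_line(line)
        attempts[ip].append((ts, user))

    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        # Slide a window starting at each event and count distinct accounts.
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for ip, users in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip} tried {len(users)} accounts: {', '.join(users)}")
```

A SUCCESS inside a flagged burst (dave, above) is the account whose reused password just worked elsewhere; that login is the one to reset and to protect with MFA first.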

So how can you protect yourself, your employees, and your organization? NIST issued new password guidelines in 2018 and offered these tips for quickly increasing password security:

  1. Use multi-factor authentication (MFA) if you have the option, instead of relying on passwords alone. Or require this for employee logins.
  2. Use a phrase with multiple words you can picture in your head. For example: "IeatChipotleontuesday" (your Tuesday lunch choice) or "homestarbucksofficehome" (your daily routine).
  3. Use a password manager like Keeper or LastPass to save your passphrases so you don't have to remember them. This increases the likelihood you or your employees will make each one unique.

Should organizations blacklist certain passwords?

Perhaps you have implemented a password blacklist at your organization that prevents the "worst passwords" from being used. However, for an increasing number in security, this is just a start:
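The NIST tips above and the blacklist idea in this paragraph combine naturally into one screening check at password-set time: reject anything on a denylist of commonly used passwords (including the "Password1!" variants of them), anything below a minimum length, and the simple keyboard patterns Morgan Slain mentions. The following is an added example, not SecureWorld's or SplashData's code; the denylist entries are a constructed sample standing in for an organization's own list of leaked passwords, and the 8-character minimum is the user-chosen-secret floor from NIST SP 800-63B.

```python
"""Screen a candidate password against a denylist, a length floor and
keyboard-walk patterns. Added example; the denylist is a constructed
sample, not SplashData's published list.
"""
import re

# Constructed sample denylist (assumption: replace with your own list of
# leaked / "worst" passwords, stored lower-cased).
WORST_PASSWORDS = {
    "123456", "password", "123456789", "12345678", "12345",
    "111111", "1234567", "sunshine", "qwerty", "iloveyou",
    "princess", "admin", "welcome", "666666", "abc123",
}

# Keyboard rows, used to detect runs like "qwerty" or "asdfgh" in either direction.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets


def normalize(pw):
    """Lower-case and drop trailing digits/symbols, so 'Password1!' is
    compared as 'password' and still hits the denylist."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def has_keyboard_walk(pw, run=4):
    """True if `pw` contains `run` adjacent keys from one keyboard row."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in s:
                    return True
    return False


def screen_password(pw):
    """Return the list of reasons `pw` is rejected; an empty list means accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in WORST_PASSWORDS or normalize(pw) in WORST_PASSWORDS:
        reasons.append("appears on the denylist of commonly used passwords")
    if has_keyboard_walk(pw):
        reasons.append("contains a simple keyboard pattern")
    return reasons


if __name__ == "__main__":
    # The article's passphrase examples pass; common patterns do not.
    for candidate in ["IeatChipotleontuesday", "Password1!", "qwerty123", "admin"]:
        verdict = screen_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The screen deliberately has no composition rules (no "one uppercase, one symbol" requirement): the denylist and length floor do the work, which is why a long, memorable passphrase like the article's examples is accepted while "Password1!" is not.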

"I understand the intent of providing a black list of passwords users should not use. However, I think the larger problem is that passwords are a poor choice of authentication and we are stuck with it," says Chris Morales, head of security analytics at Vectra.

"We need a system that is easier for a user to use and implement without having to remember so many rules on what can or cannot be applied to a password.

Multi-factor authentication, leveraging who you are (biometrics) and what you have (authenticator app tied to specific device), are much stronger than any password regardless of what list that password might be on."

And moving beyond the password is certainly something we've been hearing more about during our 2019 cybersecurity conferences.