Although bad passwords are a gateway to account compromise, users continue to opt for easy-to-remember options rather than creating strong, unique credentials. SplashData’s annual “Worst Passwords List” illustrates the long-standing nature of the problem; though there were some newcomers to 2018’s top 25 rankings, “123456” and “password” continue their undisputed reign (as they have for eight consecutive years).
But the issue goes deeper than these two offenders, as can be seen in the following chart, which presents the top 25 worst passwords from the past four rankings. The 2018 passwords in bold have been in the top 25 at least twice since 2015 (though most of these are third- or even fourth-time offenders). One trend to note for this year is the resurgence in popularity of some passwords (such as “111111” and “sunshine”) that haven't been among the top ranks since 2015 or 2016.
| Rank | 2018 | 2017 | 2016 | 2015 |
|---|---|---|---|---|
| 1 | **123456** | 123456 | 123456 | 123456 |
| 2 | **password** | password | password | password |
| 3 | **123456789** | 12345678 | 12345 | 12345678 |
| 4 | **12345678** | qwerty | 12345678 | qwerty |
| 5 | **12345** | 12345 | football | 12345 |
| 6 | **111111** | 123456789 | qwerty | 123456789 |
| 7 | **1234567** | letmein | 1234567890 | football |
| 8 | **sunshine** | 1234567 | 1234567 | 1234 |
| 9 | **qwerty** | football | princess | 1234567 |
| 10 | **iloveyou** | iloveyou | 1234 | baseball |
| 11 | **princess** | admin | login | welcome |
| 12 | **admin** | welcome | welcome | 1234567890 |
| 13 | **welcome** | monkey | solo | abc123 |
| 14 | 666666 (new) | login | abc123 | 111111 |
| 15 | **abc123** | abc123 | admin | 1qaz2wsx |
| 16 | **football** | starwars | 121212 | dragon |
| 17 | **123123** | 123123 | flower | master |
| 18 | **monkey** | dragon | passw0rd | monkey |
| 19 | 654321 (new) | passw0rd | dragon | letmein |
| 20 | !@#$%^&* (new) | master | sunshine | login |
| 21 | charlie (new) | hello | master | princess |
| 22 | aa123456 (new) | freedom | hottie | qwertyuiop |
| 23 | donald (new) | whatever | loveme | solo |
| 24 | **password1** | qazwsx | zaq1zaq1 | passw0rd |
| 25 | qwerty123 (new) | trustno1 | password1 | starwars |
SplashData analyzed more than five million leaked passwords for this year’s list, noting that most were from users in North America and Western Europe. (They also noted that exposed passwords from hacks of adult websites were not included in the analysis.) Like last year, 18 of this year’s top 25 are repeat offenders, and the variety seen in the new entrants shows users' misguided attempts to add complexity. For example, the seemingly complicated "!@#$%^&*" is simply the “Shift” symbols over numbers 1 through 8 on a standard keyboard.
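To show why shifted symbols add no real complexity, here is a password-screening check that undoes the Shift-key and character-substitution tricks before comparing a candidate with the 2018 list above. It is an added example, not code from SplashData or this article; the function names, the US keyboard layout and the small substitution map are assumptions.

```python
# Added example (hypothetical helper names); blocklist is the 2018 column above.
WORST_2018 = {
    "123456", "password", "123456789", "12345678", "12345", "111111",
    "1234567", "sunshine", "qwerty", "iloveyou", "princess", "admin",
    "welcome", "666666", "abc123", "football", "123123", "monkey",
    "654321", "!@#$%^&*", "charlie", "aa123456", "donald", "password1",
    "qwerty123",
}

# Assumption: US layout, where Shift + number row gives these symbols.
SHIFT_ROW = str.maketrans("!@#$%^&*()", "1234567890")
# Assumption: a small set of look-alike substitutions (passw0rd -> password).
LEET = str.maketrans("0134$@", "oieasa")
# Keyboard rows used to spot "walks" such as qwertyuiop or 654321.
ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def variants(pw):
    """Candidate spellings of pw with the common disguises removed."""
    low = pw.lower()
    unshifted = low.translate(SHIFT_ROW)
    return [low, unshifted, low.translate(LEET), unshifted.translate(LEET)]


def screen(pw):
    """Return a rejection reason, or None if no rule matched."""
    for v in variants(pw):
        if v in WORST_2018:
            return f"matches listed password {v!r}"
    u = pw.lower().translate(SHIFT_ROW)
    # A single repeated character, or a run along one row in either direction.
    if u and (len(set(u)) == 1 or any(u in r or u in r[::-1] for r in ROWS)):
        return "keyboard row walk or repeated character"
    return None


if __name__ == "__main__":
    # Constructed sample inputs
    for sample in ("!@#$%^", "P@ssw0rd", "%^&*()", "correct horse battery staple"):
        print(repr(sample), "->", screen(sample))
```

A None result only means none of these rules matched; it says nothing about the overall strength of the password.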
In speaking about the list, Morgan Slain, SplashData CEO, cautioned, “Hackers have great success using celebrity names, terms from pop culture and sports, and simple keyboard patterns to break into accounts online because they know so many people are using those easy-to-remember combinations.” In fact, it’s estimated that 10% of people have used at least one of this year’s 25 worst passwords, and that nearly 3% have used “123456.”
As you consider your comfort level with 10% of your employees using one (or more) of these passwords to safeguard their accounts, you should also consider what you’re doing to help move the dial on password hygiene. Instead of chalking these behaviors up to laziness, think instead about how daunting a task it is to create, remember, and manage a stable of complex passwords—a stable that only continues to change and expand—while also being told that you can’t reuse passwords or write anything down.
End users will always be the key to proper application of password best practices, and security awareness training remains the best avenue for influencing behaviors and reducing risk. Here are some proactive ways to break the cycle: