In spite of everything—the leaks, the breaches, the myriad privacy risks—a large majority of people are still using “password” and “123456” as their password. Folks, it’s long past time to stop taking security shortcuts.
Security services firm SplashData has released its ninth annual Worst Passwords of the Year list, which assesses more than 5 million leaked passwords to determine those most commonly shared by hackers. This year’s list has revealed that people are still using easily guessable and common passwords to guard their data, including those frequently cited in past reports as being particularly susceptible to attacks.
While “password” fell two spots on this year’s list compared to last year’s, it remains in the top five—along with “123456″ and “123456789.” There are some newcomers to the list, such as “qwertyuiop” and various repeated number sequences like “7777777,” however the report notes that even passwords that appear complicated are rather created used keys situated next to each other on the keyboard. It adds that using these types of passwords “may seem to be complex but will not fool hackers who know millions of people use them.”
Behold, the worst of the worst:
1 – 123456 (rank unchanged from 2018)
2 – 123456789 (up 1)
3 – qwerty (Up 6)
4 – password (Down 2)
5 – 1234567 (Up 2)
6 – 12345678 (Down 2)
7 – 12345 (Down 2)
8 – iloveyou (Up 2)
9 – 111111 (Down 3)
10 – 123123 (Up 7)
11 – abc123 (Up 4)
12 – qwerty123 (Up 13)
13 – 1q2w3e4r (New)
14 – admin (Down 2)
15 – qwertyuiop (New)
16 – 654321 (Up 3)
17 – 555555 (New)
18 – lovely (New)
19 – 7777777 (New)
20 – welcome (Down 7)
21 – 888888 (New)
22 – princess (Down 11)
23 – dragon (New)
24 – password1 (Unchanged)
25 – 123qwe (New)
“Our hope by publishing this list each year is to convince people to take steps to protect themselves online, and we think these and other efforts are finally starting to pay off,” SplashData CEO Morgan Slain said in a statement. “We can tell that over the years people have begun moving toward more complex passwords, though they are still not going far enough as hackers can figure out simple alphanumeric patterns.”
Data breaches are, unfortunately, an inevitability. But using strong, unique passwords for each of your accounts can prevent a bad actor from using the leaked credentials of one login to access various other accounts. The easiest way to do this with a password manager, which will randomly generate unique passwords for all of your accounts and store them for you so that you aren’t tempted to recycle common, similar, or otherwise weak passwords for your accounts—be it for your bank or Netflix. Everyone should also enable two-factor authentication everywhere it’s available, preferably using an authentication app (which is baked into many password managers).
And for the love of god, please stop using “password” as your password—no matter the account.