25 Worst Passwords (Time to Change Them)

You tell your clients all the time about good password policies. You tell your friends and family. You may be able to rattle off in your sleep “unique, long strings of varied characters with multiple numbers, capitals, and special characters.” But just how many people are heeding the call for better security? Has the public started taking cybersecurity seriously?

Well, not really—common passwords and password habits are still pretty bad. But there’s still hope. Much like a glacier, there has been some small, measurable movement in the right direction.

SplashData, a password-management application provider, has released the fifth edition of their annual “Worst Passwords List,” putting the spotlight on the poor password habits of Internet users. Unbelievably, the most terrible—and most common—passwords remain the same: “123456” and “password.”

Despite all of the warnings and notifications that have attempted to permeate the public consciousness, people are still using these risky and unsafe options, leading to the conclusion that they either don’t know or don’t care about the great risk such weak passwords pose to their data.

If you use any of the following passwords, please—PLEASE—go change them now. We’ll wait.

25. starwars (New)
24. passw0rd (New)
23. solo (New)
22. qwertyuiop (New)
21. princess (New)
20. login (New)
19. letmein (Down 6)
18. monkey (Down 6)
17. master (Up 2)
16. dragon (Down 7)
15. 1qaz2wsx (New)
14. 111111 (Up 1)
13. abc123 (Up 1)
12. 1234567890 (New)
11. welcome (New)
10. baseball (Down 2)
9. 1234567 (Up 2)
8. 1234 (Down 1)
7. football (Up 3)
6. 123456789 (Unchanged)
5. 12345 (Down 2) - remind any of you of this classic Spaceballs scene??
4. qwerty (Up 1)
3. 12345678 (Up 1)
2. password (Unchanged)
1. 123456 (Unchanged from 2014)

This list was compiled from over two million leaked passwords over the course of 2015, and some interesting trends have emerged.

First, it appears that users have begun to create longer passwords, perhaps a result of new site requirements that specify as much. In doing so, however, users have managed to render these longer passwords just as useless as shorter ones with perfectly predictable patterns, often dictated by a simple swipe of a finger over the keyboard in one direction.

If Keyboard Cat got a hold of your PC...


image source:

Next, it’s obvious that sports are still top-of-mind among bad-password creators. “Football” and “baseball” are top-ten offenders, but how they are ranked tells an even more interesting story. For the first time, “baseball” has dropped in this lists’ rankings while “football” has risen, leaving one to wonder whether the moniker of “America’s Favorite Pastime” should be passed to a new reigning leader.

Filling out the rest of this list of poor passwords are flights of the fantastic--perhaps the antithesis of a sound cybersecurity strategy but perhaps a good indicator of what’s on the mind of those hitting the Internet. Star Wars permeated pop culture once again in 2015, and words like “solo” (as in Han Solo), “princess” (as in Princess Leia), and “starwars” (As in Star Wars) all made the list. The Force isn’t with these poor passwords, though. There’s also “dragon”—because who doesn’t think dragons are cool—coming in at number 16.

These types of short, searchable, identifiable and specific words are some of the all-time worst for password management, and often used across multiple sites, exponentially putting the user at risk like dominoes falling in a line. Hackers use algorithms to plug in these words as easily as turning a key—all they need is the opportunity.

In a press release, Morgan Slain, CEO of SplashData, said “We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers. As we see on the list, using common sports and pop culture terms is also a bad idea. We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites.”

The company lists three tips for better password security:

  • Use passwords or passphrases of twelve characters or more with mixed types of characters
  • Avoid using the same password over and over again on different websites
  • Use a password manager to organize and protect passwords, generate random passwords and automatically log into websites

What types of poor passwords have you encountered? Is password strength a priority for your clients? Let us know in the comments!

Joseph Tavano is senior copywriter at Continuum. Read more Continuum blogs here.