"123456" Still Reigns Supreme on Worst Passwords List

Published on December 19, 2017
Riviera Beach Pays Nearly $600K to Recover Data after Ransomware Attack

"123456" has once again topped an annual list of the worst passwords created by users in North America and Western Europe. On 19 December, password management provider SplashData released the 2017 edition of its "Worst Passwords of the Year" list. The dataset comprises five million leaked passwords exposed by data security incidents over the course of the year. As reported by Time, the list does not include any credentials from the breach of all three billion Yahoo users' accounts, a compromise which originally occurred in 2013 but the full extent of which emerged in October 2017. Consistent with the past three years' lists, "123456" came in as the worst password used by people living in North America and Western Europe for 2017. Keeper Security's list for 2016 saw "password" register at eighth place. However, SplashData's 2017 compilation reveals that "password" is still (or once again) at Number 2. It got there by beating out other abhorrent password choices including "12345678," "qwerty," and "letmein." Further on down the list, we find some basic alphanumeric combinations, such as "abc123" at Number 15, "trustno1" at Number 25, and "jordan23" at Number 27. There are also plenty of choices like "freedom," "dragon," and even "starwars" that attackers could easily crack using a dictionary-based brute force attack. Here are the 25 worst passwords on SplashData's 2017 list:

  1. 123456
  2. Password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. letmein
  8. 1234567
  9. football
  10. iloveyou
  11. admin
  12. welcome
  13. monkey
  14. login
  15. abc123
  16. starwars
  17. 123123
  18. dragon
  19. passw0rd
  20. master
  21. hello
  22. freedom
  23. whatever
  24. qazwsx
  25. trustno1
Screen-Shot-2017-12-19-at-3.37.54-PM.png

Moral of the story? Many users can still benefit from practicing better password security. They can learn how to do so by following these experts' advice. Once they have those recommendations figured out, they can consider implementing additional security measures like multi-factor authentication (MFA), which is a key step for implementing one of the Center for Internet Security's (CIS) critical security controls (CSCs). You can learn about all 20 of the CSCs and how they work with Tripwire's solutions by clicking here.

Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!