The Worst Password of the Year Award Goes to…

Every year, a list of the most commonly used passwords is released and, every year, it looks a bit…similar. Despite a hair-raising number of data breaches and cybercrimes in 2017, people still choose lazy cybersecurity over difficult-to-guess passwords.

Ok, time to get to this year’s winner — drumroll, please. The most popular password of 2017 was… “123456.” The next most popular password was “password.” These two easily guessable passwords are the reigning champs of the worst password list, and it doesn’t look like they’re going to give up that position anytime soon.

The “worst password list,” released annually by SplashData, is calculated from more than five million stolen passwords found online in North America and Europe. Morgan Slain, CEO of SplashData, says his firm doesn’t buy or decrypt any lists of stolen credentials but scrapes them from online lists. 

Some of the newer passwords popping up in this year’s list include the highly original “starwars,” “123456789,” and “iloveyou.” Star Wars may be a great movie franchise but it’s an incredibly weak password.     

Slain shares our concerns:

"Over time, people still don't seem to be adopting better password hygiene. This [list] is to encourage people to take passwords more seriously and realize how sharing passwords or using the same one can expose you to risk."

A noticeable trend in the list is that many of the passwords are interest-based, making them easier for cybercriminals to guess. For example, if you’re posting on social media about the new Star Wars movie, it’s not out of the realm of possibility that criminals guess your password is “starwars.”

According to SplashData, about 10% of web users have employed at least one of the top 25 worst passwords on the 2017 list, with 3% having chosen the infamous number one password, "123456." 

SplashData offers password tips to protect yourself from hackers online: 

  1. Use passphrases of twelve characters or more with mixed types of characters including upper and lower cases. 
  2. Use a different password for each of your website logins. If a hacker gets your password they will try to access other sites with it. 
  3. Protect your assets and personal identity by using a password manager, like LastPass, to organize login credentials, generate secure random passwords, and automatically log into websites.

The 25 Worst Passwords of 2017

We believe that our readers are smarter than the average Joe when it comes to cybersecurity. Below is the complete list of 2017’s worst passwords and while we’re sure none of your passwords made the list, go ahead and double check your accounts against them to ensure your online accounts are difficult for criminals to access in 2018.  

1 - 123456 (rank unchanged since 2016 list) 
2 - password (Unchanged) 
3 - 12345678 (Up 1) 
4 - qwerty (Up 2) 
5 - 12345 (Down 2) 
6 - 123456789 (New) 
7 - letmein (New) 
8 - 1234567 (Unchanged) 
9 - football (Down 4) 
10 - iloveyou (New) 
11 - admin (Up 4) 
12 - welcome (Unchanged) 
13 - monkey (New) 
14 - login (Down 3) 
15 - abc123 (Down 1) 
16 - starwars (New) 
17 - 123123 (New) 
18 - dragon (Up 1) 
19 - passw0rd (Down 1) 
20 - master (Up 1) 
21 - hello (New) 
22 - freedom (New) 
23 - whatever (New) 
24 - qazwsx (New) 
25 - trustno1 (New)
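
As an added example (not from SplashData or the original article), the audit below applies the tips above to a password vault: it flags entries on the 2017 list, including trivial decorations such as look-alike characters or trailing digits, entries shorter than twelve characters, and reuse across sites. The look-alike map, the function names, and the sample vault are assumptions constructed for illustration.

```python
import re
import unicodedata
from collections import defaultdict

# The 25 entries from the list on this page.
WORST_2017 = frozenset(
    "123456 password 12345678 qwerty 12345 123456789 letmein 1234567 football "
    "iloveyou admin welcome monkey login abc123 starwars 123123 dragon passw0rd "
    "master hello freedom whatever qazwsx trustno1".split()
)
MIN_LENGTH = 12  # tip 1: twelve characters or more
# Assumption: a small look-alike map, so "P@ssw0rd" is compared as "password".
_LOOKALIKES = str.maketrans("0134578@$!", "oleastbasi")
_BLOCKED = WORST_2017 | {w.translate(_LOOKALIKES) for w in WORST_2017}


def on_worst_list(password: str) -> bool:
    """True if the password, or a trivial decoration of it, is on the list."""
    base = unicodedata.normalize("NFKC", password).casefold()
    forms = {
        base,
        re.sub(r"[\W_]+$", "", base),    # "123456!"     -> "123456"
        re.sub(r"[\W\d_]+$", "", base),  # "Dragon2018!" -> "dragon"
    }
    forms |= {f.translate(_LOOKALIKES) for f in forms}
    return any(f in _BLOCKED for f in forms)


def audit(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each site to its findings; sites with no findings are omitted."""
    sites_by_password = defaultdict(list)
    for site, pw in vault.items():
        sites_by_password[pw].append(site)
    findings = defaultdict(list)
    for site, pw in vault.items():
        if on_worst_list(pw):
            findings[site].append("on worst-password list")
        if len(pw) < MIN_LENGTH:
            findings[site].append(f"shorter than {MIN_LENGTH} characters")
        shared = [s for s in sites_by_password[pw] if s != site]
        if shared:  # tip 2: a different password for each login
            findings[site].append("reused on " + ", ".join(sorted(shared)))
    return dict(findings)


# Constructed sample vault (not real credentials).
SAMPLE = {
    "mail.example": "P@ssw0rd", "shop.example": "Dragon2018!",
    "bank.example": "Dragon2018!", "forum.example": "Maple-Kettle-Orbit-72",
}
```

Calling `audit(SAMPLE)` reports the first three sites and omits `forum.example`, whose passphrase passes all three checks.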