

Too Many People Are Still Using ‘Password’ as a Password

'Starwars' was another popular and bad choice for passwords this year.

For the seventh year in a row, password management security company SplashData has scraped password dumps to find the year’s worst passwords. This year’s research was drawn from over five million leaked passwords, not including those on adult sites or from the massive Yahoo email breach. The passwords were mostly held by users in North America and Western Europe.

SplashData estimates that nearly 10 percent of people have used at least one of the 25 worst passwords on this year’s list, and almost 3 percent used the worst password, ‘123456’. ‘Password’ was the second most popular password.


Other numeric passwords that weren’t new to the list were ‘12345678’ in third place, ‘12345’ at number five, and ‘1234567’ in seventh place. But there were some new, more creative (or, you know, not) variations: ‘123456789’ (in sixth place), and ‘123123’ in 17th.

Additional repeat offenders include a handful of very obvious words: ‘qwerty,’ ‘football,’ ‘admin,’ ‘welcome,’ ‘login,’ ‘abc123,’ ‘dragon,’ ‘passw0rd,’ and ‘master.’ But there were some new passwords on the top 25 list this year, including ‘letmein,’ ‘iloveyou,’ ‘monkey,’ ‘starwars,’ ‘hello,’ ‘freedom,’ ‘whatever,’ ‘qazwsx’ (from the two left columns on a standard keyboard), and ‘trustno1.’ The new passwords replaced 2016's ‘123456790,’ ‘princess,’ ‘1234,’ ‘solo,’ ‘121212,’ ‘flower,’ ‘sunshine,’ ‘hottie,’ ‘loveme,’ ‘zaq1zaq1,’ and ‘password1.’

Many people wrongly assume that adding a zero instead of the letter O will make their passwords more secure, but, as SplashData CEO Morgan Slain is quick to point out in a press release, “hackers know your tricks, and merely tweaking an easily guessable password does not make it secure.” Additionally, Slain points out that attackers are quick to use common pop culture terms to break into accounts online, in case you thought you were the only Star Wars fan.

Password advice hasn’t changed any more than people’s proclivity for horrible reused passwords, but here’s a quick refresher: think complex pass phrases rather than simple pass words, and create unique passwords for every account. Reusing passwords on multiple accounts leaves all of them vulnerable: if one account is compromised, attackers can test out that password on all of your other accounts. Memorizing unique passwords for dozens of accounts ain’t easy, though, so storing passwords in a password manager will let the tech do the heavy lifting. It won’t just make you more secure, it will simplify your life as the manager can fill password forms for you.



Unfortunately, much of the oft-repeated advice on passwords is incorrect, including the feedback from login forms that compliment users on their supposedly strong passwords. A 2015 research study from Concordia University showed that the strength ratings given by password meters on popular websites and in password managers were highly inconsistent. The meters may even lead users astray and provide a false sense of confidence: they rely on length, variety of characters, and sometimes common words or weak patterns, but they fail to identify other weak patterns and do not account for replacing letters with similar numerical characters, for example, even though any malicious hacker worth their salt certainly would.

“In our large-scale empirical analysis, it is evident that the commonly-used meters are highly inconsistent, fail to provide coherent feedback, and sometimes provide strength measurements that are blatantly misleading,” the study read.

In addition to using a good passphrase (whether that’s a ≥12-character passphrase with various symbols, letters, and numbers or a seven-word diceware phrase), setting up two-factor authentication on your email accounts is a good idea. 2FA will add an extra layer of security by asking for a second factor in addition to a username and password to prove your identity. As digital freedom non-profit organization Access Now points out, 2FA via SMS has many drawbacks, ranging from shoulder surfing to the possibility of attackers hijacking messages by counterfeiting SIM cards or infiltrating mobile carriers, and the vulnerability of mobile networks themselves. Codes generated on phone apps like Google Authenticator or on a small hardware device like a YubiKey are generally better bets than SMS messages.

Having 2FA enabled makes it far more difficult for an attacker to access your account. This is of particular importance on email accounts since malicious actors can typically reset all other passwords from an email account. Having 2FA set up on your email account can stop that—unless the attacker can crack your easy, awful password anyway, that is.

The complete list of the 25 most common passwords this year follows below:

  • 123456
  • Password
  • 12345678
  • qwerty
  • 12345
  • 123456789
  • letmein
  • 1234567
  • football
  • iloveyou
  • admin
  • welcome
  • monkey
  • login
  • abc123
  • starwars
  • 123123
  • dragon
  • passw0rd
  • master
  • hello
  • freedom
  • whatever
  • qazwsx
  • trustno1
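
The weakness the Concordia study found in strength meters, shown as an added example (not code from the article, SplashData, or the study): a meter that scores only length and character variety rates trivial variants of the listed passwords as strong, while a check that undoes look-alike substitutions and compares against the list above rejects them. The substitution table and function names are assumptions made for this illustration.

```python
import re

# The 25 passwords from the list above, lowercased.
WORST_25 = """123456 password 12345678 qwerty 12345 123456789 letmein 1234567
football iloveyou admin welcome monkey login abc123 starwars 123123 dragon
passw0rd master hello freedom whatever qazwsx trustno1""".split()

# Look-alike characters mapped back to letters. Assumed table for this
# example; it is deliberately small.
LOOKALIKES = str.maketrans("0134579@$!", "oleastgasi")


def normalize(pw):
    """Lowercase and undo look-alike substitutions ('P@ssw0rd' -> 'password')."""
    return pw.lower().translate(LOOKALIKES)


def strip_suffix(pw):
    """Drop trailing digits and symbols ('Starwars2017!' -> 'Starwars')."""
    return re.sub(r"[\W\d_]+$", "", pw)


# Normalize the list itself so both sides are compared in the same form.
BLOCKED = {normalize(p) for p in WORST_25}


def naive_meter(pw):
    """Score on length and character variety only, as the article describes."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[\W_]")
    classes = sum(bool(re.search(rx, pw)) for rx in patterns)
    return "strong" if len(pw) >= 8 and classes >= 3 else "weak"


def blocklist_hit(pw):
    """Return the listed password that pw is a trivial variant of, else None."""
    for candidate in (pw, strip_suffix(pw)):
        key = normalize(candidate)
        if candidate and key in BLOCKED:
            return next(p for p in WORST_25 if normalize(p) == key)
    return None


# Constructed sample inputs: each passes the naive meter but is a listed variant.
for sample in ("P@ssw0rd!", "Starwars2017!", "Tru5tN01"):
    print(sample, naive_meter(sample), "variant of", blocklist_hit(sample))
```
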