For the eighth year in a row, password management security company SplashData has scraped password dumps to find the worst passwords of the year. The company evaluated more than 5 million passwords leaked on the internet, excluding hacks of adult websites. This year, 'donald' has moved into the list of top 25 passwords, presumably a reference to President Donald Trump.
Sure enough, the bad passwords of 2018 looked much like the bad passwords of 2017. The top two slots were unchanged: “123456” and “password” remained in first and second place. And like last year, SplashData estimated that almost 3 percent of people have used the worst password, and nearly 10 percent used one of the top 25 worst passwords.
Additional repeat offenders epitomized predictability. They included ‘123456789,’ ‘12345678,’ ‘12345,’ ‘1234567,’ ‘qwerty,’ ‘iloveyou,’ ‘admin,’ ‘welcome,’ ‘abc123,’ ‘football,’ ‘123123,’ and ‘monkey.’
But there were some changes on this year’s list… primarily numeric strings and such, but also ‘sunshine’ (#8), ‘princess’ (#11), ‘charlie’ (#21) and ‘donald’ (#23). Other new passwords this year were ‘111111,’ ‘666666,’ ‘654321,’ ‘!@#$%^&,’ ‘aa123456,’ ‘password1’ and ‘qwerty123.’ These replaced last year’s ‘letmein,’ ‘login,’ ‘starwars,’ ‘dragon,’ ‘passw0rd,’ ‘master,’ ‘hello,’ ‘freedom,’ ‘whatever,’ ‘qaxwsx,’ and ‘trustno1.’
SplashData, Inc. CEO Morgan Slain, who was unsure who ‘Charlie’ was, said the biggest surprise was how slowly people’s behavior is changing as far as bad passwords go. “One of the reasons that we put this list out every year is to keep highlighting, ‘hey everybody, you’re putting yourself at risk by using these familiar, weaker passwords over and over again,’” he said.
It seems surprising in this day and age that sites would even allow passwords with all-lowercase letters and no numbers or symbols.
“Often these leaked passwords are from sites that have by definition weaker security, so either they don’t have those restrictions in place or maybe they’re an older site and these are older passwords,” said Slain. “It could be one or the other or both: weak security on the website or grandfathered-in old passwords that have never been changed based on the old policies. We hope that most robust sites and more recent sites would require stronger passwords, but they don’t always.”
Last year, people tweaked the password “password” by adding a zero instead of the letter O. This year, users seem to have gone full nihilist and didn’t even attempt this (useless) tweak.
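As an added example, not from the article or from SplashData, here is one way a site could enforce the kind of restriction Slain describes: a sign-up check that rejects the passwords named in this piece and their trivial tweaks, such as appending a digit or swapping a zero for the letter O. The denylist below is constructed from the words quoted in the article; a production deployment would load a full breached-password corpus instead.

```python
import re

# Constructed denylist: the passwords named in this article, lowercased.
# A real deployment would use a much larger breached-password corpus.
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "12345678", "12345", "1234567",
    "qwerty", "iloveyou", "admin", "welcome", "abc123", "football",
    "123123", "monkey", "sunshine", "princess", "charlie", "donald",
    "111111", "666666", "654321", "!@#$%^&", "aa123456", "password1",
    "qwerty123", "letmein", "login", "starwars", "dragon", "passw0rd",
    "master", "hello", "freedom", "whatever", "trustno1",
}

# Character swaps people use to "tweak" a banned word (passw0rd, p@ssword, pa55word).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def stem(pw: str) -> str:
    """Reduce a password to the base word a user started from:
    lowercase, drop a trailing run of digits/symbols, undo leetspeak."""
    s = pw.lower()
    s = re.sub(r"[\d!@#$%^&*._-]+$", "", s)   # password1 -> password, qwerty123 -> qwerty
    return s.translate(LEET)                  # passw0rd -> password


# Stems of the banned words; purely numeric/symbolic entries stem to nothing
# (or to a very short string) and are covered by the exact-match check instead.
COMMON_STEMS = {stem(p) for p in COMMON_PASSWORDS if len(stem(p)) >= 4}


def reject_reason(pw: str):
    """Return why a candidate password is unacceptable, or None if it passes."""
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        return "on the common-password list"
    if stem(low) in COMMON_STEMS:
        return "trivial variant of a common password"
    if len(pw) < 8:                            # minimum length (assumed policy)
        return "too short"
    return None


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd!", "Sunshine2018", "correct horse battery staple"]:
        print(f"{candidate!r}: {reject_reason(candidate) or 'accepted'}")
```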
Password advice hasn’t changed any more than people’s proclivity for awful, predictable passwords, but we’ll repeat it again: use unique passphrases for each account (so if one is hacked, you only have to change that password instead of 50 of them), and use a password manager to generate and store your passwords. Setting up two-factor authentication, especially when it’s generated on a phone app like Google Authenticator or on a small hardware device like a YubiKey, can add an extra layer of security.
The complete list of the 25 most common passwords SplashData found this year follows below: