Worst Passwords of 2015: Another Hall of Shame

Share with your network!

We often hear these phrases from people who shy away from security awareness and training:

Everybody already knows what phishing is!

People know better than to leave their devices unlocked!

Anyone who watches the news understands why they need to be careful online!

People obviously know how to create strong passwords!

Um…time to stop pretending that your users “know better.” Because the worst passwords of 2015 have been revealed, and it’s clear that plenty of people have not gotten the message about even the most basic cyber security safeguards.


‘123456’ and ‘password’ Lead the Pack…for the Fifth Time

SplashData’s 2015 edition of its “Worst Passwords List” has once again highlighted the reality that many people just don’t get — or just don’t care about — implementing password best practices. In a bad rerun that is sure to cause heartburn for infosec professionals everywhere, “123456” and “password” are the two most commonly used passwords — as they have since SplashData first published the list in 2011.

This fifth annual password analysis was compiled from more than 2 million passwords that were leaked in 2015. Though some newbies made the list, many linger like ghosts of breaches past — and all in the top 25 are hauntingly simple. Here’s a look at the list and how the rankings compare with 2014:



 Change from 2014









 Up 1



 Up 1



 Down 2






 Up 3



 Down 1



 Up 2



 Down 2









 Up 1



 Up 1






 Down 7



 Up 2



 Down 6



 Down 6



















The vast majority of entries are either all numbers or all letters — a big no-no in the area of password security. Simple words and phrases again find homes on the list, with new Star Wars flavored entries a weak attempt at Jedi mind tricks. Two new entries — “1qaz2wsx” and “qwertyuiop” — seem promising at first blush…until you realize they are simple keyboard sequences (on standard keyboards, they are the first two columns of main keys and the top row of letter keys, respectively). Although these two passwords and a few other longer newbies (like “1234567890”) have character count on their side, they prove the rule that simple, predictable patterns compromise effectiveness.

Why This Needs to Stop – and How to Fix It

Morgan Slain, CEO of SplashData, said of the list, “We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites.”

Note Slain’s stress on limiting password reuse. Why? Because reuse only compounds the problem.

Consider a combination safe analogy: What if there were five safes in a house, but one simple combination — 1 (L), 2 (R), 3 (L), perhaps — worked on all of them? The same idea applies to electronic accounts. If a fraudster figures out that “monkey” is the password on a user’s Gmail account, the next stops are likely to be Amazon, Facebook, and top banking and retail sites. In relatively short order, that user could be facing hefty credit card charges, empty bank accounts, and more. Criminals can also use account logins to commit warranty fraud, as was the case with a recent scam targeting Fitbit, which was made possible in part by consumers’ reuse of passwords across multiple sites.

You might be saying to yourself, My passwords are in good shape, so this doesn’t apply to me. Well, if you’re still reading, you’re concerned on some level, even it isn’t because of your personal passwords. Maybe you’re part of an information security team for a large organization. Maybe you are a business owner and you’re worried about your employees’ access to your systems. Maybe you’re concerned your parents, kids, or friends are not doing all they should to protect themselves (and, by proxy, your personal data and home network). Whatever your worry, here are some tips for helping to eliminate — or at least limit — the use of “bad” passwords:

  • Implement a password policy – Blackberry took action against weak passwords way back in 2012, banning more than 100 simple passcodes on their devices. If you haven’t taken similar steps in your organization, you should. Technical safeguards can help wipe out basic passwords by requiring users to reach a set number of characters and include a number of capital letters, numbers, and/or symbols in each password.
  • Add two-factor authentication (2FA) – This security safeguard is becoming more commonplace in business and personal settings. Some individuals are resistant to it because it adds an additional barrier to access and it can be perceived as a hassle. However, the additional barrier does offer another layer of security. On the business side, it’s a great idea to implement this on particularly valuable access points and assets (like VPNs, corporate email, back-end website development tools, etc.). On the personal side, 2FA can help safeguard accounts and applications that hold a lot of important data, like email, social media, banking sites, etc.
  • Educate users – If you’ve been shaking your head about SplashData’s reports over the past few years but you’ve never taken the time to share them or explain the problems associated with weak passwords…well, it’s unlikely the top 25 will change that much for many years to come. It’s critical that uninformed users understand the risks and be given the advice they need to learn how to create and manage complex, secure passwords.


How well do your users understand password management? Evaluate their knowledge using our CyberStrength® tool and follow those assessments with our interactive training. We can teach your users how to create secure password families and phrase-based passwords — and help you reduce risk to your organization.