Cyber War

Worst Passwords of 2016: Same Story, Different Year

Share with your network!


Outside of locks and keys (which become more antiquated by the minute), perhaps the most basic of all security safeguards is a password. Unfortunately, it seems that “basic” is as far as many people are going in constructing the passwords that are in place to keep very private — and very valuable — data safe.

We reviewed SplashData’s 2015 edition of its “Worst Passwords List” last year…and it seems not much has changed with its 2016 tallies.


‘123456’ and ‘password’ Top the List for the Sixth Year in a Row

Once again, end users have proven that passwords are low on their list of priorities, with “123456” and “password” sitting atop the ranks of the most commonly used passwords — as they have since SplashData first published the list in 2011.

While the 2015 list compiled data from 2 million passwords that were leaked during that year, the 2016 edition was built from a decidedly larger data sample. SplashData based its most recent rankings on more than 5 million passwords posted or advertised for sale on the internet (mainly from North American and Western European users).

Though there were a fair number of newcomers to the ranks (sports terms mainly vacated the list, for example), complexity is once again a missing link. Here’s a look at the top 25 of 2016 (and how they match up to the 2015 list):



 Change from 2015









 Up 2



 Down 1



 Up 2



 Down 2



 Up 5



 Up 1



 Up 12



 Down 2



 Up 9



 Down 1



 Up 10



 Down 1












 Up 6



 Down 3






 Down 4













With three simple variations of the word “password,” basic number combinations, and many dictionary words in the top 25, it’s not terribly surprising that people (including high-ranking officials) keep finding themselves the victims of unauthorized account access. According to SplashData, more than 10% of people use at least one of the top 25 passwords, and nearly 4% use 123456 as their password.

Oh, and should you be taking comfort in the new entrant, “zaq1zaq1”…well, don’t. Z, A, Q, and 1 are simply the keys in the leftmost column on a standard keyboard. So while this might seem like a unique combination on the surface, it’s a common enough pattern to be used by multiple users.

Three Keys to Fixing the Problem

Organizations need to stop assuming that end users understand the issues surrounding weak passwords and credential reuse. Here are a few tips for improving password security within your organization:

Raise Awareness

Though you may frequently read up on cybersecurity news and events, it’s unlikely your end users do the same. It’s important to communicate about password security issues on a regular basis. Make your employees aware that compromised passwords are being sold online to the highest bidders. Explain the potential ripple effects of password reuse. And let them know that hackers have access to software that can break number-only combinations and dictionary-word passcodes in relatively short order.

Also be mindful of your tone; making employees feel like naughty children will only compound your problem. After all, the average end user likely ranks passwords somewhere on the scale between nuisance and necessary evil. People aren’t using — and reusing — simple passwords to make your life more difficult. They are doing it to make their own lives easier.


We can help you raise end-user awareness.


Provide Education

It’s important to recognize that awareness and training are two separate things; just because you tell your users there is a problem doesn’t mean they will understand how to fix it.

To change behaviors, you need to teach your users how to create passwords that are both effective and memorable. In our Password Security interactive training module, we walk users through methods for building better passwords and allow them to practice creating their own. This type of hands-on learning gets them thinking about why certain techniques are better than others and how they can apply personal elements to password creation without being predictable.  

Think Beyond the Password

Security safeguards like two-factor authentication (2FA) and password managers are becoming more commonplace in business and personal settings. And while end users might be resistant to implementing these new methods, awareness and education can help them see that a little extra effort is worth the added security.

As with other security awareness and training activities, it’s to your benefit to be thoughtful about the way you introduce these safeguards to users. Explain the why and the how, using language that non-technical audiences can understand. If possible, provide reference tools that walk users through the steps they need to take to add 2FA or implement a password manager. (These references are helpful for infosec teams as well, as they can be used during initial rollouts and again in the future with new hires or following a mobile device or PC upgrade.)

It’s also to your benefit to think beyond the confines of your organization and provide advice end users can apply in their home lives. Make some suggestions about places they should add 2FA on personal accounts, and offer advice about password managers that have been well-reviewed, are easy to use, and the types of devices they can be used on (iOS vs. Android vs. desktop, for example).

Overall, the more comfortable your users become — and the more empowered they feel to make good decisions — the more secure their personal and corporate data and systems will become.