Worst Passwords of 2018: Bad Behaviors Continue

January 11, 2019
Gretel Egan

Bad passwords … they are a gateway to account compromise, but users continue to opt for easy-to-remember options rather than creating strong, unique credentials. We've been reviewing SplashData’s annual “Worst Passwords List” for several years, and we've seen too much similarity for comfort from year to year. Though we saw some newcomers to 2018’s rankings, “123456 and password continue their undisputed reign (as they have for eight consecutive years).

Below, we present the top 25 passwords from the past four rankings. The 2018 passwords in red have been in the top 25 at least twice since 2015 (though most of these are third- or even fourth-time offenders). Weve also noted passwords that have not been in the top 25 before. One trend we noted: a resurgence in popularity of some passwords (like 111111 and sunshine) that haven't been among the top ranks since 2015 or 2016.

 Rank

2018

 2017

 2016

2015

 1

123456

123456

 123456

123456

 2

password

password

 password

password

 3

123456789

12345678

 12345

12345678

 4

12345678

qwerty

 12345678

qwerty

 5

12345

12345

 football

12345

 6

111111

123456789

 qwerty

123456789

 7

1234567

letmein

 1234567890

football

 8

sunshine

1234567

 1234567

1234

 9

qwerty

football

 princess

1234567

 10

iloveyou

iloveyou

 1234

baseball

 11

princess

admin

 login

welcome

 12

admin

welcome

 welcome

1234567890

 13

welcome

monkey

 solo

abc123

 14

666666 (new)

login

 abc123

111111

 15

abc123

abc123

 admin

1qaz2wsx

 16

football

starwars

 121212

dragon

 17

123123

123123

 flower

master

 18

monkey

dragon

 passw0rd

monkey

 19

654321 (new)

passw0rd

 dragon

letmein

 20

!@#$%^&* (new)

master

 sunshine

login

 21

charlie (new)

hello 

master

princess

 22

aa123456 (new)

freedom 

hottie

qwertyuiop

 23

donald (new)

whatever 

loveme

solo

 24

password1

qazwsx 

zaq1zaq1

passw0rd

 25

qwerty123 (new)

trustno1 

password1

starwars

SplashData indicated that it analyzed more than five million leaked passwords for this years list, and that most were from users in North America and Western Europe. (The organization did note, however, that exposed passwords from hacks of adult websites were not included in the analysis.) Like last year, 18 of this years top 25 are repeat offenders, and the variety noted in the new entrants show users misguided attempts to add complexity. For example, the seemingly complicated !@#$%^&* is simply the Shift symbols over numbers 1 through 8 on a standard keyboard. 

In speaking about the list, Morgan Slain, SplashData CEO, cautioned, Hackers have great success using celebrity names, terms from pop culture and sports, and simple keyboard patterns to break into accounts online because they know so many people are using those easy-to-remember combinations. In fact, its estimated that 10% of people have used at least one of this years 25 worst passwords, and that nearly 3% have used 123456.”

As you consider your comfort level with 10% of your employees using one (or more) of these passwords to safeguard their accounts, you should also consider what youre doing to help move the dial on password hygiene. Instead of chalking these behaviors up to laziness, think instead about how daunting a task it is to create, remember, and manage a stable of complex passwords — a stable that only continues to change and expand  while also being told that you can’t reuse passwords or write anything down.

End users will always be the key to proper application of password best practices, and security awareness training remains the best avenue for influencing behaviors and reducing risk. We recommend making users aware of the importance of good password hygiene; providing interactive training about the techniques they can use to create and remember more complex password constructions; and offering guidance and recommendations about the extra tools (like password managers and multi-factor authentication) that can help them protect their data and yours.