Another day, another site demanding that you make a new account to view its content. And that means another new password to come up with.
Sure, you could use the same password you used on the last site that put you through this.
But you’ve heard that that’s not a good idea, so you try to come up with something unique.
A string of random characters, a few unrelated words, a bizarre phrase… whatever you choose, we commend you.
That’s because you’ve avoided using any of the web’s most popular passwords.
These passwords may win the popularity contest, but they completely flunk the security test. Lazy, easy-to-guess and just plain terrible, they’re so insecure you might as well not have a password at all.
If a hacker tries to steal your accounts, these will be the first passwords he tries. Don’t make his job any easier — avoid these popular passwords at all costs!
Instead, follow our best password practices and hacker-proof your online presence. A few minutes now will save you hours of headaches in the future.
The Most Popular Passwords
Various organizations publish annual lists of the most common (that is, worst) passwords.
For the most part, these lists are pretty predictable. And that serves to illustrate their point: anyone could guess these passwords.
Here are three of these lists and the methodologies used to compile them.
If your password is on them, go change it immediately to literally anything else. Then come back, read our password security guide and learn how to truly secure your login details.
SplashData’s 100 Worst Passwords of 2018
Every year, SplashData, a company that makes password managers, publishes a list of the 100 most popular passwords.
The accompanying statistics are a little terrifying: around 10% of people have used one of the 25 worst passwords. 3% have used the #1 worst password — astonishing and unbelievably dangerous.
SplashData compiled the list by analyzing the millions of passwords that were leaked in data breaches.
They certainly had plenty to work with: in 2018, 446.52 million records were leaked in the USA alone.
Let’s take a look at the 25 worst passwords on SplashData’s 2018 list:
1. 123456
2. password
3. 123456789
4. 12345678
5. 12345
6. 111111
7. 1234567
8. sunshine
9. qwerty
10. iloveyou
11. princess
12. admin
13. welcome
14. 666666
15. abc123
16. football
17. 123123
18. monkey
19. 654321
20. !@#$%^&*
21. charlie
22. aa123456
23. donald
24. password1
25. qwerty123
Analyzing SplashData’s Worst Passwords
There are a few clear trends here: rows of keys (qwerty, 123456, !@#$%^&*) make for easy entry, no doubt.
A couple of variations (12345678, qwerty123, aa123456) are clearly designed to appease the 8-character minimum imposed by many websites.
We’ve also got the ever-present default passwords: password, admin, welcome. Laziness or ignorance has prevented millions of people from changing their passwords from their default states — yikes!
Evidently, some folks change their password to a simple word or phrase (monkey, football, iloveyou) and think that’s enough.
Obviously it’s not, as millions of others had the exact same idea.
And we appear to have a couple of real names (donald, charlie) and pet names (sunshine, princess) in wide circulation as well.
The only real surprise is the new addition of 666666. A sign of the devil rising, a reflection of the population’s disdain for the state of the world — or, more likely, mere laziness.
SplashData’s full list of the 100 worst passwords reveals some other interesting trends.
More common names (daniel, joshua, hannah, thomas, jessica, george) populate the top 50. Other names sound like they may belong to beloved pets: shadow, buster, bailey, ginger, tigger and harley make the list, too.
Some popular passwords indicate exasperation with the concept of passwords: letmein, blahblah, whatever, trustno1, biteme.
A few are meager riffs on other common passwords: querty, 1qaz2wsx, zaq1zaq1.
Years (1991, 1990, 1989), cars (mercedes, corvette, ferrari), sports (baseball, lakers, maverick, liverpool, hockey) and a few wild cards (starwars, cheese, killer, pussy) round out the top 100.
The National Cyber Security Centre’s List of 2019’s Worst Passwords
The UK’s National Cyber Security Centre (NCSC) collaborated with Troy Hunt of breach database HaveIBeenPwned to compile a list of 2019’s most common passwords.
HaveIBeenPwned’s collection of leaked passwords covers over 100 million passwords. There are over 23 million instances of the password 123456 in that collection!
After analyzing all those passwords, the NCSC came up with a list of the top 100,000 common passwords (TXT file link). But we’ll just share the top 20 with you now.
1. 123456
2. 123456789
3. qwerty
4. password
5. 1111111
6. 12345678
7. abc123
8. 1234567
9. password1
10. 12345
11. 1234567890
12. 123123
13. 000000
14. iloveyou
15. 1234
16. 1q2w3e4r5t
17. qwertyuiop
18. 123
19. monkey
20. dragon
Analysing the NCSC’s 20 Worst Passwords
This is the most recent list of common passwords out there. And it just goes to show that we haven’t gotten any better about our use of bad passwords.
Variations on qwerty and 123456 make up the bulk of this list. Old habits die hard, apparently.
Surprisingly, there are a few super-short passwords, too: 123, 1234 and 12345.
Even the least secure websites usually require at least six characters for passwords. So the prevalence of these three-, four- and five-digit ones is quite shocking.
It’s evidence that it’s not just users who are perpetuating bad passwords — it’s websites, too.
Other than password, qwerty and their ilk, the only non-numeric passwords here are iloveyou, monkey and dragon. Dragon is a little unexpected, with nearly 1 million appearances on HaveIBeenPwned.
Nerdy enough to use “dragon” as a password, not nerdy enough to know that that’s a bad idea.
Interesting, but dangerous nonetheless. A real dragon might pose less of a threat than this password!
Keeper’s 25 Most Common Passwords of 2016
Password manager Keeper’s list of common passwords is from a few years ago. It was compiled back in 2016 from over 10 million of that year’s leaked passwords.
But it still illuminates a lot about our password choices and habit, plus some very interesting bot activity.
These 25 passwords comprised over 50% of the 10 million+ leaked passwords (PDF link).
The #1 password comprised nearly 17% of those 10 million — absolutely jaw-dropping.
So, without further ado… Keeper’s 25 most common passwords.
1. 123456
2. 123456789
3. qwerty
4. 12345678
5. 111111
6. 1234567890
7. 1234567
8. password
9. 123123
10. 987654321
11. qwertyuiop
12. mynoob
13. 123321
14. 666666
15. 18atcskd2w
16. 7777777
17. 1q2w3e4r
18. 654321
19. 555555
20. 3rjs1la7qe
21. google
22. 1q2w3e4r5t
23. 123qwe
24. zxcvbnm
25. 1q2w3e
Analyzing Keeper’s Worst Passwords
As on the other lists, 123456 takes first place. Other, longer variations (123456789, 12345567890, 987654321) are also present — again, likely due to 8-character minimums.
Once again, password and qwerty assume two of the top spots.
The latter has a few interesting yet equally insecure mutations as well: qwertyuiop, 1q2w3e4r, 1q2w3e4r5t and bottom-row counterpart zxcvbnm.
Devilishly stupid 666666 is joined by fellow long-presses 111111, 555555 and 7777777. We’ve got to hand it to that last one — at least there’s 7 of them!
A couple of these — google, mynoob — would be funny if they weren’t so awful.
But what about oddballs 3rjs1la7qe and 18atcskd2w? Those don’t follow any apparent pattern and seem more secure than the rest of these passwords, so what gives?
According to cybersecurity expert Graham Cluley, these two passwords are commonly used by bots to set up spam emails.
Automated software creates account after account on free email sites, using the same password for efficiency’s sake. These dummy accounts are then used to send phishing or spam emails.
And when those email providers got hacked, the thousands of bot accounts using those two passwords were included in the leak.
It goes to show how many bot emails are out there — enough for them to make Keeper’s worst password list.
Best Password Practices
We hope it’s obvious that you should never use any of the passwords on the above lists.
They’ll be the first ones automated hacking bots try when attempting to access your accounts. But they won’t stop there.
It’s critical that you engage in these best practices when creating passwords. Failing to follow them could very well result in account lockouts, compromised data and even identity theft.
Avoid Dictionary Words and Other Common Passwords
Once a hacker goes through the most common “123456”-type passwords, it’s time to try a dictionary attack.
Dictionary attacks enter common words, names, places and dates into the password field rapidly. There are tens of thousands of these, but for an automated program, the process takes mere minutes.
That means that your kid’s birthdate, your favorite vacation spot and that random word you picked out of the dictionary are almost as insecure as “qwerty” is.
And no, combining your kid’s birthdate with her name doesn’t help.
Adding two common passwords together doesn’t result in one secure password. Hackers are sophisticated enough to easily crack such “combination” passwords.
But as we’re about to see, that doesn’t mean that your passwords need to be impossible to memorize.
Use Long Passwords (Even If They’re Simple)
Your password doesn’t even need to make sense for it to be highly crackable. It could be total gibberish and still be compromised in the blink of an eye.
That’s because when it comes to password cracking, length is what really makes a difference.
An average desktop computer with a decent GPU could crack an 8-digit alphanumeric (uppercase and lowercase) password in around 5 days.
But most hackers have more gear than that. And that additional gear reduces password cracking times significantly.
Any ten-digit alphanumeric (uppercase and lowercase) password could take an experienced hacker just 2 hours to crack. Replace one digit with a special character and you buy yourself a week — but that’s it.
But increase that password to 11 digits (without special characters) and it’ll take six days to crack. And if one of those 11 digits is a special character, you’re looking at a two-year crack time!
Now bump that password up to 12 digits with a special character. It’ll take 64 years to crack — that hacker might not even be alive by the time the crack succeeds!
And that’s all assuming that the hacker is using top-of-the-line equipment or harnessing the power of a botnet. It’ll take an average Joe hundreds of times longer to perform those operations.
Believe it or not, the 24-character “#MyCatsnameisFluffy$1314” is 95 times stronger than the 23-character “g*45HU@$cjg04L%snf8&n5F”!
It’s both more memorable and more secure than the gibberish password, thanks to that one extra digit.
You should still try not to use common “dictionary attack” passwords as we discussed previously.
But more importantly, make your passwords long — 16 characters or longer is ideal.
Ignore “Password Strength” Meters
Those little meters next to password fields that gauge your password strength?
They’re pointless.
A site may describe an eight-character alphanumeric password as secure, but as we’ve seen, it’s really not.
Many sites require passwords to be 8-16 characters and contain numbers, lowercase and uppercase letters and, occasionally, a special character.
But eight characters isn’t secure enough even with a special character in there.
Special characters should always be allowed.
And 16 characters should really be the minimum length, not the maximum. There shouldn’t even be a maximum length!
Bottom line: websites maintain these requirements to appease lazy or unaware users who don’t want to create longer passwords. Don’t fall for their false assurances of security.
Always make your password as long as you can and use all types of allowed characters multiple times.
And if you’re up for it, contact the sites you see with these subpar password requirements and encourage them to change.
Send them a link to this article or some of the stats we’ve referenced if they need more convincing!
Enable Two-Factor Authentication
Some sites and apps are beginning to implement two-factor authentication. You may have seen it on Google, Facebook or your banking website.
Basically, two-factor authentication supplements your password with another authentication step before letting you into your account.
You’ll still need your password, but that alone won’t be enough to access your account.
When you break it down, there are three forms of authentication: something you know, something you have and something you are.
Your password counts as “something you know”. Two-factor authentication bring one of the other two types into play.
“Something you have” is generally another device, like your smartphone.
You enter your password, then the website sends a push notification or SMS to your phone with a verification code.
In order to proceed, you need to enter that code into the website. That way, if someone knows your password but doesn’t have your phone, they’re out of luck.
Other things that count as “something you have” include apps like Google Authenticator and special USB keys like YubiKey.
What about “something you are?” Well, fingerprint and face IDs are increasingly common.
Even if someone has your password, they’re screwed without your fingerprint or face, which only you possess. That’s “something you are” if ever there was one!
So combine your password with a fingerprint, facial recognition, a phone or another device and voila! You’re two-factor authenticated, and all the more secure for it.
We recommend enabling two-factor authentication whenever possible. More and more sites are supporting it, and it’s only a matter of time before it becomes the norm.
Monitor the Internet for Password Leaks
Good news: current recommendations from the National Institute of Standards and Technology don’t require or even suggest regular password changes. Once a year is still wise, but not strictly necessary.
But if your password gets leaked in a data breach, you’ll need to change it immediately.
Companies are supposed to notify consumers promptly of any data breaches. But if your contact info with that company is outdated, you might not get that notification.
That’s why it’s important to check sites like HaveIBeenPwned regularly. Enter your email address and you’ll find out if any of your accounts have had their passwords leaked.
If you do show up on the leak list, change the affected password immediately.
For automatic leak alerts, services like Norton Dark Web Monitoring and Avast Hack Check do the legwork for you and email you if your password is leaked.
Chrome and Firefox also now have similar features built in.
Don’t Reuse Passwords
We know it’s tough to remember tons of different passwords for every site you use. The temptation to use the same password on multiple sites is strong.
If you do it, you’re not alone: 61% of internet users reuse their passwords on more than one site.
But if one of those sites gets hacked and your password is exposed, the hacker has access to all your other accounts as well. Password reuse has the potential to cause damage far beyond one individual site.
At an absolute minimum, use a different password for your email account than for other sites. If your email is hacked, all of your other accounts will go down with it.
That’s because with access to your email, a hacker can perform password resets on other sites.
The same goes for other sites that contain sensitive information. Each banking site, social media site and online retail site must have its own password.
But really, every site should have a different password whether or not it contains sensitive data.
And as we’ll see in the next step, that’s nowhere near as difficult as it sounds.
Use a Password Manager
Remembering hundreds of unique passwords would take a ridiculous amount of brainpower. But with a password manager, you only need to remember one.
A password manager encrypts and stores all of your passwords for all of your sites and apps.
It then autofills them when needed. Many do the same for credit cards and other data, too.
Just enter your master password (which should be as long and strong as possible) and you’re good to go.
You don’t have to remember which password you used on which site. The password manager takes care of everything.
Password managers sync across all your devices, so you can log on no matter where you are. They’re infinitely more secure and versatile than the “remember my password” button in your browser.
We highly recommend starting with a free password manager like Bitwarden, KeePassXC or LastPass. They’re packed with features and super-easy to set up.
Then, if you’re still hungry for more features, you can upgrade to the premium version of your chosen password manager. Or try a paid password manager like 1Password or Keeper if you’re curious.
Our Last Words on Passwords
From abc123 to zxcvbnm, the most popular passwords are also the most vulnerable.
We wouldn’t touch them with a 50 foot ethernet cable — and neither should you!
It’s time to get wise about password security. And, really, it’s not that hard.
Stay away from obvious passwords, make yours as long as you can and supplement them with two-factor authentication. Then box it all up in a trusty password manager and say sayonara to password thieves!
Because trust us: this is one popularity contest you don’t want to win.
Final Thoughts
Millions of internet users still rely on terrible passwords: 123456, qwerty and, of course, password. But creating long, strong, memorable passwords is easier than you think!
