The World’s Worst Passwords List: How Many Do You Have?


When it comes to password hygiene, many of us are still ignoring the basics.

Password management specialist, SplashData has released its eighth ‘Worst Passwords of the Year’ list: a roundup of the most commonly used and easily guessable passwords. The list is based on an evaluation of more than 5 million passwords leaked on the internet (passwords relating to hacks of adult sites are not included!).

It’s estimated that 10 percent of internet users are guilty of using at least one of the top 25 most popular passwords. 3 percent of people use the very worst password: ‘123456’.

Extremely lazy numerical and keyboard ​patterns feature heavily in the list (e.g. ‘qwerty’ and ‘abc123’). Obvious phrases are popular too; prominent examples of this include ‘password’ and ‘iloveyou’.

Celebrity names have always been a popular go-to source of passwords for many hapless users. Combine this with a little bit of social profiling and you’ve got a problem: (tip: LionelMessi10 is never a good choice; doubly so if your Facebook page is full of Barca-related posts).  Along these lines, the US President will doubtless be flattered by this year’s most noteworthy new entry on the list: it seems that ‘donald’ is currently the 23rd most popular password.

The top 25 worst passwords

Here’s the 2018 list (with changes from the previous year’s list)...

1.     123456 (Unchanged)

2.     password (Unchanged)

3.     123456789 (Up 3)

4.     12345678 (Down 1)

5.     12345 (Unchanged)

6.     111111 (New)

7.     1234567 (Up 1)

8.     sunshine (New)

9.     qwerty (Down 5)

10.   iloveyou (Unchanged)

11.   princess (New)

12.   admin (Down 1)

13.   welcome (Down 1)

14.   666666 (New)

15.   abc123 (Unchanged)

16.   football (Down 7)

17.   123123 (Unchanged)

18.   monkey (Down 5)

19.   654321 (New)

20.   !@#$%^&* (New)

21.   charlie (New)

22.   aa123456 (New)

23.   donald (New)

24.   password1 (New)

25.   qwert123 (New)

How a bad password leaves you exposed

The whole point of a password is to put in place a barrier between a hacker and the network, system, device, program or account you want to protect. So the more obvious the password, the weaker that barrier. Here’s a closer look at how you’re exposed…

Beware brute force attacks...

When it comes to system infiltration, you are not simply dealing with an intruder manually trying out different password combinations. You are far more likely to encounter a brute force hacking attempt. With this type of attack, the hacker uses a cracking tool to work through various combinations of usernames and passwords until a combination is found.

There are several common flavours of brute force attack (all of which are made a lot easier where the type of password listed above is used!):

  • Dictionary attack. The hacker works through a long list of possible passwords and tries them all. You can filter this quite substantially by making certain assumptions about the type of user you are targeting.
  • Credential recycling. The attacker gets hold of intel on passwords and usernames from other breaches and uses this data as a basis for a fresh attack of their own. It can often yield results because so many of us are guilty of recycling login details for multiple accounts.
  • Reverse brute force attack. Let’s say that the hacker wants to infiltrate a big company. Of all the users on the network, they take a bet that at least a few of the network users will be dumb or lazy enough to have the likes of ‘123456’ as their password. Drawing from information from the likes of LinkedIn, they attempt to match possible usernames to this popular password.

Time for a password hygiene check?

Obviously, you would never use a ‘qwerty’ type password – and neither would you forget to swap out the factory default logins on your devices and peripherals. But one of the biggest challenges of working in cybersecurity involves policing the behaviour of other users. Ensuring good password hygiene is a big part of this.

Here are some tips for getting it right…

Have a clear policy in place

Typically, this might include the following:

Length and characters. ​We recommend passphrases of 12 mixed type characters. (It takes less than a second to crack ‘123456’; in theory, it takes years to cold crack a 12-character mixed phrase).

An example of a very strong passphrase is "You miss 100% of the shots you don’t take."  With a Massive Cracking Array (Assuming one hundred trillion guesses per second) it would take 3.73 hundred billion trillion trillion trillion trillion centuries to crack.Uniqueness. Where users duplicate identical passwords for multiple tools, a single hack could provide a way into multiple systems. Insist on a different password for each log-in.

Safe password management. Leave it to non-technical users to set their own passwords, and there’s always ‘that guy’ who will lapse into using the type of guessable ​patterns that dominate the SplashData list. With a password manager tool, you can generate secure random passphrases – and organise & store them securely at admin level.

Recommended password managers include;

- LastPass - Most functionality with browser integration but highest attack surface.

- KeePass, KeePassX, KeePassXCModerate Functionality and moderate attack surface. (What's the difference between KeePass, KeePassX and KeePassXC?)

- Master Password App - Least functionality and lowest attacker surface.

Fit-for-purpose authentication: time to look beyond the password...

Let’s say one of your network users is tricked into disclosing a password via a phishing attempt; your assets are exposed no matter how ‘strong’ the password happens to be. Alternatively, let’s say you are hit by a brute force attack; in which case, If the password is poorly hashed, sooner or later, the password is going to be cracked…

You cannot rely solely on passwords to keep your assets safe. 

For one thing, you should be looking at the type of security information and event management (SIEM) tools that can alert you of the fact that someone somewhere may be attempting to pick your locks - i.e. successful and failed logins from unfamiliar endpoints.

Where appropriate, you should also be looking at fitting a double lock on the systems under your watch. We’re talking here about two-factor authentication (2​FA); incorporating a second step in the login process such as a soft token like a ​Time-based One-time Password algorithm such that is offered by Google Authenticator, a ​hardware token, a biometric check or even a SQRL.

Want to find out more about how to get authentication right? Here’s your next step...

The Complete Cyber Security Course (See Volume 2 on authentication)

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Nathan House

    Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.

  • Donna says:

    Hi Nathan
    Thank you for your interesting and important information. In terms of password managers, what are you thoughts on 1Password? I first came across this from reading Troy Hunt late last year as a result of first learning about “Have I Been Pwned?” and it’s the first one I’ve ever experienced. Am wondering how it stacks up.

  • Di says:

    Very good. ? I actually seen an advertisement on telle some VPN company trying to reach non tech masses is funny they are showing how easy it is to create a login and their password example is john123 ?

  • Richard says:

    I was surprised to see my password on the list :(

  • Ale says:

    I seem to recall reading somewhere that even password managers could be hacked? Any thoughts on this?

    • Nathan House Nathan House says:

      There is no such things as 100% security. Yes its possible to “hack” password managers especially if they are browser extentions. But its not simple. Using keyloggers to capture the master password is vaiable. But using password managers is less risky than using poor passwords over many sites.

  • cyanohydrax says:

    People encrypted passwords made simple. This is a one page training session that has helped hundreds of users.

    Remembering passwords are complex, but they don’t have to be.
    Example website and password: – login – password I like to use mydoggie – login louislopez67 – password I like to use mydoggie

    Let’s make them people encrypted.

    For Amazon: login make the password the first 3 characters of the company and use uppercase. The middle of the password will be the password I like to use. The end of the password I will make up as 1234!.

    When written, I write this in an Excel spreadsheet or black password book.

    website login name password AMAx1234!

    See the little “x” in the password. That is the people part of the encryption. It is not written down anywhere. It’s in my head. The real actual password is AMAmydoggie1234!. If someone finds the excel spreadsheet, it means nothing to the person. If this is in a blackbook and written as AMAx1234!, then that means nothing. The real actual password is not written in its full form anywhere. If an untrusted person should see this password, they will try to login as with a password of AMAx1234! and it will not work.

    Let’s do another one.

    For Bank of America: login make the password the first 3 characters of the company and use uppercase. The middle of the password will be the password I like to use. The end of the password I will make up as 1234!.

    When written, I add this to my Excel spreadsheet or black password book.

    website login name password louislopez67 BANx1234!

    See how easy that is. You don’t have to use the first three characters of the company. You could use the first character of each part of the company name like BOA for Bank Of America.

    Let’s do one more to make sure you get it.

    For login make the password the first 3 characters of the company and use uppercase. The middle of the password will be the password I DONT CARE ABOUT. The end of the password I will make up as 1234!.

    When written, I add this to my Excel spreadsheet or black password book.

    website login name password FAKy1234!

    Hey. Wait a minute. What is that “y” I used instead of “x”. Well the reason is because I use an x that means mydoggie for all of my most important financial websites and my main email account related to those financial websites. The “y” is going to be untrusted. Literally “untrusted”. So, the actual password for untrusted websites, I will substitute the letter y in place of the secret. The real password here is FAKuntrusted1234!. Again, in my spreadsheet or black password book, I put FAKy1234!.

    Remember your main recovery email for all financial/bank websites is equally important as the financial site itself.

    If you change your password, simply change the last 4 numbers at the end and update your excel spreadsheet or black password book.


    • Nathan House Nathan House says:

      Use a password manager!

      • Frank Ewout Meijer says:

        1 ring to rule them all? Passwordmanagers and complex generated passwords create postits. Security is not about passwords, but about people. I strongly advise against pwmanagers. If they get that db you are screwed. Also the cloudbased pw managers are a big leap of faith imho.

        • Nathan House Nathan House says:

          You think the alternative of using weak and reused passwords is a solution!?

          Use password managers people, use 2FA. Use SQRL when it’s released.

  • cyanohydrax says:

    How about a super weak password like 1234 and like what Nathan House stated 2FA Google Authenticator or Two factor authentication cell phone. The two factor eliminates hacked databases. If the two factor is not an option. Don’t store any password in any browser. Don’t store passwords in password managers. Don’t write down any password without a human encryption. ABCx1234! is the password you write down. ABCchicken1234! is the actual password. remember the chicken is the “x” and that’s never written down as chicken. Confusing, I know. If your black book was physical or stored in an Excel document, ABCx1234! means nothing to anyone but you. Probably use whatever word you want instead of chicken because of this written article. – Cyanohydrax

  • Alishia says:

    Yes, using the same password everywhere, really, increases the risk of your account being compromised.

  • >