<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1678611822423757&amp;ev=PageView&amp;noscript=1">
Defrag This

| Read. Reflect. Reboot.

The Worst Passwords of 2017 Are Just as Embarrassing as You Thought

Jeff Edwards| December 21 2017

| security


It’s that time again, where, with the new year ahead, we make resolutions to better ourselves, and look back on the past year and face just how bad we really were….at coming up with strong passwords.

On December 19th password management provider SplashData released the 2017 edition of its “Worst Passwords of the Year” list.

The results? Just as awful as we’ve come to expect.

The list was put together through an analysis of more than five million passwords leaked in 2016’s biggest breaches. We should note that usernames and passwords from Yahoo’s massive 3 billion user breach were not included in the research, as the breach took place in 2013, though full disclosure didn’t come until recently.

The winner of Worst Password of the year is, for the seventh year in a row…. Drumroll please… “123456”!

"That's the kinda thing an idiot would have on his luggage!" 

As in years past, simple, numerical passwords remain the most common, with variations on the count-to-ten theme taking 5 of the top ten spots.

Another classic hit, “password” came in hot in second place.

Sports were also a popular theme, with "football" coming in at number nine, and His Airness showing up twice, with "jordan23" in 27th place and "jordan" in 33rd.

Here are the 25 worst passwords on SplashData’s 2017 list:

  1. 123456
  2. Password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. letmein
  8. 1234567
  9. football
  10. iloveyou
  11. admin
  12. welcome
  13. monkey
  14. login
  15. abc123
  16. starwars
  17. 123123
  18. dragon
  19. passw0rd
  20. master
  21. hello
  22. freedom
  23. whatever
  24. qazwsx
  25. trustno1

How can we improve password security?

So there you have it... pretty bad. But we can do better. We have to, if we ever want to stop the deluge of hacks and attacks in the headlines. So how do we fix this?

Here are a few tips:

  • Use longer pass-phrases, where possible. The longer the better. In the past, it was considered a best practice to use special characters, upper-case letters, and numbers, but as it turns out, that was bad advice. The fact is that short, complicated passwords are hard for a human to remember--and easy for a computer to guess. On the other hand, a long, pass-phrase, such as "whyareallofourpasswordssodangawful" is much harder for a computer to guess, but easier for a human being to remember. 
  • Enable multi-factor authentication (MFA). This connects your password with another factor of authentication, usually something you physically have, such as a cell phone. That way, if your password is compromised, you'll be prompted to authenticate on the secondary device when an unknown device tries to access your accounts. 
  • Use a password manager. It's common to have dozens of username and password combinations, and that's just for personal accounts. Add work accounts to the mix, and it can be downright impossible to remember everything, which is why passwords are so often reused. Luckily, there are a variety of free password managers available, which can remember your passwords for you, and even generate and store complex passwords for important accounts. 
  • Don’t use the same password over and over again on different websites. This one's important. Data breaches are so commonplace these days that there are entire databases of login credentials for sale on the dark web. For example, any password you used for LinkedIn prior to 2012, or Yahoo! prior to 2014, is likely compromised. It's imperative to use unique passwords for any account that you don't want hacked. 

We’d like to think that users will follow these tips, but in all likelihood they’ll probably respond with the 23rd worst password, “whatever,”or maybe even password #52 (we’ll let you look that one up on your own).

New call-to-action 

Topics: security

Leave a Reply

Your email address will not be published. Required fields are marked *


Jeff Edwards is a tech writer and analyst with three years of experience covering Information Security and IT. Jeff has written on all things cybersecurity, from APTs to zero-days, and previously worked as a reporter covering Boston City Hall.

Free Trials

Getting started has never been easier. Download a trial today.

Download Free Trials

Contact Us

Let us know how we can help you. Focus on what matters. 

Send us a note

Subscribe to our Blog

Let’s stay in touch! Register to receive our blog updates.