For some reason, many web surfers accessing the internet don’t appear to be listening. Despite warnings by experts and countless reports of hacking, identity theft, online fraud, and more, there are people still using “123456” as a password. That simple sequence of numbers reigns king on the new top 100 worst passwords list of 2017.
According to numbers provided by SplashData, the use of “123456” as the No. 1 bad password hasn’t changed in years. The firm provides its list of the top 100 worst passwords each year, and shows that “123456” officially unseated “password” from the top spot in 2013. Since then, 123456 remains at the top of the list followed by “password” and several other common words and numbers.
California-based SplashData provides security applications and services, including its SplashID Personal Password Manager, and its TeamsID Business Password Manager. The firm releases its annual list to encourage internet surfers to use stronger passwords. The firm’s data supposedly derives from millions of leaked passwords discovered throughout the year.
Here are the top 10 worst passwords used on the internet starting from SplashData’s very first report in 2011:
| 2011 | 2012 | 2013 | 2014 | 2015 | 2016 | 2017 | |
| 1 | password | password | 123456 | 123456 | 123456 | 123456 | 123456 |
| 2 | 123456 | 123456 | password | password | password | password | password |
| 3 | 12345678 | 12345678 | 12345678 | 12345 | 12345678 | 12345 | 12345678 |
| 4 | qwerty | abc123 | qwerty | 12345678 | qwerty | 12345678 | qwerty |
| 5 | abc123 | qwerty | abc123 | qwerty | 12345 | football | 12345 |
| 6 | monkey | monkey | 123456789 | 123456789 | 123456789 | qwerty | 123456789 |
| 7 | 1234567 | letmein | 111111 | 1234 | football | 1234567890 | letmein |
| 8 | letmein | dragon | 1234567 | baseball | 1234 | 1234567 | 1234567 |
| 9 | trustnot | 111111 | Iloveyou | dragon | 1234567 | princess | football |
| 10 | dragon | baseball | adobe123 | football | baseball | 1234 | iloveyou |
As the chart shows, “password” and “123456” are locked in a heated battle for the top spot. “12345” and “12345678” fight for third place while “qwerty” and “12345678” battle for the fourth position. One of the troubling factors is that the top 10 consist of similar words and strings of numbers over the last seven years, including “football,” “baseball,” dragon,” and “iloveyou.”
But SplashData’s annual reports don’t mean everyone on the planet is using these passwords. The company is merely pointing out bad password use in hopes that future lists will eventually wither and die. But given that these words and number strings are pulled from millions of leaked passwords each year, you can see why hackers are having a field day breaking into online accounts.
Most major websites now demand passwords consisting of upper and lower-case letters, numbers, and symbols of a specific length (character count). They even offer two-step authentication that requires a mobile device to authorize logins. But as the lists shown above illustrate, the top bad passwords consist of all letters or all numbers.
Moreover, security experts will warn that you shouldn’t use passwords that are directly related to your life, such as using your birthday, favorite movie, child’s name, and so on. Passwords should essentially be phrases that mean absolutely nothing, but can be easily remembered. “Sciss0rzCutzCh1ck0nz” could be a tough nut to crack.
Of course, using a password manager like LastPass or 1Password to handle all your accounts and passwords is an ideal security strategy as well. These services are subscription-based but eliminate the need to manage multiple passwords for multiple accounts.
