2016’s Worst Passwords Are In, And The Results Are Embarrassing.

It’s that time again, where, with a whole new year’s worth of uncertainty ahead, we collectively look back on the past year and face just how terrible we really were... at coming up with secure passwords.

Last year, SplashData did the dirty work, but this time around it was the security team at password manager Keeper who stepped up to the plate to bring us The Worst Passwords of 2016. The results? Just as terrible as we’ve come to expect.

 The list, culled from more than 10 million passwords that became public through data breaches that happened in 2016, identified the year’s 25 most common passwords, which were:

  1. 123456
  2. 123456789
  3. qwerty
  4. 12345678
  5. 111111
  6. 1234567890
  7. 1234567
  8. password
  9. 123123
  10. 987654321
  11. qwertyuiop
  12. mynoob
  13. 123321
  14. 666666
  15. 18atcskd2w
  16. 7777777
  17. 1q2w3e4r
  18. 654321
  19. 555555
  20. 3rjs1la7qe
  21. google
  22. 1q2w3e4r5t
  23. 123qwe
  24. zxcvbnm
  25. 1q2w3e

That’s right, 123456 took the top spot, again. Keeper identified 1.7 million accounts using the perennial favorite—just about 17 percent of the 10 million hacked accounts studied.

“Looking at the list of 2016’s most common passwords, we couldn’t stop shaking our heads,” says the Keeper team.

“The list of most frequently used passwords has changed little over the past few years,” Keeper wrote in a blog post. “That means that user education has limits. While it’s important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves. IT administrators and website operators must do the job for them.”

So how can we do better in this brave new year of 2017? Keeper offered up a few basic tips:

  1. Use passwords or passphrases with “a variety of numerical, uppercase, lowercase and special characters.”
  2. Avoid dictionary terms. Using simple words can open you up to dictionary cracks, which test common passphrases such as those found in Keeper’s list, then move through the whole dictionary, says Keeper.
  3. Use a password manager.

Here are a few additional obvious tips that I would add:

  • Avoid using the same password over and over again on different websites
  • And, for God’s sake, enable two-factor authentication wherever possible.
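
Keeper's point that website operators must do the job for users, together with the dictionary-crack tip above, translates into a server-side screen applied when a password is set. The following is an added example, not code from Keeper or from this article; it goes beyond the 25 listed entries to catch the same patterns (repeats, keyboard walks, a listed word with digits appended), and `MIN_LENGTH`, `WALKS` and the function names are assumptions of this sketch.

```python
# Added example: server-side screening of a new password (not Keeper's code).
# The 25 entries are the list above; MIN_LENGTH and WALKS are assumptions of this sketch.
KEEPER_2016_TOP25 = frozenset("""
123456 123456789 qwerty 12345678 111111 1234567890 1234567 password 123123
987654321 qwertyuiop mynoob 123321 666666 18atcskd2w 7777777 1q2w3e4r 654321
555555 3rjs1la7qe google 1q2w3e4r5t 123qwe zxcvbnm 1q2w3e
""".split())

MIN_LENGTH = 8  # assumed policy value, not taken from the article

# Keyboard rows and the number/letter zig-zag that many listed entries are slices of.
WALKS = ("01234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm", "1q2w3e4r5t6y7u8i9o0p")


def is_keyboard_walk(pw: str) -> bool:
    """True if pw is one contiguous slice of a walk, typed forwards or backwards."""
    return any(pw in walk or pw in walk[::-1] for walk in WALKS)


def is_repeated_unit(pw: str) -> bool:
    """True if pw is a shorter string repeated, e.g. 111111 or 123123."""
    return len(pw) > 1 and pw in (pw + pw)[1:-1]


def rejection_reason(candidate: str):
    """Return a reason string if the password must be refused, else None."""
    pw = candidate.casefold()           # 'PASSWORD' is no better than 'password'
    base = pw.rstrip("0123456789!")     # 'google2016!' is still 'google'
    if pw in KEEPER_2016_TOP25 or (base and base in KEEPER_2016_TOP25):
        return "common password"
    if len(pw) < MIN_LENGTH:
        return "too short"
    if is_repeated_unit(pw):
        return "repeated pattern"
    if is_keyboard_walk(pw):
        return "keyboard walk"
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("123456", "Password", "google2016!", "asdfghjkl", "abcabcabc",
                   "correct horse battery staple"):
        print(f"{sample!r:32} -> {rejection_reason(sample) or 'accepted by this screen'}")
```

A production deployment would swap the 25-entry set for a much larger breached-password corpus; the normalization and pattern checks stay the same.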

Check out Keeper’s full study here for additional results and analysis.

Jeff Edwards

Editor, Cybersecurity at Solutions Review
Jeff Edwards is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in Journalism from the University of Massachusetts Amherst, and previously worked as a reporter covering Boston City Hall.