Gretel Egan | January 09, 2018

Worst Passwords of 2017: Deja Vu All Over Again

Another year in the books ... another batch of bad passwords to peruse. We reviewed SplashData’s 2016 and 2015 editions of its “Worst Passwords List” in prior years. When it comes to 2017's rankings, it's possible Yogi Berra's quote, "It's deja vu all over again," has never been more apt.

(Un)Lucky #7 for ‘123456’ and ‘password’ 

According to SplashData, the Worst Passwords of 2017 was based on more than 5 million passwords that were leaked during 2017. Though the data set was much larger than in earlier years (e.g., 2 million passwords leaked in 2015), results have not changed too much. In fact, “123456” and “password” sit at the top of the heap of the most commonly used passwords for the seventh consecutive year (making them the undisputed champs since the list was first published in 2011).

To shake a little of that "same old, same old" feel, we've changed things up a bit this year. Below, we present the top 25 passwords from the past three rankings. The 2017 passwords in bold have been in the top 25 at least twice since 2015 (though the rankings may have changed from year to year).

| Rank | 2017 | 2016 | 2015 |
|------|------|------|------|
| 1 | **123456** | 123456 | 123456 |
| 2 | **password** | password | password |
| 3 | **12345678** | 12345 | 12345678 |
| 4 | **qwerty** | 12345678 | qwerty |
| 5 | **12345** | football | 12345 |
| 6 | **123456789** | qwerty | 123456789 |
| 7 | **letmein** | 1234567890 | football |
| 8 | **1234567** | 1234567 | 1234 |
| 9 | **football** | princess | 1234567 |
| 10 | iloveyou | 1234 | baseball |
| 11 | **admin** | login | welcome |
| 12 | **welcome** | welcome | 1234567890 |
| 13 | **monkey** | solo | abc123 |
| 14 | **login** | abc123 | 111111 |
| 15 | **abc123** | admin | 1qaz2wsx |
| 16 | **starwars** | 121212 | dragon |
| 17 | 123123 | flower | master |
| 18 | **dragon** | passw0rd | monkey |
| 19 | **passw0rd** | dragon | letmein |
| 20 | **master** | sunshine | login |
| 21 | hello | master | princess |
| 22 | freedom | hottie | qwertyuiop |
| 23 | whatever | loveme | solo |
| 24 | qazwsx | zaq1zaq1 | passw0rd |
| 25 | trustno1 | password1 | starwars |

As noted, 18 of this year's top 25 are repeat offenders, and "new" dictionary words and simple combinations round out the rest of the group. (Even the seemingly random "qazwsx" isn't random at all; it's the letters from the two left columns on a standard keyboard.) Given these lists, it's no wonder password security continues to be a sore spot for organizations (and governments) at all levels. 
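For teams that want to act on these lists, the following added example (not SplashData's code or part of the original post) screens a proposed password against the three top-25 lists and against keyboard walks like "qazwsx", and recomputes the repeat-offender count. The function names and the US QWERTY layout are assumptions made for illustration.

```python
# Added example: lists are copied from the table on this page.
# Assumption: US QWERTY layout; function names are hypothetical.
TOP25 = {
    2017: ("123456 password 12345678 qwerty 12345 123456789 letmein 1234567 "
           "football iloveyou admin welcome monkey login abc123 starwars "
           "123123 dragon passw0rd master hello freedom whatever qazwsx "
           "trustno1").split(),
    2016: ("123456 password 12345 12345678 football qwerty 1234567890 "
           "1234567 princess 1234 login welcome solo abc123 admin 121212 "
           "flower passw0rd dragon sunshine master hottie loveme zaq1zaq1 "
           "password1").split(),
    2015: ("123456 password 12345678 qwerty 12345 123456789 football 1234 "
           "1234567 baseball welcome 1234567890 abc123 111111 1qaz2wsx "
           "dragon master monkey letmein login princess qwertyuiop solo "
           "passw0rd starwars").split(),
}
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Columns read top to bottom: "1qaz", "2wsx", "3edc", ...
COLS = ["".join(r[i] for r in ROWS if i < len(r)) for i in range(10)]
# Every row and column, in both reading directions.
LINES = [d for line in ROWS + COLS for d in (line, line[::-1])]

def is_keyboard_walk(pw, min_run=3):
    """True if pw splits entirely into runs of >= min_run characters, each
    taken from a single keyboard row or column in either direction."""
    s = pw.lower()
    ok = [True] + [False] * len(s)          # ok[i]: s[:i] is fully covered
    for i in range(len(s)):
        if ok[i]:
            for j in range(i + min_run, len(s) + 1):
                if any(s[i:j] in line for line in LINES):
                    ok[j] = True
    return len(s) >= min_run and ok[len(s)]

def repeat_offenders(year=2017):
    """Entries of one year's list that also appear in another year's list."""
    others = set().union(*(v for y, v in TOP25.items() if y != year))
    return [p for p in TOP25[year] if p in others]

def screen(pw):
    """Reasons to reject pw (case-insensitive); an empty list means no finding."""
    s = pw.lower()
    reasons = [f"top-25 in {y}" for y, v in sorted(TOP25.items()) if s in v]
    return reasons + (["keyboard walk"] if is_keyboard_walk(s) else [])

if __name__ == "__main__":
    print(len(repeat_offenders()), "of 25 repeat from 2015/2016")
    for candidate in ["qazwsx", "zaq1zaq1", "edcrfv", "Letmein", "hello"]:
        print(candidate, "->", screen(candidate) or "no finding")
```

The walk check also flags column patterns that never made a top-25 list (such as "edcrfv"), which a plain blocklist lookup would miss.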

But, you might be wondering, how many of the 5 million leaked passwords are these passwords? SplashData estimates that about 10% of people have used at least one of this year's 25 worst passwords, with nearly 3% using the worst password ("123456"). If we think about that in terms of a 10,000-person organization, that would equate to 1,000 employees and 300 employees, respectively. It's not very comforting to think of 300 email accounts safeguarded by 123456, is it?

As always, end users remain the key factor in application of password best practices. Cybersecurity awareness training is critical to moving the dial. We recommend making users aware of the importance of good password hygiene; providing interactive training about the techniques they can use to create and remember more complex password constructions; and offering guidance and recommendations about the extra tools (like password managers and multi-factor authentication) that can help them protect their data and yours.
