For the second year in a row, "123456" remained the worst password.
The list was put together by SplashData, a company that provides various password management utilities that it compiled the list by analyzing more than five million user records leaked online in 2017.
In its 2017’s Worst Passwords of the Year list, “starwars” joins the list at #16.
“Unfortunately, while the newest episode may be a fantastic addition to the Star Wars franchise, ‘starwars’ is a dangerous password to use,” said Morgan Slain, CEO of SplashData, Inc. “Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words.”
Even with the risks well known, many millions of people continue to use weak, easily-guessable passwords to protect their online information, says SplashData. For the fourth consecutive year, “123456” and “password” retain their top two spots on the list. Variations of each, either with extra digits on the numerical string or replacing the “o” with a “0” in “password,” comprise six of the remaining passwords on the list.
“Hackers know your tricks, and merely tweaking an easily guessable password does not make it secure,” says Slain. “Our hope is that our Worst Passwords of the Year list will cause people to take steps to protect themselves online.”
For the second year in a row, football is the only sport to crack the Top 25 -- though it dropped four spots on this year’s list to the #9 spot.
The “loveme” password has been replaced on this year’s list with “iloveyou.” Other new appearances on the list include "letmein", "monkey", “hello”, “freedom”, “whatever” and “trustno1.” One other new entry is “qazwsx” from the two left columns on standard keyboards – demonstrating the importance of avoiding simple patterns.
According to SplashData, the over five million leaked passwords evaluated for the 2017 list were mostly held by users in North America and Western Europe. Passwords leaked from hacks of adult websites and from the Yahoo email breach were not included in the report.
SplashData’s “Worst Passwords of 2017”:
1 - 123456 (rank unchanged since 2016 list)
2 - password (unchanged)
3 - 12345678 (up 1)
4 - qwerty (Up 2)
5 - 12345 (Down 2)
6 - 123456789 (New)
7 - letmein (New)
8 - 1234567 (Unchanged)
9 - football (Down 4)
10 - iloveyou (New)
11 - admin (Up 4)
12 - welcome (Unchanged)
13 - monkey (New)
14 - login (Down 3)
15 - abc123 (Down 1)
16 - starwars (New)
17 - 123123 (New)
18 - dragon (Up 1)
19 - passw0rd (Down 1)
20 - master (Up 1)
21 - hello (New)
22 - freedom (New)
23 - whatever (New)
24 - qazwsx (New)
25 - trustno1 (New)
