25 Worst Passwords of 2017

By Michael Lasky

These past two years have been particularly devastating for data security, with a number of well publicized hacks, attacks, ransoms, and even extortion attempts. Millions of records have been stolen. Even with the risks well known, many millions of people continue to use weak, easily-guessable passwords to protect their online information,” Slain notes.

Here are the top 25 most-hacked passwords, by rank, password and whether or not their position on the chart has changed from 2016. You’ll note that numbers one and two are still reigning champs.

Presenting SplashData’s “Worst Passwords of 2017”:

1 – 123456 (rank unchanged since 2016 list)
2 – password (unchanged)
3 – 12345678 (up 1)
4 – qwerty (Up 2)
5 – 12345 (Down 2)
6 – 123456789 (New)
7 – letmein (New)
8 – 1234567 (Unchanged)
9 – football (Down 4)
10 – iloveyou (New)
11 – admin (Up 4)
12 – welcome (Unchanged)
13 – monkey (New)
14 – login (Down 3)
15 – abc123 (Down 1)
16 – starwars (New)
17 – 123123 (New)
18 – dragon (Up 1)
19 – passw0rd (Down 1)
20 – master (Up 1)
21 – hello (New)
22 – freedom (New)
23 – whatever (New)
24 – qazwsx (New)
25 – trustno1 (New)

And yours truly must confess to having tweaked a ridiculously simple password in the naïve belief that I was making it “more secure.” This password, which I no longer use, is #19 on the worst list: passw0rd.

Yeah, I figured – and so apparently did thousands of others—that by changing the letter O in password to a zero would make it foolproof. (There is no proof to that assumption, and I apparently was the fool. Pun intended.)

So how did SplashData determine the worst passwords? It evaluated over five million leaked passwords and looked for patterns.

The company estimates that almost 10% of people have used at least one of the 25 worst passwords on this year’s list. When it drilled down to particular passwords, about 3% have used the worst password, 123456.

Although only the top 25 worst passwords are highlighted, there is a full list of Top 100 Worst Passwords 2017 and it can be found here.

Tips on Transforming Bad Passwords into Good Ones

It’s all well and good that SplashData compiles the annual worst password lists which shows off our bad habits, but do they have any advice to change our password behavior?

The company’s security experts do offer three tips to safer passwords:

  1. Use passphrases of 12 characters or more mixed with upper and lower case and letters and numbers.
  2. Use different passwords for each of your website logins. This is essential because if a hacker gets one password they will try using it to access other sites.
  3. Use a password manager to organize passwords, generate random ones, and automatically log into websites. While the worst passwords list may seem a tad self-serving since SplashID, Gpass and TeamsID are SplashData’s password management apps, there are now a slew of other similar apps as well (see below) and using a password manager is justifiably good advice – and offers convenience to you as well.

Wait a minute: 12 character passwords? That’s seem a bit much and if that’s the route we have to take to be safe, then password managers would seem to be essential since they automatically login to websites instead of us manually typing in 12 characters.

And, yes, with the unnerving prospect of 12 character passphrases or all the different shorter ones at all the sites we visit, there are also a few password tricks for the memory-limited to even get around to signing on to password managers. But first …

A Quick Guide to Password Managers

As Lance Whitney pointed out last March, “Password managers may not be the perfect solution, but they’re far better than the alternative of using simple passwords or using the same password at every website. Until the industry is able to offer a truly superior and secure website login method, password managers are your best bet”.

His review of the pros and cons of password managers covers four of the most popular apps, Dashlane, LastPass, 1Password, and RoboForm. Add to this the aforementioned SplashID. While they all will automatically login to sites you visit, each has a host of extra features such as saving credit card information and handling form filling such as addresses, phone numbers, and other personal data. All are locked with one master password (the only one you have to remember so write it down just in case).

I have been devoted to LastPass for years on my PC and mobile devices, loading it in each of the browsers I use as an extension or plug-in.

If you are hesitant to sign on to yet another browser add-on, check out my August 1, 2017 coverage of Windows 10 password alternatives [link] which includes fingerprints, facial recognition, and for touchscreens, pattern drawing in lieu of a password.

Another Way to Create Easy to Remember Passwords

Speaking of patterns, here is a method for devising different passwords for each site you visit that are easier to remember. Create a boilerplate phrase of 10 lower and up case letters. You will use this as the beginning of each passphrase. Then as you visit a website which requires a login, enter your boilerplate phrase and add three or four characters unique to that site perhaps using the characters in the site’s name.

For example, say you are entering an account at bookstore.com. You would enter your boilerplate phrase such as Sample$Coin as the beginning of your password for this site and add the extra mnemonic three or four characters unique for this site, such as BooK. So the password for bookstore.com would be Sample$CoinBook. Accordingly the only part of the password unique for this site would be the Book.

At Amazon.com it might change to Sample$CoinAmaZ or sometime like that. All you would need to remember if the AmaZ part since the boilerplate beginning stays the same. Of course if you then use a password manager it will remember each of these and auto log you in after the first instance.

While this method might seemingly contradict the rule for not using the same or altered passphrase at each site, the combination of the boilerplate and the additional characters unique to each site, especially with adding upper and lowercase and special symbol characters, should keep the hackers guessing ad infinitum.

Of course for banking and health account enabling two-factor authentication, as Google does for its accounts, is the safest routine. You enter your password and then receive a text or voice message with an instant one-time code to get connected. Text is best for cellphones and voice for landlines.

To end with a laugh, I love repeating the advice offered by Mad Magazine. How about making your password Password Incorrect. If anyone tried to break into your account they will keep getting a Password Incorrect message.