'123456' and 'Password' top SplashData's annual list of worst passwords again

For 2017, the world's most-hacked password is still '123456', followed by 'Password'.
For 2017, the world's most-hacked password is still '123456', followed by 'Password'.PHOTO: THE NEW PAPER

WASHINGTON - After reviewing five million passwords leaked in 2017, password management company SplashData has released this year's list of the most insecure passwords.

For 2017, the world's most-hacked password is still "123456", followed by "Password". Between them, these two passwords have retained their top two spots on the top 100 Worst Passwords of the Year ranking since 2011.

SplashData estimates almost 10 per cent of people have used at least one of the 25 worst passwords on this year’s list, and nearly 3 per cent of people have used the worst password, 123456.

This year, Star Wars found its way onto the list as well, with 'starwars' claiming the 16th spot.

"Unfortunately, while the newest episode may be a fantastic addition to the Star Wars franchise, 'starwars' is a dangerous password to use," said Morgan Slain, CEO of SplashData, Inc.

"Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words."

This is not the first time Star Wars has appeared on the list. The 2015 edition also included "starwars," down in the No. 25 slot.

The rise of Star Wars passwords coincides with the years that have featured big movie openings from the main branch of the franchise, including 2015's "The Force Awakens" and 2017's "The Last Jedi".

Tweaking common words by adding a number or swapping the letter "o" with the number "0"do not make your password secure, says SplashData, a company that creates applications for password management and security.


The popularity and simplicity of those passwords pose risks for those who use them, it said.

"Hackers know your tricks, and merely tweaking an easily guessable password does not make it secure," said Slain in a news release released on Dec 19.

"Our hope is that our Worst Passwords of the Year list will cause people to take steps to protect themselves online."

Strong, effective passwords should be relatively long and unique, experts told New York Times.

They can be meaningless strings of characters, numbers and punctuation or, as has become popular in recent years, full sentences that are easy to remember but hard to guess.

While the SplashData list differs from those compiled by others, it reflects a theme common to such analyses: People often use strings of sequential numbers as their passwords.

As in 2016, "123456" led the SplashData list. The slightly more complex "12345678" ranked third and "12345" was fifth, followed by "123456789" in sixth place and "1234567" in eighth.

It is important never to use the same password twice and to make sure you change passwords regularly, once per quarter, for example.

Here is the list of this year's top 20 worst passwords.

1. 123456

2. password

3. 12345678

4. qwerty

5. 12345

6. 123456789

7. letmein

8. 1234567

9. football

10. iloveyou

11. admin

12. welcome

13. monkey

14. login

15. abc123

16. starwars

17. 123123

18. dragon

19. passw0rd

20. master

21. hello

22. freedom

23. whatever

24. qazwsx

25. trustno1

The full list is available here