Easy as 123456

Good news! People are still astonishingly bad at picking secure passwords, and if you run your fingers across the top row of your keyboard, you will probably type seven of the 15 most-used passwords at once.

When we say “good news”, we mean “good news for people who want to break into password-protected accounts”, of course. If you are one of the people with a bad password, that is very bad news indeed.

Password management firm SplashData has compiled more than 2m passwords leaked over the course of 2015, to find the 25 worst passwords – those used by the most people at the same time.

Topping the list for yet another year is the gold standard of awful passwords, 123456, while hot on its heels is perhaps the only password worse still: password. Rounding out the top 10 passwords are five further variations on a theme (12345678, 12345, 123456789, 1234 and 1234567), as well as one from the next row of keys on the keyboard (qwerty) and two from spectacularly unimaginative people with hobbies (“football” and “baseball”).

Of course, there will always be some passwords which are the most used passwords. But let this be a lesson to you: if your password appears on this list, you should probably change it, now.

Worst Passwords of 2015

1) 123456

2) password

3) 12345678

4) qwerty

5) 12345

6) 123456789

7) football

8) 1234

9) 1234567

10) baseball

11) welcome

12) 1234567890

13) abc123

14) 111111

15) 1qaz2wsx

16) dragon

17) master

18) monkey

19) letmein

20) login

21) princess

22) qwertyuiop

23) solo

24) passw0rd

25) starwars

SplashData’s advice to users who find out that their passwords are sub-par is simple enough: use long passwords, which are different for every website, and – most importantly – don’t limit yourself to passwords you can remember. Instead, use a password manager, such as LastPass, 1Password, or SplashData’s own SplashID, to store the passwords securely.

But Brian Spector, the chief executive of security firm Miracl, argues that the list is yet more evidence that passwords are broken altogether. “Sadly, even though many people are now using a combination of letters and numbers, or substituting numbers for letters, passwords can’t protect your personal information or data.”

“The IT industry needs to get over passwords. They don’t scale for users, they don’t protect the service itself and they are vulnerable to myriad attacks.” Instead, he argues for new approaches which combine two-factor authentication (using a mobile phone in addition to a password to verify identity to a website) with biometric data and other proof of ID, to remove many of the threats that currently affect only security.