The Most Popular Bad Passwords of 2017

Weak passwords hurt us all

Every year, we are inundated with a series of hacks that remind us of the importance of strong passwords. And yet, at the end of every year, we also see new data that proves a vast majority of people just don’t care about security.

Why do these hacks keep occurring? Bad passwords play a major part. Enterprise password manager SplashData has again released a study detailing the world’s most popular passwords, as revealed by hacked and leaked databases of passwords (in addition to gauging popularity, it also noted whether a particular password was new to the list). In a sad twist, many of these codes are beyond simple.

Yet again, the worst offenders are ‘123456’ and ‘password.’ We’ll chalk those up to lazy IT management and even lazier workers. They smack of starter passwords given to new hires, who sometimes fail to upgrade to something more secure.

If you need a giggle, here are the top ten:

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. letmein
8. 1234567
9. football
10. iloveyou

SplashData notes 6, 7 and 10 are new to the list. Also new (versus last year) are ‘monkey’ (13th), ‘starwars’ (16th), ‘123123’, (17th), ‘hello’ (1st), ‘freedom’ (22nd), ‘whatever’ (23rd), ‘qazwsx’ (24th), and ‘trustno1’ (25th).

We’re especially fond of ‘trustno1’ for a password. Hello, ‘X-Files’ fans!

SplashData says hackers use “common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words.” That’s why a password like ‘starwars’ is so problematic. Indeed, SplashData’s 2014 study found ‘superman’ ranked 21st. The popular ‘Man of Steel’ movie was released in 2013.

What’s possibly more problematic than ignorance is misinformation. Users clearly think ‘starwars’ and ‘superman’ are unique enough to protect their devices and accounts. Many also recycle passwords, and a password so easily cracked could potentially give up far more personal data than anyone would be comfortable with.

15 Responses to “The Most Popular Bad Passwords of 2017”

  1. For the majority of people, it’s a toss-up between playing with a variation of a well-known (and thus mind-entrenched) password, and maintaining a virtual -or even actual – ” Little Black Book” containing their various passwords/site.

    Point is that the b******s who trawl and troll and hack depend on the simplicity of normal and humble people who just want to check their bank balance on-line (because their bank is 20+ Kms away and they haven’t got the means or health or money to physically get to their bank)

    These scum also take great delight in ‘grabbing’ landline telephone numbers and then terrorising people (most popularly the elderly) into thinking that (a) they have had a motor vehicle accident or (b) Microsoft has detected a serious security breach affecting their online e-mail account(s) and (c) their bank/building society/a.n.other finbancial institution, has detected a ‘fraudulent transaction’ regarding their account.

    Finally, we get those lovely, endearing and laughable Nigerian scam e-mails. “God bless me and my dear and may you be blessed but please help me to liberate an obscene amount of money from my deceased father/uncle/brother/husband account” etc etc.

    C’mon my fellow IT guys. There has GOT to be a way to cancel out these b******s. Why should a majority be held hostage by a minority?? I look forward to a plausible excuse.

    In the absence of an excuse, I simply say this. ‘Guys, get off your collective asses and go and kick other asses.”

  2. Several years ago I received a call on the landline from someone who was very insistent that a computer in my house was sending out spam. He said he could tell by the IP address and it was coming from a computer running Windows. He said he would help me remove the offending software. I said that’s interesting. All of the computers at my house were turned off except my own…and it runs Linux. It was comical how he tried to backpaddle on his little scam.

    In regards to the previous poster’s ‘Little Black Book’ comment, while having one is a good idea it’s also vulnerable, especially when you name the file ‘passwords’. A hacker would home in on that in a heartbeat. On the other hand, how many would be interested, or find it, if it were named ‘Aunt Gertrude’? Another trick is to save it as a text file. Small, easily overlooked, and so old-school they may not even know how to open it. My favorite is to save it in the comments of a DOS batch file.These are tricks that fall into the category ‘hiding in plain sight’.

    Another point to ponder…if you don’t save your valuable information on a device — passwords, bank information, personal information, credit card numbers, etc. — there’s nothing to steal should you be hacked or if you lost your cell phone. Don’t treat your computer or cell phone like a bank safe-deposit box. In real life you put locks on your house/apartment to keep unwanted people out. When you have something valuable you tend to put on stronger, better locks. Why are devices any different?

    You’re dealing with some very smart, cunning individuals. Be smarter or deal with the consequences. Take responsibility for your own safety.

  3. There are a few products out there…password safe comes to mind…which allow you maintain an encrypted “little black book”. You need to remember only two passwords…get into your computer, and password safe’s password/phrase. When you need dozens of passwords, it is far more suitable than a post-it or stupid/simple passwords. It will even allow one click login to many websites once you have it open, as well as copy/paste of login id’s or passwords so you can even make them something difficult to type.

  4. Paul Smith

    Sometimes easy is ok, if you make it harder. Star wars can be $t@Rw@rS17 and tricks like that. Using numbers for letters 3 for E and so on. While almost impossible to hack, it is difficult to remember the scramble of digits, special characters and letters that get auto.generated, but you can create ones that are important information to you but hard to decipher. IE: 12Xm@$17!25#

    • Please don’t perpetuate such wrong information. Using numbers instead of letters does not make passwords “almost impossible to hack”. Hackers are well aware of these common techniques and they provide barely any additional security.

  5. At my company, we have been doing “cyber security training” to try and educate our users on how to protect themselves at work, as well as outside of work. I tell them to “stop, look and think” before opening an email and/or clicking links within an email. I explain the common sense questions to ask themselves about the email and it’s origin. I also show them how to hover over a link to see the web address it points to and how to determine if that makes sense, based on the alleged sender. I keep it really, really simple for them and some still don’t get it. I just had a user last week that got an email from “Amazon” telling her that she won a gift card. She has ordered a lot from Amazon lately (hello Christmas!), so in her mind it had to be legit, even though the from address had nothing to do with Amazon. She blindly clicked a link and the end result was a dead PC. The worst part is that she didn’t learn anything! She said she would mostly likely click on it again if she got another email like that, because she is ordering so much from Amazon.

    I also introduce them to a website that is easy to use and a great way to test your password and get some perspective on password complexity and length. The website is “”. It has been a real eye-opener for my users, at least during the training session anyway. They still complain when it comes time to change their password though.

    It’s like the old saying goes. You can lead a horse to water, but you can’t make him drink!

    • Darrel Monroe

      Hmm, so let me get this straight. You are suggesting typing your password into a site that is not the site you are using the password on test how secure the password is. My guess is that after doing that, not secure anymore 🙂

  6. 1) No use of company computers for personal use. You need to check your bank balance or Amazon order status? Use your phone.
    2) Blacklist domains and email addresses. There are web sites & services that provide up-to-date data for this type of protection.
    3) Wrong password entered 3 times? Create, disseminate, and enforce a policy that locks the account and requires the user to call the help desk/admin to unlock it.
    4) Educate developers, admins, and users that all security measures should be treated like they are protecting your personal retirement savings. That is, if you screw it up you’ll need to work until your fingers fall off from old age.

  7. I think the most disturbing is when senior IT people or managers think the network cannot be hacked. Yet have the weakest physical security in place, and common dictionary words for passwords. You try to impress upon them to use nondictionary words, random 20+ for admin interfaces, but they are so pigheaded and have a delusional sense of security that they don’t care.