SplashData Announces 100 Worst Passwords of 2018

SplashData’s eighth annual list of Worst Passwords of the Year is here, and after evaluating more than 5 million passwords leaked on the Internet, the company found that computer users continue using the same predictable, easily guessable passwords.

While passwords such as “123456” and “password” continue in the #1 and #2 spots, respectively, President Trump debuted on this year’s list with “donald” showing up as the 23rd most frequently used password.

“Sorry, Mr. President, but this is not fake news – using your name or any common name as a password is a dangerous decision,” said Morgan Slain, CEO of SplashData Inc. “Hackers have great success using celebrity names, terms from pop culture and sports and simple keyboard patterns to break into accounts online because they know so many people are using those easy-to-remember combinations.”

Each year, SplashData evaluates millions of leaked passwords to determine which passwords were most used by computer users during that year. Even with the risks well known, many millions of people continue to use weak, easily-guessable passwords to protect their online information. 2018 was the fifth consecutive year that “123456” and “password” retained their top two spots on the list. The next five top passwords on the list are simply numerical strings.

SplashData, provider of password management applications TeamsID, Gpass and SplashID, releases its annual list in an effort to encourage the adoption of stronger passwords.

“Our hope by publishing this list each year is to convince people to take steps to protect themselves online,” said Slain. “It’s a real head-scratcher that with all the risks known, and with so many highly publicized hacks such as Marriott and the National Republican Congressional Committee, that people continue putting themselves at such risk year-after-year.”

Here are SplashData’s “Worst Passwords of 2018”:

123456 (Unchanged)
password (Unchanged)
123456789 (Up 3)
12345678 (Down 1)
12345 (Unchanged)
111111 (New)
1234567 (Up 1)
sunshine (New)
qwerty (Down 5)
iloveyou (Unchanged)
princess (New)
admin (Down 1)
welcome (Down 1)
666666 (New)
abc123 (Unchanged)
football (Down 7)
123123 (Unchanged)
monkey (Down 5)
654321 (New)
!@#$%^&* (New)
charlie (New)
aa123456 (New)
donald (New)
password1 (New)
qwerty123 (New)

SplashData estimates almost 10 percent of people have used at least one of the 25 worst passwords on this year’s list, and nearly 3 percent of people have used the worst password, 123456.

According to SplashData, the over five million leaked passwords evaluated for the 2018 list were mostly held by users in North America and Western Europe. Passwords leaked from hacks of adult websites were not included in this report.

To stay safe from hackers online, SplashData recommends you use passphrases of twelve characters or more with mixed types of characters, use a different password for each of your logins and use a password manager to organize passwords, generate secure random passwords and automatically log into websites.

To help protect computer users from hackers, SplashData is offering the full list of Top 100 Worst Passwords, a free one-year subscription for individuals to its Gpass password manager and a TeamsID (password manager for enterprise workgroups) demo for businesses. Each of these free resources may be found here.

Join security leaders and practitioners across every industry and sector to gain the knowledge and capabilities you need to translate thought leadership into action. A world-class lineup of sessions and speakers will uncover the topics and tactics you need to know to stay vigilant today and as security’s landscape evolves.