The Internet’s 25 Worst Passwords, and Why They Aren’t as Bad as You Think


Photo illustration by Derreck Johnson. Photo by gregsawyer/iStock.

Each year, the password management firm SplashData releases a list of the 25 most popular passwords on the Internet, culled in part from publicly available lists of passwords that have been exposed in various hacks over the past 12 months. The rankings aren’t scientific, but they do provide an amusing window into the mind of the casual Internet user. If nothing else, it’s an annual opportunity to publicly lament the sad state of online security while privately congratulating yourself on not treating your personal information quite as carelessly as the next idiot. Unless your password is on the list below, in which case it’s an opportunity to go change it right now, for heaven’s sake. (What should you change it to? We have some unorthodox ideas.)

Much of the list remains pretty constant from year to year, but if you look closely it’s possible to pick out some apparent trends. In 2014, for instance, we rejoiced that password was no longer the most popular password, although what replaced it—123456—was hardly better.

That time-tested six-number sequence, which will protect your online accounts from absolutely no one, retains its top spot on this year’s list, and password is still number two. The two takeaways this year are that our bad passwords may be getting slightly longer and that we really, really like Star Wars. The full top 25 is below, courtesy of SplashData:

These passwords are bad, but at least they’re getting less common.

Illustration and data courtesy of SplashData

We’ve had some fun in the past speculating as to the thought process that went into some of these password choices. It’s hard to draw firm conclusions based on this sort of data, but this year’s list would seem to indicate that at least some people have gotten the idea that, when it comes to passwords, longer equals stronger. That isn’t necessarily the case. While passwords with more characters might be harder to crack through brute force, any password that you share in common with lots of other people is going to be vulnerable. Before you weep for humanity, though, there’s a piece of good news that’s often overlooked when these lists come out. It’s that the most popular passwords aren’t as widely used as they used to be.

Mark Burnett, a security consultant who worked with SplashData to compile the rankings, explained in Ars Technica last year that the two most popular passwords, password and 123456, accounted for less than 1 percent of all the passwords on his list, a steep drop-off from its prevalence just a few years earlier. As recently as 2011, that number had been 8 percent. His full post is well worth reading if you’re interested in how to interpret the bad-password rankings—or if you just want to be reassured that not everyone on the Internet thinks qwerty and monkey are clever ways to safeguard their accounts. 

Was your password on the list? Here are some tips to strengthen it: