The worst passwords of 2019 are as bad as you expect

midian182

TechSpot Editor
Staff member

In its ninth annual Worst Passwords List, password management firm SplashData looked at more than 5 million passwords that were leaked online. It ranked the worst of these and showed their position compared to last year.

Following the top two terrible passwords, ‘qwerty’ has jumped six places to number three. It’s chased by the ever-popular ‘password’—the first time it’s been lower than number two—with more sequential number sequences taking up the next three slots. You can see the full list at the bottom of the page.

Some new entries in the top 25 include ‘qwertyuiop’ ‘lovely’ and, perhaps due to Game of Thrones’ popularity, ‘dragon’. There’s also ‘1q2w3e4r’, which, of course, isn’t random at all and easy to guess.

Elsewhere, ‘donald’ has now fallen out of the top 25, while ‘biteme’ manages to stay in the top 50.

“Our hope by publishing this list each year is to convince people to take steps to protect themselves online, and we think these and other efforts are finally starting to pay off,” SplashData CEO Morgan Slain said in a statement. “We can tell that over the years people have begun moving toward more complex passwords, though they are still not going far enough as hackers can figure out simple alphanumeric patterns.”

As we continue to see massive data hacks and login details leaked online, it’s bewildering that so many people still use comically bad passwords. The best solution? Use a password manager, which, as well as generating random strings, ensures the same credentials aren’t reused across multiple websites.

Here's the full list of worst passwords:

  1. 123456
  2. 123456789 (↑ 1)
  3. qwerty (↑ 6)
  4. password (↓ 2)
  5. 1234567 (↑ 2)
  6. 12345678 (↓ 2)
  7. 12345 (↓ 2)
  8. iloveyou (↑ 2)
  9. 111111 (↓ 3)
  10. 123123 (↑ 7)
  11. abc123 (↑ 4)
  12. qwerty123 (↑ 13)
  13. 1q2w3e4r
  14. admin (↓ 2)
  15. qwertyuiop
  16. 654321 (↑ 3)
  17. 555555
  18. lovely
  19. 7777777
  20. welcome (↓ 7)
  21. 888888
  22. princess (↓ 11)
  23. dragon
  24. password1
  25. 123qwe
  26. 666666
  27. 1qaz2wsx
  28. 333333
  29. michael
  30. sunshine
  31. liverpool
  32. 777777
  33. 1q2w3e4r5t
  34. donald
  35. freedom
  36. football
  37. charlie
  38. letmein
  39. !@#$%^&*
  40. secret
  41. aa123456
  42. 987654321
  43. zxcvbnm
  44. passw0rd
  45. bailey
  46. nothing
  47. shadow
  48. 121212
  49. biteme
  50. ginger

Permalink to story.

 

Squid Surprise

TS Evangelist
Still think password managers are flawed... better to use long sentences - "ILikeToEat56RedBananas" or some such... and have a different one for each website.... becomes a pain, but theme the sentences to each site and perhaps you won't forget them...

"ILoveTyping73LongTrollLikeSentences" could be a good PW for Techspot :)
 

stewi0001

TS Evangelist
TechSpot Elite
Still think password managers are flawed... better to use long sentences - "ILikeToEat56RedBananas" or some such... and have a different one for each website.... becomes a pain, but theme the sentences to each site and perhaps you won't forget them...

"ILoveTyping73LongTrollLikeSentences" could be a good PW for Techspot :)
I have been trying to make long password sentences as well. Most of the time I try to make myself laugh.
 

rrwards

TS Addict
Still think password managers are flawed... better to use long sentences - "ILikeToEat56RedBananas" or some such... and have a different one for each website.... becomes a pain, but theme the sentences to each site and perhaps you won't forget them...

"ILoveTyping73LongTrollLikeSentences" could be a good PW for Techspot :)
I agree that sentences are better but when you currently have most people using the same password for most sites, it's easier to just have them switch to a password manager. Still only have to remember one password (ideally a long funny sentence) and then the application does the rest. I usually set it up for family members with a default length of at least 20 characters. Sure, it's not as good as sentences, but 20 random characters for each password is better than them using the same 8 character word for every site.
 

ShagnWagn

TS Evangelist
With manufacturers defaulting them to "password" and "admin", I am really surprised those are not always in the top spots. I wonder if perhaps they are talking about the passwords users have chosen? By leaving default I would say they are choosing to keep it the default. Hmm.
 
  • Like
Reactions: Gezzer

bexwhitt

TS Evangelist
Still think password managers are flawed... better to use long sentences - "ILikeToEat56RedBananas" or some such... and have a different one for each website.... becomes a pain, but theme the sentences to each site and perhaps you won't forget them...

"ILoveTyping73LongTrollLikeSentences" could be a good PW for Techspot :)
I have a nonsensical phrase for my master password and let lasspass come up with the rest. Using the same long password for everything is not necessarily bad as long as the websites use proper login protocols but you bet some save passwords instead of an mathematical hash.
 

CharmsD

TS Enthusiast
TechSpot Elite
I have a nonsensical phrase for my master password and let lasspass come up with the rest. Using the same long password for everything is not necessarily bad as long as the websites use proper login protocols but you bet some save passwords instead of an mathematical hash.
I thought the same long password was a good one, until you posted it. :)
 

tipstir

TS Ambassador
51. WiFi
52. SONY
53. LifeIsGood
54. HONDA
55. GMarkofExcellence
56. PoppysChicken
57. Whirlpool
58. MyLastName
59. MyFirstName
60. MyDOA
 

Phyrino

TS Rookie
I work at a IT company. We have to change passwords every third month. Yea, really safe.

I can see many of my former passwords on this list.
 

docbill

TS Rookie
This is great. I need to change my password once a week, and this gives me a list to use for the year!
 

docbill

TS Rookie
Actually I must confess I did use one of these passwords once. My son started using a computer when he was 3, and I needed a password for him he could remember.
 

HyperPete

TS Enthusiast
Still think password managers are flawed... better to use long sentences - "ILikeToEat56RedBananas" or some such... and have a different one for each website.... becomes a pain, but theme the sentences to each site and perhaps you won't forget them...

"ILoveTyping73LongTrollLikeSentences" could be a good PW for Techspot :)
Why do you believe password managers are "flawed"? Why is your short sentence better than this randomly generated password, for example?

gMMaZgr9Ni@9j%Bjnc0FmXlOGI6Luf$EEGjSgGYN!$Tws^h4VI7CcW6@s$GZ144xETV7l^L#Ly!a4F3cd7omQU0$ZI$hYc3*Z#k

In my opinion, the BIGGEST flaw is the way in which websites limit passwords. PayPal uses a maximum of 16 characters which totally SUCKS, in my opinion. I use a 99 character randomly generated password something like the one I posted above for websites (such as Google) that permit it.

So long as I use a strong password for the master password for my password manager and change it regularly, I believe that I am much safer than you are. Furthermore, my password manager allows me to run a test against all of my stored passwords and search for possible online breaches, weak passwords, duplicate passwords, and even old passwords . I .am then provided a detailed review which allows me (prompts me) to correct any potential shortcomings or flaws

I retired from a position in Network Security, CyberSecurity, and Identity Access Management. I always use safe practices. My password manager's evaluation places me in the 94th percentile of all users and the top 1% in security for the 470 sites I have secured within the manager. Let me see you do this just memorizing sentences for every single website you access.

I would be unable to achieve this without a password manager.
 

Squid Surprise

TS Evangelist
Why do you believe password managers are "flawed"? Why is your short sentence better than this randomly generated password, for example?

gMMaZgr9Ni@9j%Bjnc0FmXlOGI6Luf$EEGjSgGYN!$Tws^h4VI7CcW6@s$GZ144xETV7l^L#Ly!a4F3cd7omQU0$ZI$hYc3*Z#k

In my opinion, the BIGGEST flaw is the way in which websites limit passwords. PayPal uses a maximum of 16 characters which totally SUCKS, in my opinion. I use a 99 character randomly generated password something like the one I posted above for websites (such as Google) that permit it.

So long as I use a strong password for the master password for my password manager and change it regularly, I believe that I am much safer than you are. Furthermore, my password manager allows me to run a test against all of my stored passwords and search for possible online breaches, weak passwords, duplicate passwords, and even old passwords . I .am then provided a detailed review which allows me (prompts me) to correct any potential shortcomings or flaws

I retired from a position in Network Security, CyberSecurity, and Identity Access Management. I always use safe practices. My password manager's evaluation places me in the 94th percentile of all users and the top 1% in security for the 470 sites I have secured within the manager. Let me see you do this just memorizing sentences for every single website you access.

I would be unable to achieve this without a password manager.
The “flaw” is that now all my passwords are in the hands of a 3rd party... if they go out of business, get hacked, etc., not only have I lost the password to one website, I’ve lost the password to ALL of my websites!
 

HyperPete

TS Enthusiast
Depending upon the service that you use, your passwords are encrypted / hashed. You can also export your details if you want a physical backup.

Everything is going out on the cloud now. You can either come along for the ride, or get lost in the past. Your entire life is in the cloud. Tax information, employment information. Do you use any Google services? Amazon? Any other online services? If so, you already have more information floating around that you know. Your credit record is online with no less than three major services. If you have and use credit cards, your information is being bought and sold almost every day. Are you storing passwords in your browser? If so, you have unencrypted / plain text password information sitting in software that is exposed daily. Don't believe me? Go into your settings and look for yourself.

Download and review and your data from online services as often as possible. Clear it whenever you can. Opt out as often as possible. In my opinion, you fear the wrong thing.

Don't be naive. Instead, be proactive, and protect yourself however you can.

Want to be completely safe? Crawl under a rock and do not interact with society.

If you fear Password Manager services, download and use Keepass. Store it on a thumb drive, and keep another as a spare. Update them both each time there is a change. Encrypt it, and lock it in a safe.
 

Squid Surprise

TS Evangelist
Depending upon the service that you use, your passwords are encrypted / hashed. You can also export your details if you want a physical backup.

Everything is going out on the cloud now. You can either come along for the ride, or get lost in the past. Your entire life is in the cloud. Tax information, employment information. Do you use any Google services? Amazon? Any other online services? If so, you already have more information floating around that you know. Your credit record is online with no less than three major services. If you have and use credit cards, your information is being bought and sold almost every day. Are you storing passwords in your browser? If so, you have unencrypted / plain text password information sitting in software that is exposed daily. Don't believe me? Go into your settings and look for yourself.

Download and review and your data from online services as often as possible. Clear it whenever you can. Opt out as often as possible. In my opinion, you fear the wrong thing.

Don't be naive. Instead, be proactive, and protect yourself however you can.

Want to be completely safe? Crawl under a rock and do not interact with society.

If you fear Password Manager services, download and use Keepass. Store it on a thumb drive, and keep another as a spare. Update them both each time there is a change. Encrypt it, and lock it in a safe.
Encryption can be broken.... and thanks for mansplaining the cloud - yes I understand that’s how things are going... I have nothing against the cloud (after all, we’re talking about INTERNET passwords here!), but think of it more like investing...

Do you put all your money into one stock? Even if the stock seems like a “sure thing”?

If you’re smart... you diversify... one day, one of those password management programs will get hacked - it’s inevitable - and there are going to be some very unhappy people....
 

HyperPete

TS Enthusiast
Well, the way *I* see it is that my password management program (which I pay for) employs people to ensure that my data is safe. In fact, that is the only focus of the software. Security is not an afterthought, like the Windows Operating System, or your web browser.

I will take my chances, the same way we both take our chances with banks, credit cards, etc. I personally believe that I am far safer using extremely strong and random passwords that are different for every single site that you probably are using sentences that use words which are more susceptible to password-cracking protocols. I made my living in Network Security. I believe that my choices are rooted in reality and experience. We all make choices every day. In the end, we live with those choices.

Regardless of what you or I choose to do, we are both far safer than the general public, which is what this article is all about.

Cheers!
 

HyperPete

TS Enthusiast
By the way, no, I do not put all of my money into one investment, but I *do* have and utilize a financial manager. And, I have just retired. Comfortably. 😁 😉 😎