The worst passwords of 2019 are as bad as you expect

[midian182]

Facepalm: It’s that time of year again when we look back at the year’s worst passwords and realize why so many internet users get hacked. For the sixth year in a row, the top spot is taken by the inspirational ‘123456’ while ‘123456789’ is at number two.

In its ninth annual Worst Passwords List, password management firm SplashData looked at more than 5 million passwords that were leaked online. It ranked the worst of these and showed their position compared to last year.

Following the top two terrible passwords, ‘qwerty’ has jumped six places to number three. It’s chased by the ever-popular ‘password’—the first time it’s been lower than number two—with more sequential number sequences taking up the next three slots. You can see the full list at the bottom of the page.

Some new entries in the top 25 include ‘qwertyuiop’ ‘lovely’ and, perhaps due to Game of Thrones’ popularity, ‘dragon’. There’s also ‘1q2w3e4r’, which, of course, isn’t random at all and easy to guess.

Elsewhere, ‘donald’ has now fallen out of the top 25, while ‘biteme’ manages to stay in the top 50.

“Our hope by publishing this list each year is to convince people to take steps to protect themselves online, and we think these and other efforts are finally starting to pay off,” SplashData CEO Morgan Slain said in a statement. “We can tell that over the years people have begun moving toward more complex passwords, though they are still not going far enough as hackers can figure out simple alphanumeric patterns.”

As we continue to see massive data hacks and login details leaked online, it’s bewildering that so many people still use comically bad passwords. The best solution? Use a password manager, which, as well as generating random strings, ensures the same credentials aren’t reused across multiple websites.

Here's the full list of worst passwords:

1. 123456
2. 123456789 (↑ 1)
3. qwerty (↑ 6)
4. password (↓ 2)
5. 1234567 (↑ 2)
6. 12345678 (↓ 2)
7. 12345 (↓ 2)
8. iloveyou (↑ 2)
9. 111111 (↓ 3)
10. 123123 (↑ 7)
11. abc123 (↑ 4)
12. qwerty123 (↑ 13)
13. 1q2w3e4r
14. admin (↓ 2)
15. qwertyuiop
16. 654321 (↑ 3)
17. 555555
18. lovely
19. 7777777
20. welcome (↓ 7)
21. 888888
22. princess (↓ 11)
23. dragon
24. password1
25. 123qwe
26. 666666
27. 1qaz2wsx
28. 333333
29. michael
30. sunshine
31. liverpool
32. 777777
33. 1q2w3e4r5t
34. donald
35. freedom
36. football
37. charlie
38. letmein
39. !@#$%^&*
40. secret
41. aa123456
42. 987654321
43. zxcvbnm
44. passw0rd
45. bailey
46. nothing
47. shadow
48. 121212
49. biteme
50. ginger

Permalink to story.

https://www.techspot.com/news/83279-worst-passwords-year-bad-youd-expect.html

 

[Squid Surprise]

Still think password managers are flawed... better to use long sentences - "ILikeToEat56RedBananas" or some such... and have a different one for each website.... becomes a pain, but theme the sentences to each site and perhaps you won't forget them...

"ILoveTyping73LongTrollLikeSentences" could be a good PW for Techspot

 

[stewi0001]

Still think password managers are flawed... better to use long sentences - "ILikeToEat56RedBananas" or some such... and have a different one for each website.... becomes a pain, but theme the sentences to each site and perhaps you won't forget them...

"ILoveTyping73LongTrollLikeSentences" could be a good PW for Techspot

I have been trying to make long password sentences as well. Most of the time I try to make myself laugh.

 

[rrwards]

Still think password managers are flawed... better to use long sentences - "ILikeToEat56RedBananas" or some such... and have a different one for each website.... becomes a pain, but theme the sentences to each site and perhaps you won't forget them...

"ILoveTyping73LongTrollLikeSentences" could be a good PW for Techspot

I agree that sentences are better but when you currently have most people using the same password for most sites, it's easier to just have them switch to a password manager. Still only have to remember one password (ideally a long funny sentence) and then the application does the rest. I usually set it up for family members with a default length of at least 20 characters. Sure, it's not as good as sentences, but 20 random characters for each password is better than them using the same 8 character word for every site.

 

[QuantumPhysics]

Gimme a Thumbs Up if your password is a GPU name!!!


2080TiOverclocked

RadeonVegaProDuo

Voodoo33500TV

 

[Nobina]

Gimme a Thumbs Up if your password is a GPU name!!!


2080TiOverclocked

RadeonVegaProDuo

Voodoo33500TV

I would be ashamed to even try and type that in, so I guess it's pretty safe.

 

[TomSEA]

Nothing more than proof that people are lazy.

 

[Vulcanproject]

I just use this, easy to remember:

 

[ShagnWagn]

With manufacturers defaulting them to "password" and "admin", I am really surprised those are not always in the top spots. I wonder if perhaps they are talking about the passwords users have chosen? By leaving default I would say they are choosing to keep it the default. Hmm.

 

[bexwhitt]

Still think password managers are flawed... better to use long sentences - "ILikeToEat56RedBananas" or some such... and have a different one for each website.... becomes a pain, but theme the sentences to each site and perhaps you won't forget them...

"ILoveTyping73LongTrollLikeSentences" could be a good PW for Techspot

I have a nonsensical phrase for my master password and let lasspass come up with the rest. Using the same long password for everything is not necessarily bad as long as the websites use proper login protocols but you bet some save passwords instead of an mathematical hash.

 

[CharmsD]

I have a nonsensical phrase for my master password and let lasspass come up with the rest. Using the same long password for everything is not necessarily bad as long as the websites use proper login protocols but you bet some save passwords instead of an mathematical hash.

I thought the same long password was a good one, until you posted it.

 

[p51d007]

I think it should be the word "incorrect"
That way, when you type the wrong password, it will say:
Your password is incorrect.

 

[CharmsD]

Heh ^

Please Click The Pixels ? With Fingers

 

[Uncle Al]

Just goes to show there are still plenty of *****'s out there!

 

[EClyde]

Truly a great article if there is nothing real to write about

 

[tipstir]

51. WiFi
52. SONY
53. LifeIsGood
54. HONDA
55. GMarkofExcellence
56. PoppysChicken
57. Whirlpool
58. MyLastName
59. MyFirstName
60. MyDOA

 

[Phyrino]

I work at a IT company. We have to change passwords every third month. Yea, really safe.

I can see many of my former passwords on this list.

 

[docbill]

This is great. I need to change my password once a week, and this gives me a list to use for the year!

 

[docbill]

Actually I must confess I did use one of these passwords once. My son started using a computer when he was 3, and I needed a password for him he could remember.

 

[HyperPete]

Still think password managers are flawed... better to use long sentences - "ILikeToEat56RedBananas" or some such... and have a different one for each website.... becomes a pain, but theme the sentences to each site and perhaps you won't forget them...

"ILoveTyping73LongTrollLikeSentences" could be a good PW for Techspot

Why do you believe password managers are "flawed"? Why is your short sentence better than this randomly generated password, for example?

gMMaZgr9Ni@9j%Bjnc0FmXlOGI6Luf$EEGjSgGYN!$Tws^h4VI7CcW6@s$GZ144xETV7l^L#Ly!a4F3cd7omQU0$ZI$hYc3*Z#k

In my opinion, the BIGGEST flaw is the way in which websites limit passwords. PayPal uses a maximum of 16 characters which totally SUCKS, in my opinion. I use a 99 character randomly generated password something like the one I posted above for websites (such as Google) that permit it.

So long as I use a strong password for the master password for my password manager and change it regularly, I believe that I am much safer than you are. Furthermore, my password manager allows me to run a test against all of my stored passwords and search for possible online breaches, weak passwords, duplicate passwords, and even old passwords . I .am then provided a detailed review which allows me (prompts me) to correct any potential shortcomings or flaws

I retired from a position in Network Security, CyberSecurity, and Identity Access Management. I always use safe practices. My password manager's evaluation places me in the 94th percentile of all users and the top 1% in security for the 470 sites I have secured within the manager. Let me see you do this just memorizing sentences for every single website you access.

I would be unable to achieve this without a password manager.

 

[Squid Surprise]

Why do you believe password managers are "flawed"? Why is your short sentence better than this randomly generated password, for example?

gMMaZgr9Ni@9j%Bjnc0FmXlOGI6Luf$EEGjSgGYN!$Tws^h4VI7CcW6@s$GZ144xETV7l^L#Ly!a4F3cd7omQU0$ZI$hYc3*Z#k

In my opinion, the BIGGEST flaw is the way in which websites limit passwords. PayPal uses a maximum of 16 characters which totally SUCKS, in my opinion. I use a 99 character randomly generated password something like the one I posted above for websites (such as Google) that permit it.

So long as I use a strong password for the master password for my password manager and change it regularly, I believe that I am much safer than you are. Furthermore, my password manager allows me to run a test against all of my stored passwords and search for possible online breaches, weak passwords, duplicate passwords, and even old passwords . I .am then provided a detailed review which allows me (prompts me) to correct any potential shortcomings or flaws

I retired from a position in Network Security, CyberSecurity, and Identity Access Management. I always use safe practices. My password manager's evaluation places me in the 94th percentile of all users and the top 1% in security for the 470 sites I have secured within the manager. Let me see you do this just memorizing sentences for every single website you access.

I would be unable to achieve this without a password manager.

The “flaw” is that now all my passwords are in the hands of a 3rd party... if they go out of business, get hacked, etc., not only have I lost the password to one website, I’ve lost the password to ALL of my websites!

 

[HyperPete]

Depending upon the service that you use, your passwords are encrypted / hashed. You can also export your details if you want a physical backup.

Everything is going out on the cloud now. You can either come along for the ride, or get lost in the past. Your entire life is in the cloud. Tax information, employment information. Do you use any Google services? Amazon? Any other online services? If so, you already have more information floating around that you know. Your credit record is online with no less than three major services. If you have and use credit cards, your information is being bought and sold almost every day. Are you storing passwords in your browser? If so, you have unencrypted / plain text password information sitting in software that is exposed daily. Don't believe me? Go into your settings and look for yourself.

Download and review and your data from online services as often as possible. Clear it whenever you can. Opt out as often as possible. In my opinion, you fear the wrong thing.

Don't be naive. Instead, be proactive, and protect yourself however you can.

Want to be completely safe? Crawl under a rock and do not interact with society.

If you fear Password Manager services, download and use Keepass. Store it on a thumb drive, and keep another as a spare. Update them both each time there is a change. Encrypt it, and lock it in a safe.

 

[Squid Surprise]

Depending upon the service that you use, your passwords are encrypted / hashed. You can also export your details if you want a physical backup.

Everything is going out on the cloud now. You can either come along for the ride, or get lost in the past. Your entire life is in the cloud. Tax information, employment information. Do you use any Google services? Amazon? Any other online services? If so, you already have more information floating around that you know. Your credit record is online with no less than three major services. If you have and use credit cards, your information is being bought and sold almost every day. Are you storing passwords in your browser? If so, you have unencrypted / plain text password information sitting in software that is exposed daily. Don't believe me? Go into your settings and look for yourself.

Download and review and your data from online services as often as possible. Clear it whenever you can. Opt out as often as possible. In my opinion, you fear the wrong thing.

Don't be naive. Instead, be proactive, and protect yourself however you can.

Want to be completely safe? Crawl under a rock and do not interact with society.

If you fear Password Manager services, download and use Keepass. Store it on a thumb drive, and keep another as a spare. Update them both each time there is a change. Encrypt it, and lock it in a safe.

Encryption can be broken.... and thanks for mansplaining the cloud - yes I understand that’s how things are going... I have nothing against the cloud (after all, we’re talking about INTERNET passwords here!), but think of it more like investing...

Do you put all your money into one stock? Even if the stock seems like a “sure thing”?

If you’re smart... you diversify... one day, one of those password management programs will get hacked - it’s inevitable - and there are going to be some very unhappy people....

 

[HyperPete]

Well, the way *I* see it is that my password management program (which I pay for) employs people to ensure that my data is safe. In fact, that is the only focus of the software. Security is not an afterthought, like the Windows Operating System, or your web browser.

I will take my chances, the same way we both take our chances with banks, credit cards, etc. I personally believe that I am far safer using extremely strong and random passwords that are different for every single site that you probably are using sentences that use words which are more susceptible to password-cracking protocols. I made my living in Network Security. I believe that my choices are rooted in reality and experience. We all make choices every day. In the end, we live with those choices.

Regardless of what you or I choose to do, we are both far safer than the general public, which is what this article is all about.

Cheers!

 

[HyperPete]

By the way, no, I do not put all of my money into one investment, but I *do* have and utilize a financial manager. And, I have just retired. Comfortably. ? ? ?