Facepalm: As 2018 draws to a close, the usual deluge of ‘year in review’ features has arrived. One of these comes from password management company Dashlane, which has put together a top ten list of the “worst password offenders” over the last 12 months.

The company says the average internet user has over 200 digital accounts that require passwords and predicts that this number will double to 400 in the next five years, which can lead to using simple passwords and the same credentials across multiple sites—all the more reason to turn to password managers.

Here are Dashlane’s top ten password fails of 2018:

1. Kanye West: The rapper tops the lists after he was famously captured entering the passcode ‘000000’ into his iPhone during a meeting with Donald Trump. Bad enough he used that terrible code, but typing it in while the world watched was a particularly ill-advised move.

2. The Pentagon: One might imagine that the Department of Defense would enforce strict password hygiene, but that was far from the case. An audit team was able to guess admin passwords in just nine seconds and discovered that multiple weapons systems were protected by passwords that could be found through a Google search.

3. Cryptocurrency owners: Back when crypto was booming, there were numerous reports of owners looking to cash out who had forgotten the password to their digital wallets. Some even resorted to hypnosis to try and remember them.

4. Nutella: On World Password Day, of all days, the company encouraged its Twitter followers to change their passwords to “Nutella.” Maybe it should stick to making delicious chocolate spread.

5. UK Law firms: Researchers discovered email and password combinations from 500 of the country's top law firms on the dark web, most of which were stored in plain text.

6. Texas: Over 14 million of the state’s voter records were exposed on a server that wasn't password protected. Sensitive information including addresses and voter history was left vulnerable by the blunder.

7. White House Staff: Never write your email and password down on stationary, and don’t leave said document at a Washington D.C. bus stop, like one White House staffer did this year.

8. Google: An engineering student from Kerala, India hacked a Google page and got access to a TV broadcast satellite earlier in 2018. How did he do it? Logging in to the Google admin pages on his mobile by using a blank username and password, that's how.

9. United Nations: Allways password protect documents, especially if working for the UN. Staff forgot to do this for many Trello, Jira, and Google Docs, allowing anyone with the right link to access secret plans, international communications, and plaintext passwords.

10. University of Cambridge: A plaintext password left on GitHub allowed anyone to access the data of millions of people being studied by the university's researchers. The data was being extracted from the Facebook quiz app myPersonality and contained the personal details of Facebook users, including intimate answers to psychological tests.