
For the 5th year in a row, "123456" is the most used password, with "password" coming in at second place. Even in the wake of a constant stream of data breach, hack, and ransomware attack reports, people continue to use weak passwords that put not only their own information in jeopardy, but also their organization's data.
In SplashData's 8th annual worst passwords list, the password management company analyzed more than 5 million leaked passwords to come up with their list of most used passwords. According to their report, the top 10 most used passwords are:
- 123456
- password
- 123456789
- 12345678
- 12345
- 111111
- 1234567
- sunshine
- qwerty
- iloveyou
"Bad habits die hard, according to SplashData’s eighth annual list of Worst Passwords of the Year," stated SplashData's press release. "After evaluating more than 5 million passwords leaked on the Internet, the company found that computer users continue using the same predictable, easily guessable passwords. Using these passwords will put anyone at substantial risk of being hacked and having their identities stolen."
Password management company Dashlane also released a report this week that focuses on the biggest password mistakes of the year. Topping the list is Kanye West, who in full view of television cameras entered the password "000000" into his cell phone to unlock it.
The full list of Dashlane's "Worst Password Offenders" is below.
- Kanye West: West tops the list of offenders by entering in a password of "000000" to unlock his mobile phone while meeting with President Trump in a room full of television cameras.
- The Pentagon: In a Government Accountability Office (GAO) report, it was found that "credentials management being so poor that one team was able to guess the admin password of a system in nine seconds. The most likely reason for this was that the administrators did not change the default passwords in the software installed on the weapon system."
- Cryptocurrency owners: As the value of cryptocurrencies boomed, users discovered that they no longer remembered the passwords to access their wallets. Some owners who wanted to sell went as far as hiring hypnotists to help remember their passwords.
- Nutella: Nutella posted a bizarre tweet advising their followers to use "Nutella" as their password. Nuff said on this one.
- U.K. Law Firms: Over one million corporate email and password combinations from 500 of the UK's top law firms were discovered on the dark web.
- Texas: Texas left the voter records of over 14 million residents exposed on a server without a password.
- White House Staff: A DC staffer wrote his email login and password on official White House stationery and then left it at a Washington, D.C. bus stop. Oops.
- Google: An engineering student from India was able to access a TV broadcast satellite after logging into Google admin pages using a blank username and password.
- United Nations: U.N. staff were using Trello, Jira, and Google Docs to collaborate on projects, but forgot to secure them with a password! This allowed anyone to access the docs that contained confidential information, communications, and plaintext passwords.
- University of Cambridge: The university added a plaintext password to a GitHub project that allowed anyone to access the data of millions of Facebook users being studied by the university’s researchers.
As always, users should create strong and unique passwords at every site they visit. These passwords should contain at least 8 characters, upper and lower case letters, numbers, and symbols such as %$#!. To aid them in remembering unique passwords at each site, they can use a password management utility to store the passwords.
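The recommendation above can be enforced when a password is set. The following is an added example, not code from the article, SplashData, or Dashlane: it applies the article's composition rules and rejects the listed passwords, including ones that only pass the rules because characters were tacked on. The function names and the "strip digits and symbols" normalisation are assumptions made for illustration.

```python
import string

# Top 10 from the SplashData list quoted in the article, plus two passwords
# named in the Dashlane items ("000000", "Nutella").
DENYLIST = {
    "123456", "password", "123456789", "12345678", "12345",
    "111111", "1234567", "sunshine", "qwerty", "iloveyou",
    "000000", "nutella",
}

MIN_LENGTH = 8  # minimum length recommended in the article


def base_word(password: str) -> str:
    """Lower-case and strip leading/trailing digits and symbols (assumed
    normalisation, so 'Sunshine1!' reduces to 'sunshine')."""
    return password.lower().strip(string.digits + string.punctuation)


def check_password(password: str) -> list[str]:
    """Return the reasons a password is rejected (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if password.lower() in DENYLIST:
        problems.append("on the most-used list")
    elif base_word(password) in DENYLIST:
        # Meets the composition rules only because characters were appended.
        problems.append("most-used password with characters added")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates.
    for candidate in ["123456", "Sunshine1!", "qwerty", "T9#vLm2$wQx8"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

"Sunshine1!" satisfies every composition rule yet is still rejected, which is why a denylist check belongs alongside the length and character-class checks.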
Comments
buddy215 - 4 years ago
No one has guessed my 6543210 password. :) I've kept it a secret.
JohnC_21 - 4 years ago
I have to think a lot of these passwords are for junk email accounts people set up to avoid spam. Look how many BC members have a birthday of 01.01
NickAu - 4 years ago
My password is " incorrect "
This way if I forget my password and enter the wrong one my machine reminds me " your password is incorrect "
kenhall5551 - 4 years ago
More proof: you can't fix stupid.
Captain_Chicken - 3 years ago
Bleeping computer is cool, when you type your password in the comment box it automatically censors it:
*********
This is a joke please don't do this
Lawrence Abrams - 3 years ago
Just part of our l33t security :)
JEfromCanada - 3 years ago
Just wondering.... if @Captain_Chicken is correct that BC automatically censors passwords, does this mean that BC is calculating hashes for every word entered into the comments (to detect passwords), or is the clear-text password being stored in memory after a user logs in?
Or was the "This is a joke" comment meant to say that you don't actually censor passwords?
Lawrence Abrams - 3 years ago
It was a joke :)
Our password field is set as a password type, so it hides your password as you type it.