3 min read

These are the 25 worst passwords you could ever choose


January 21, 2016

Promo Protect all your devices, without slowing them down.
Free 30-day trial
These are the 25 worst passwords you could ever choose

There’s no doubt about it. Human beings are typically terrible at choosing passwords.

We either choose a password that is easy to guess (the name of our pet hamster, the name of our favourite football team), or one that is easy to crack (dictionary words like “password” or “letmein”), or find ourselves dreaming up one hard-to-crack and impossible-to-guess complex password (“fTKJ5QSAw}jd’~m3X7N” or “foolery-suburb-narcosis-shorts-unbidden-widely”) but make the mistake of reusing it everywhere.

IEEE Site Exposes 100,000 Plaintext Usernames and Passwords

Humans suck at choosing passwords.

And that’s why I recommend that people invest in a password management tool, capable of generating truly random, impossible to guess passwords, and then doing the important job of remembering them for you so you don’t need to reuse them for every site you access.

All you then need to do is remember one complex, hard-to-crack master password and never have to worry about forgetting your email, eBay or Amazon password ever again.


My guess is that although the password manager solution is pretty straightforward many people are either ignorant that it exists, or think (mistakenly) that it will be too hard for them to follow. And so they go back to bad habits.

The fact that we are STILL talking about bad password practices proves that many people still aren’t getting the message, and new research released by SplashData makes clear that there are still many people using very very bad passwords indeed.

SplashData looked at more than two million passwords that have leaked through data breaches in the last year, and compiled a list of the 25 worst passwords.

And remember, it’s not just researchers who know the most commonly used passwords like the back of their hand. Malicious hackers and identity thieves know too.

So, without further ado, here are the worst passwords you could be using:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball
  11. welcome
  12. 1234567890
  13. abc123
  14. 111111
  15. 1qaz2wsx
  16. dragon
  17. master
  18. monkey
  19. letmein
  20. login
  21. princess
  22. qwertyuiop
  23. solo
  24. passw0rd
  25. starwars

If you recognize any of those passwords as one of yours – shame on you. Learn your lesson and change your password immediately. Passwords like these are effectively worthless.

You might think you’re clever choosing a password like ‘1qaz2wsx’ (take a close look at your keyboard if you want to know where that one came from) or ‘starwars’ but it’s clear that plenty of people had the same idea as you.

And don’t feel too smug if your password isn’t on this list. The fact is that hackers and password crackers have access to databases of *millions* of the most commonly used passwords – meaning that unless you have taken care creating your password, chances are that it won’t take an enormous effort to crack it.

Here are my tips for better password security:

  • Choose passwords or passphrases of a decent length. Over a dozen characters is good, but ideally make it as long as you can. Mix it up with special characters, upper and lower case, and numbers to make it trickier.
  • Never share your passwords. Ultimately you can only trust yourself to take good care of them.
  • Never have a guessable password. Someone who knows you shouldn’t have any advantage in guessing your password.
  • Never ever reuse your passwords. If one site you are a member of gets hacked, you don’t want those same credentials to be able to unlock your other online accounts.
  • For goodness sake, get a password manager. I have over 900 accounts online – it would be impossible for me to remember 900 complex, unique passwords which means I might be tempted to choose weaker passwords instead or reuse them. Password managers mean I don’t have to dilute my security.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like