‘123456’ is still the most common password people use, followed by ‘password’

Mark Coppock


You know, this whole “computer” thing isn’t particularly new. We’ve been using the things for a few decades now, and it’s not like examples of data security breaches haven’t been in the headlines for–well, forever, pretty much. So you’d think that people would have learned to create strong passwords by now, with at least a tiny bit of common sense. According to a study by SplashData, however, people are still using the most ludicrous passwords to protect what’s likely vital personal and professional data.

SplashData evaluates the passwords that are leaked in various data breaches (likely because of terrible passwords) and ranks the most common examples. Note that SplashData lists the most common passwords, period, not just the most common insecure passwords. The data isn’t comprehensive, but they do look at more than 2 million leaked passwords, and so the sample is likely relevant.

Here are the top 10:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball

Yes, that’s right: runs of the first nine or fewer digits make up six of the top 10 most popular passwords explicitly chosen by actual people to secure their systems. Seeing “password” at a strong number two for the second straight year (and 123456 at number one for the second year as well) is particularly disconcerting.

People, creating a strong password isn’t difficult. You don’t need to understand the science of password cracking to understand that “123456” and “football” and “baseball” aren’t good passwords. Numerous theories exist on what makes for a strong password, and SplashData provides some tips:

– Use passwords or passphrases of twelve characters or more with mixed types of characters
– Avoid using the same password over and over again on different websites
– Use a password manager such as TeamsID to organize and protect passwords, generate random passwords, and automatically log into websites

Yes, that last bit is a tad self-serving, seeing as how SplashData makes TeamsID and other password management applications. But that doesn’t mean they’re wrong: use some system to record and lock down a discrete list of secure passwords and keep that system itself protected. The first two are excellent ideas, particularly mixing of alphanumeric and special characters in long combinations–make it as hard as possible for the crackers to break them.
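As an added example (not code from SplashData or the original article), the Python below checks a candidate password against the top-10 list above and the first tip, and generates a random one the way a password manager would. The three-of-four character-type threshold, the function names, and the sample candidates are assumptions made for illustration.

```python
import secrets
import string

# Top 10 from the SplashData list quoted in this article.
COMMON = {"123456", "password", "12345678", "qwerty", "12345",
          "123456789", "football", "1234", "1234567", "baseball"}
MIN_LENGTH = 12   # "twelve characters or more"
MIN_CLASSES = 3   # assumption: "mixed types" read as at least 3 of 4 classes


def char_classes(pw):
    """Count how many of lower/upper/digit/other character types appear."""
    return sum([any(c.islower() for c in pw),
                any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw),
                any(not c.isalnum() for c in pw)])


def is_digit_run(pw):
    """True for ascending runs such as 1234 or 123456789 (six of the top 10)."""
    return len(pw) >= 3 and pw in "01234567890"


def problems(pw):
    """Return the reasons a candidate password fails the checks above."""
    found = []
    if pw.lower() in COMMON:
        found.append("on the most-common list")
    if is_digit_run(pw):
        found.append("sequential digits")
    if len(pw) < MIN_LENGTH:
        found.append("shorter than 12 characters")
    if char_classes(pw) < MIN_CLASSES:
        found.append("too few character types")
    return found


def generate(length=16):
    """Random password from the OS CSPRNG, redrawn until problems() is empty."""
    length = max(length, MIN_LENGTH)
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not problems(pw):
            return pw


if __name__ == "__main__":
    # Constructed sample candidates, not taken from any breach data.
    for candidate in ("123456", "Football", "Tr1cky-Passphrase-42"):
        print(repr(candidate), problems(candidate) or "ok")
    print("generated:", generate())
```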

We’re sure that WinBeta readers are savvy enough to understand that strong passwords are a necessity. It’s not a bad thing, however, to be occasionally reminded. And since laughter is the best medicine, as they say, it’s also not a bad thing to be reminded of just how silly people can be.