The Privacy BlogPrivacy, Security, Cryptography, and Anonymity



Do you use any of the worst passwords of 2016?

Password sticky 123456

It is time to talk about passwords again. They are like the seatbelts of the security world. There are many more exciting security tools but few are as important to keeping you safe from the risks you encounter day to day.

Splash Data recently released their list of the most common passwords from 2016 based on over five million stolen and leaked credentials.

Clearly things have improved and password requirements and gotten more stringent because the winner is no longer 1234, which has dropped to #11. It is now 123456! Second place goes to that perennial favorite “password” and we see12345 in third place.

Rather than showing how stupid people are I think this shows just how many passwords we are asked to create, keep track of, and change. I have over 1500 passwords right now. Asking humans to create, manage, and remember unguessable and unique passwords for all those sites is absurd. Humans tend to fall back on a couple of strategies. Some people have one good password that they use on all of their important websites, and a really simple one for all the other websites. Other people will create a simple pattern for generating passwords for each site like adding a word to the name of the site. The password for Facebook might be “fluffy3Facebook!” and Wells Fargo might be “fluffy3WellsFargo!”. Those would pass most tests for length, capitalization, numbers, and special characters, but if an attacker was able to discover one of them they could easily guess all the others. Random passwords are the gold standard but long random passwords are very hard to remember. Pass phrases can make long passwords memorable but it is still very hard to remember a thousand of them without resorting to a simple pattern.

My suggestion is to use a password managers (also called password vaults) like 1Password, Dashlane, or LastPass. Any of these will store all of your passwords, make them securely available across your devices, and automatically fill them in on web forms. They will also generate long random passwords for you, which you never need to bother trying to remember. For example, a typical password for me would be “kGAg2{MgHm8[cvrG7WE=“ which is very strong.

I do still need to remember one password, the one that secures the passwords in the vault. That is where the pass phrase really shines. That one memorable phrase protects all the impossible to remember unique and strong passwords. That phrase could be something like “H8 it when Fluffy poops on the rug, but love him all the time!” which is easy to remember, very hard to guess, and you only need one.

If you do just one thing for your security this year, get a good password manager and start changing all of your passwords to be strong and unique every time you go to a site.

For the curious, here is the full list of the 25 most common passwords:

  • 123456
  • password
  • 12345
  • 12345678
  • football
  • qwerty
  • 1234567890
  • 1234567
  • princess
  • 1234
  • login
  • welcome
  • solo
  • abc123
  • admin
  • 121212
  • flower
  • passw0rd
  • dragon
  • sunshine
  • master
  • hottie
  • loveme
  • zaq1zaq1
  • password1

· · ·


  • Chris Ciabarra · January 30, 2017 at 3:36 pm

    I can’t tell you how many accounts in the past I have seen get hacked because of the above weak passwords. Everyone needs to turn on two factor auth. :). Do you know of any good password safes that are safe and hosted on your phone or keychain and not some odd server on the internet:)


    • Author comment by lance · January 30, 2017 at 3:39 pm

      I like 1Password because you manage the sync file yourself and it is strongly encrypted under your master passphrase. Decryption of that file only happens locally on your devices. That is the one I use, so it is the one I am most familiar with.


    • Nicolas REMY · February 4, 2017 at 10:50 am

      Not listed by the author is Keepass, which I believe fits your requirements. There are implementations for Mac (KeePassX), Windows (KeePass), iOS (MiniKeePass) and Android (KeePassDroid). The “vault” is a file you have total control of, and is not hosted anywhere in the cloud. Therefore, obviously, it is the user’s task to transfer the file from device to device in order to achieve synchronization – for some that would be a drawback. But the great advantage is that you have total control over the file and it never sits on any random server on the Internet. I actually make sure that this file is never transferred wirelessly, and it is only synced over a USB cable. Oh, and did I mention it’s free ? Enjoy !


      • Author comment by lance · February 4, 2017 at 6:07 pm

        Thanks for the suggestion!


  • Brad · January 31, 2017 at 2:06 am

    Hello Lance. I’m Brad. It’s a nice blog you have here. I really wanted to know your Twitter channel, Facebook page or your email ID but i couldn’t find any of them. Please add means to contact you over your site. Alternatively, you can mail me at my email address 🙂


  • Vee · February 10, 2017 at 3:10 pm

    I use Lastpass for personal and Bruce Schneir’s Password Safe for business … it’s locally hosted for the reader who asked.


    • Author comment by lance · February 10, 2017 at 3:34 pm

      Thanks for the suggestions.


  • Linda · May 14, 2017 at 7:34 pm

    I think the risk of using one of these passwords is compounded by the fact that people may be looking at your screen. So much information leaks from your screen that people just have to sit next to you and glance at your screen from time to time to steal a lot of your life.

    I experienced this problem because I work in a CoWorking space and sometimes out of Cafes. In Starbucks I was looking through some pics on my laptop that I had had taken of me in a Bikini (I paid for a photoshop) and a creepy guy came up to me and said “Oh nice pics”. It really scared me to think he was basically violating me in his head and violating my screen privacy like that. Since then I have discovered a device that restricts the viewing angle of your screen to just you, protecting you from such creeps. It is called a PrivacyDevil.


  • John Mcfalls · June 9, 2017 at 11:03 am

    The most secure password needs to randomized, when it is, the dictionary type of attack is unusable as well as a brute-force attack. A password with 16 characters, lower case and upper case strings, integers, special characters (symbols) is a good example as a “virtually” invulnerable one, a sample would be “#7%$$Am&65Xv#!1#” with or without the quotes…


  • Kathleen Shattuck · August 2, 2017 at 2:05 am

    It’s so lucky to find this post that managing passwords hasn’t been so easy. I need to change my password right away.


Leave a Reply