‘123456’ Is 2018’s Worst Password, Study Says. But This Year, ‘donald’ Joined the List

“Donald” has joined a new list. Not of world leaders, but of “worst passwords.” The password-management firm SplashData released its annual list of the 100 worst character combinations it found among leaks of about five million passwords.

“Donald” entered the list at position 23. You’ll also find “qwerty” (#9), password (#2), and baseball (#32). The worst of the worst passwords? “123456,” which has been sitting on top of the worst password chart for five years running.

Bad passwords are short, easily guessed, often contain words or common abbreviations, and are used by many other people. If one of yours is on the list, the right time to change it is right now.

What’s a strong password? It’s uniquely created for each site, it’s relatively long, and it’s not a common phrase or sequence. Many experts now recommend a password made up of a few words that are picked at random, a technique popularized by Diceware. While this may seem counter-intuive—couldn’t automated software just try all those words?—the large number of combinations and the length of the password in total makes it as hard to break as a shorter, impossible-to-type or remember sequence.

Password-management software can generate strong passwords according to any desired recipe, and it’s one reason SplashData promotes its list. Competitors abound, including built-in support across Apple’s and Google’s hardware, software, and browsers—iOS, Safari, and iCloud for Apple and Android, Chrome, and other apps for Google—as well as 1Password, Dashlane, and LastPass.

With over 5.6 billion accounts leaked over the last several years, according to the password-breach notification site Have I Been Pwned, researchers have been able to take a good look at the problem.

Security experts recommend that Web sites not allow users to create easily cracked password, but some sites prefer not to deter account creation by requiring something strong.

However, other sites have complex password-formulating requirements—like a mix of upper and lower case, one number, and one symbol—that can lead people to pick “Password1!”, which is only slight harder for intruders to decipher as “password”.

In many databases, about 50% of users rely on one of a handful of passwords. Hackers can crack those simple password and easily gain access to log into millions or tens of millions of accounts. With many users sharing the same, weak password across multiple services, that single breach can jeopardize their accounts at many different sites and services.