Most popular passwords of 2016 are desperately weak yet again, study finds

Your support helps us to tell the story

Support Now

Find out moreClose

As your White House correspondent, I ask the tough questions and seek the answers that matter.

Your support enables me to be in the room, pressing for transparency and accountability. Without your contributions, we wouldn't have the resources to challenge those in power.

Your donation makes it possible for us to keep doing this important work, keeping you informed every step of the way to the November election

Andrew Feinberg

White House Correspondent

The most popular passwords of 2016 have been revealed and, as ever, the list shows just how lax millions of internet users’ approach to online security still is.

As was the case last year and the year before, ‘123456’ tops the list, with password manager Keeper Security reporting that it was used by 17% of the 10 million passwords – which became public through data breaches that happened in 2016 – it analysed for the study.

Meanwhile, the shamefully familiar ‘123456789’ and ‘qwerty’ took the silver and bronze medal positions, with ‘12345678’ and ‘111111’ rounding out the top five.

Despite repeated warnings from the wider technology industry about the importance of online security, almost all of the 25 entries on the list are easily guessable.

The only real surprises are ‘18atcskd2w’, ‘1q2w3e4r’, ‘1q2w3e4r5t’ and ‘1q2w3e’, which at first glance look like excellent passwords. However, it appears that they only feature on the list because of bots.

As security expert Graham Cluley explained last year while explaining the then baffling rise in popularity of ’18atcskd2w’, “What I believe happened is that these accounts were created by bots, perhaps with the intention of posting spam onto the forums.

“All in all, it’s easier for a spammer who is creating tens of thousands of accounts to use the same password over and over again – especially if the site doesn’t appear to notice anything suspicious is going on.”

Using a mix of numbers and uppercase and lowercase letters is an easy way to make your password tougher to crack, as is the method of using the first letters from the words in a memorable phrase. Alternatively, password managers can create stronger passwords for you.

Though it’s clear that a huge number of users are simply ignoring basic security advice, Keeper Security believes that a bigger share of the responsibility lies with the sites that allow the practice to continue.

“We can criticize all we want about the chronic failure of users to employ strong passwords,” it said. “After all, it’s in the user’s best interests to do so. But the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies.

“It isn’t hard to do, but the list makes it clear that many still don’t bother.”

The full list of passwords is as follows: