For the past six years, SplashData has been publishing an annual report that highlights the year’s worst passwords. For its sixth annual report, the company analyzed more than 5 million passwords that were leaked online throughout 2016 and uncovered that… people still haven’t learned to pick a strong password.

The top 2 worst passwords for 2016 are "123456" and "password". The top 2 worst passwords for 2015 were "123456" and "password". The top 2 worst passwords for 2014 were "123456" and "password". The same goes for 2013, 2012, and 2011. For the past six years, the top 2 entries have always been "123456" and "password".

And that’s not all. There other things to be concerned about.

Passwords should be made up of numbers, letters (both uppercase and lowercase), and special characters. Yet 5 out of the top 10 passwords on SplashData’s 2016 Worst Passwords report are comprised of numbers only. And 12 out of the top 25 passwords are simple words, like "princess", "master" or "sunshine".

You should never, ever use "password" as you password. Since we’ve already established that people do that, the other worrying thing is that people think variations like "passw0rd" or "password1" will make a difference. "Making minor modifications to an easily guessable password does not make it secure, and hackers will take advantage of these tendencies,” says SplashData CEO Morgan Slain.

Speaking about easily guessable passwords, the report includes passwords like "admin", "qwerty", "121212" or "zaq1zaq1".

SplashData’s Top 25 Worst Passwords of 2016 (infographic)



Via TeamsID.

"Our hope is that by researching and putting out this list each year, people will realize how risky it is to use these common logins, and they will take steps to strengthen their passwords and use different passwords for different websites," explained Morgan Slain, CEO of SplashData, Inc.

Picking a lousy password is just one of several things you do to make a cybercriminal's life easier.