Top 25 Most Insecure Passwords Used In 2017

SplashData has published their annual list of the worst passwords of the year, and one thing is very clear: we never learn. Also, there are a lot Star Wars fans out there.


The list is created using data from more than five million passwords that were leaked by hackers in 2017. As mentioned by SplashData, the past two years have been particularly difficult for data security, with a number of well-publicized hacks (including Equifax, Dropbox, and the SEC), attacks, ransoms, and even extortion attempts.

And still, people continue to use easy-to-guess passwords to protect their information. For example, “123456” and “password” have again stayed in the top two spots on the list, for the fourth consecutive year. Variations of these two “worst passwords” also make up six of the remaining passwords on the list.

The Most Used, and Therefore Insecure Passwords

SplashData estimates almost 10% of people have used at least one of the 25 worst passwords on this year’s list, and nearly 3% of people have used the worst, being 123456. There are some newcomers however, including “starwars,” “freedom,” “monkey”, “letmein,” and “hello.”

“Unfortunately, while the newest episode may be a fantastic addition to the Star Wars franchise, ‘starwars’ is a dangerous password to use,” said SplashData CEO Morgan Slain. “Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words.”

Slain continues to say that “hackers know your tricks, and merely tweaking an easily guessable password does not make it secure”.

How to Improve Password Security

One step enterprises are taking to prevent the use of these passwords, in hopes of securing their users data, is increasing password security. But this can end up being inconvenient and cause more problems than it solves. Users are expected to remember:

  • Multiple Passwords
  • That must be at least 12 characters long
  • Contain at least one uppercase letter
  • As well as include a special character.

Many users just end up reusing the same password on multiple accounts. This not only compromises the users security, but it can also spread the vulnerability to other companies as well. So the question that remains, is how can businesses better protect their users information?

One solution that could greatly improve password security, is adapting a Customer Identity and Access Management (cIAM) solution. An Identity Platform could help companies implement complex hashing algorithms that would protect passwords in cases of interception in transit, and prevent exposure to their data. With the increase in frequency and complexity of attacks, companies could also utilize additional features like two-factor authentication, risk-based authentication, and passwordless login.

By implementing these features, companies would be able to add the additional security to customer accounts, and protect them from password breaches and account compromises. They would also be able to improve flexibility and productivity by reducing security breaches, which would result in considerable time saving for support and development teams.

The Most Insecure Passwords of 2017

SplashData also provides similar advice year-after-year for users and companies to better secure their data. But unfortunately we will have to wait and see if 2018 will result in less hacks and breaches. For now, however, here is SpashData’s 2016 and 2017’s list of the top 25 most common, and therefore worst passwords:

SplashData’s top 25 worst passwords in 2017 SplashData’s top 25 worst passwords in 2016
1)   123456 123456
2)   password password
3)   12345678 12345
4)   qwerty 12345678
5)   12345 football
6)   123456789 qwerty
7)   letmein 1234567890
8)   1234567 1234567
9)   football princess
10)   iloveyou 1234
11)   admin login
12)   welcome welcome
13)   monkey solo
14)   login abc123
15)   abc123 admin
16)   starwars 121212
17)   123123 flower
18)   dragon passw0rd
19)   passw0rd dragon
20)   master sunshine
21)   hello master
22)   freedom hottie
23)   whatever loveme
24)   qazwsx zaq1zaq1
25)   trustno1 password1

To read all 100 of the most insecure passwords used in 2017, view SplashData’s complete list. To learn more about how LoginRadius can help your company implement a Customer Identity solution, and improve password security, request a demo.

Emily Genge

About 

Emily is a Marketing Intern at LoginRadius, a leading Customer Identity Management platform. She is a recent graduate from the University of Waterloo, where she studied Rhetoric, Media, and Professional Communication.

New Call-to-action