The 17 worst passwords of 2017

While we were told to make some pretty big changes to personal password creation a few months ago, password management applications provider SplashData released a 100-entry list of the “Worst Passwords of 2017” this week, and a super-easy one claimed the top spot (just like in 2016): 123456.

The company estimates that around 3% of people have employed this one. Roughly 10% of people have used at least one of the 25 worst passwords on this year’s list, the company says.

This is SplashData’s seventh annual list, and researchers took a look at more than five million “leaked passwords” from largely Western European and North American users, but, the press release continues, “passwords leaked from hacks of adult websites and from the Yahoo email breach were not included in this report.”

The company cautioned that some of the entries are “NSFW,” meaning “not safe for work,” so we’ll leave those for you to check out on your own time. You should also know that according to the company, “use of any of the passwords on this list would put users at grave risk for identity theft.”


The 17 worst passwords on the list — apparently, people actually use these…

1) 123456


2) password


3) 12345678


4) qwerty


5) 12345


6) 123456789


7) letmein


8) 1234567


9) football


10) iloveyou


11.) admin


12) welcome


13) monkey


14) login


15) abc123


16) starwars


17) 123123

Other words on the list include “lakers” (#37), “blahblah” (#47), “cookie” (#68), and “thunder” (100).

Morgan Slain, CEO of SplashData, Inc. commented on the findings in a statement. “Unfortunately, while the newest episode may be a fantastic addition to the Star Wars franchise, ‘starwars’ is a dangerous password to use,” he said. “Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words.”

3 password safety tips

What can you do to keep safe instead? Keep these tips in mind…

Consider using a password manager

SplashData recommends that you “protect your assets and personal identity by using a password manager to organize passwords, generate secure random passwords, and automatically log into websites.” (Of course, this is SplashData’s business… but it’s still a good idea. And there are lots of options to chose from when it comes to password managers.)

Don’t overdo it

Bill Burr, the man responsible for much of what we know about password creation due to a guide he wrote in the early 2000s, backpedaled on his decade-plus-old advice in recent months, according to The Wall Street Journal.

The new rules call for lengthy phrases you can recall with ease — and just making new passwords when it looks like you’ve been hacked, instead of changing one with special characters every 90 days.

Don’t rely on passwords alone

AARP reports that you should “add a second door.”

“Two-factor authentication services add an extra layer of security to your most vital digital accounts,” AARP recommends. “You log in to an account using your usual password. Next, the two-factor authentication site sends your phone a six-digit code that you must enter before gaining access. For a list of websites that offer two-factor authentication, go to”

More from Ladders