Updated on December 10, 2021
Password management firm SplashData has published its annual list of the year’s worst passwords. According to Lifehacker, the passwords are based on 5 million leaked passwords, with SplashData concluding the 25 worst passwords are used by 10% of computer users.
This year’s list has several new entries, including “sunshine,” “!@#$%^&*,” and “Donald.” I’ll imagine that final addition to the list is neither a coincidence (given current events) nor a reference to Duckburg’s most famous resident.
The worst passwords of 2018
Here’s the list of the 25 worst passwords of 2018:
The passwords above are, of course, awful, and shouldn’t be used by anyone. See also the awful “Star Wars” themed passwords from 2015, and the Batman/Superman ones from 2014.
In previous years, I would’ve also suggested using a social network like Facebook or Google+ as a sign-in option for other websites. However, I don’t recommend this anymore. Google+ is getting shut down, and Facebook has multiple issues with data privacy and security.
I’d advise using a password manager to create strong passwords, as well as store them. I like LastPass, though other popular choices include 1Password and KeePass.
The NIST and some others (including webcomic xkcd) suggest using passphrases instead of passwords. Passphrases are longer than passwords, and thus offer a bit more security.
Whether passphrases or passwords, some other advice includes:
- Making passwords or passphrases sufficiently long.
- Don’t make your password or passphrase a famous quotation, religious scripture, saying, etc. So no “JusticeLeague,” “CaptainKirk,” or “hollyjollychristmas.” (Yes, I wrote this at the holidays, for anyone stumbling upon this past past December.)
- A passphrase should be easy to remember.
- Don’t reuse passwords or passphrases on more than one account. If an account has a security breach and passwords are stolen, other accounts won’t be compromised through password reuse.