The list of most-frequently used passwords has changed little over the past few years. In 2016, “123456” once again was the most popular one.

Every year in January IT security company Splashdata selects the most popular password of the past year. This procedure is usually little exciting, as “123456” has been the winner many times in a row.


And the winner is …

Which password was the most popular of 2016? First of all, this is difficult to say, as Splashdata hasn’t published its usual press release yet. So, I had to look for another source, and I found one. As it turned out, Keeper, a Chicago based company has recently published a password analysis. The most important result is not very surprising: the most popular password of 2016 was “123456”.

As it seems, Keeper took a similar approach as Splashdata in the years before. Its analysis is based on 10 million passwords from data breaches that happened in 2016. Here’s the top 25:


There’s at least one good news: most of the passwords on the list contain one or more non-alphabetical characters. This enlarges the search space. On the other hand, IT users seem to be very reluctant to include capital letters and special characters into their passwords.

According to Keeper CEO Darren Guccione, a few more things jump out:

  • The list of most-frequently used passwords has changed little over the past few years. That means that user education and awareness programs have limits.
  • Four of the top 10 passwords on the list – and seven of the top 15 – are six characters or shorter.
  • The presence of passwords like “1q2w3e4r” and “123qwe” indicates that some users attempt to use unpredictable patterns to secure passwords, but their efforts are weak at best.

Obviously, there is an easy way to avoid all these popular passwords: IT systems should only accept passwords that have at least eight characters and that contain capital letters as well as special signs.


It’s even worse than it seems

It is easy to see that things are even worse than the top 25 list indicates. Many popular passwords don’t even show up in such a ranking. Especially, many users tend to use their names as passwords. This bad habit has inspired episode 5 of my cartoon series Chief Security Officer:


In addition, the company name and other personal data are often used as passwords. Of course, password cracking programs are aware of this.

There are two passwords on the Keeper list I have no explanation for: “18atcskd2w” and “3rjs1la7qe”. According to Darren Guccione, these are letter sequences created by bots and used over and over when they set up dummy accounts on public email services for spam and phishing attacks. If this explanation is correct, email providers could do everyone a favor by flagging this kind of repetition and reporting the guilty parties. If you have another explanation for these passwords to be so popular, please let me know.

Further reading: How I almost saved the world in a Cryptology escape room


Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Kommentare (13)

  1. #1 Klaus Schmeh
    17. Februar 2017

    David Heath via Facebook:
    You know what they say, great minds think alike.

  2. #2 Klaus Schmeh
    17. Februar 2017

    Richard SantaColoma via Facebook:
    That actually surprises me, since many sites require both letters and digits, high and low cases, and some special characters. I mean, most places I have a password wouldn’t even allow a simple string of numbers like that.

  3. #3 Jim
    17. Februar 2017

    I suspect these are in general passwords that have broken or otherwise compromised, rather than the complete range of passwords. The two outliers would then have been discovered by security researchers as noted reverse-engineering malware. I note that neither appears on the first million of 10 million passwords on a github security list ( ), dated 17 Aug 2015.

    Regarding the lack special characters and so on, the first password on that 2015 list that includes a ‘.’ is down around line 2150. The first with a capital (“Password”) is about #275. It suggests to me that the passwords most often cracked are used at sites that don’t require hard passwords.

    Of course just avoiding these doesn’t make you safe if you’re at a site that doesn’t take good care of their password file. The latest Yahoo password breach was #3, wasn’t it?

  4. #4 leser
    18. Februar 2017

    “Obviously, there is an easy way to avoid all these popular passwords”

    yes, there is. web sites should stop forcing people to register for even the simplest tasks.
    in my experience, 90% of all registrations are either caused by delusions of grandeur on the part of the web site, or by when sites wanting to track users.

    5% are sites where you can’t even ask something without having an account — typically you really only have one question Google can’t answer, so you register for that one time with a throw-away mail address.

    4% are sites forcing you to change your password frequently without even hosting sensitive data.

    leaves 1% where a strong password really makes sense — and I doubt that those sites appear here.

    people aren’t dumb, but do a quick cost-benefit calculation, realizing that is useless to spend time finding (and remembering!) more sophisticated passwords for those 99%.

    finally: I very much doubt the viability of those statistics — to me those look very much like baiting prospective customers with so called data, that is at least very hard to check …

  5. #5 Jim
    18. Februar 2017

    People do use bad passwords even in serious jobs, though. Yes, they do the cost-benefit calculation: “I just want to get my work done. Get all this password crap out from between me and my real job.” During my reign as an IT guy with security responsibilities I’d periodically crack Unix passwords on the company computer. The researcher who fancied himself an expert used the password “g”… the initial of his surname. The head of the user education group used “davenport”. Perhaps 1/4 of the company’s passwords were crackable with straightforward dictionary attacks and simple manipulations, even taking the salt into consideration.

    What especially bothers me is making people change passwords frequently, like once a year: it encourages them to write them down somewhere since there’s confusion with their old password, and usually only helps in massive breaks where the security people already fell down on the job. The downside is that it establishes another vulnerability where the password may be exposed with man-in-the-middle or spear-phishing. (“It’s February, and time to change your password again. *Click here* to start the process.”)

  6. #6 Joe
    18. Februar 2017

    Die Frage ist nicht wie ein Passwort aufgebaut ist!
    Sondern wie der Austausch des Paswortes zwischen Client und Server abläuft.
    Solange das im argen liegt, wird der Unsinn weitergehen.

  7. #7 joschu
    18. Februar 2017

    Der Mensch ahnt, daß er zum Sklaven der Maschine geworden ist, die er selbst “geschaffen” hat und wähnt intuitiv, durch aberwitzige Verweigerung der Regeln sich der absurden Konsequenzen entziehen zu können.

  8. #8 Maxwell
    18. Februar 2017

    218 340 105 584 896 combinations for 8 character passwords.
    10 000 000 passwords.
    That means for me: if one good password apears more than once, that’s pretty unlucky, but it wont make it onto a toplist.
    Nothing said yet about how save the average user is.
    And even if the majority of the users used toplisted passwords: Well done. The service used was not save, passwords got stolen, but good for you rememberable passwords were protected.

  9. #9 DayvyaD
    18. Februar 2017

    The most frequently cracked passwords are not necessarily the most frequently used ones.
    Perhaps you should publish here a list of the most secure passwords.

  10. #10 Jerry McCarthy
    England, Europa
    19. Februar 2017

    How can the people who make these lists even know what passwords are being used? Do they come from sites which don’t even bother to encrypt their users’ passwords?

  11. #11 Dwon
    20. Februar 2017

    So lange Webseiten einen nötigen einen Account anzulegen, zum Beispiel um einmalig etwas runterzuladen, so lange werden solche Passwörter verwendet werden.
    Interessant wäre eine Statistik nach Wichtigkeit ein sicheres Passwort zu wählen.

  12. #12 Chemiker
    21. Februar 2017

    I have several observations and thoughts on that statistics.

    First, without frequency data, the list is pretty worthless. If there are a few users with simplistic password and an overwhelming majority of users with high-quality passwords, the list would still look the same, because only the morons choose pass­words that are in use by other people, there­fore repeated pass­words (exactly those in the list) must be simple by necessity.

    Second, even if simple passwords are not a 0.01% pheno­menon, this does not nec­es­sarily imply user stupidity — Blogs that re­quire regis­tration to comment are not worth a strong protection.

    Third, even if simple passwords are regularly used for important accounts by many users, it can be doubted whether the user is the only to blame. Special charac­ters, for example, are APITA whenever you have to log in from different devices that hide them on less ac­cessi­ble keys.

    Frequent change requests are IMHO counter-pro­duc­tive — the user has to come up with a new pass­­word on short notice, and has to re­­mem­­ber it (and avoid to con­fuse with its pre­deces­sors) and must not write it down. The natural solution is to use a simple one.

    I would prefer to have long-lived passwords of complex structure, but paralleled by a sec­on­dary pass­word that can only be used a few times whenever I log on from in­secure devices (e.g., the mobile phone or laptop of a friend). AFAIK no web service offers that, so have to risk pass­word exposure by any malware on the borrowed device.

  13. #13 Jerry McCarthy
    England, Europa
    26. Februar 2017

    #18. Talking of websites with “delusions of grandeur”, one I frequently visit now insists on sending a security code to my cell (=mobile, =Handy) for me to type into the website.