Every year there seems to be a common password list that analyzes and ranks hilariously bad passwords in order of popularity. In this article, we’ll review our 7 lessons learned from these annual most common password lists.

We have reviewed password analysis over the last 7 years from the following security providers:

And every year, the more things change, the more things stay the same. There are billions of stolen accounts from hundreds of websites, and it only seems to be accelerating. Why the changes or lack thereof? Let’s jump into it.

1. It’s Hard To Make Change When You Don’t Care

If the common passwords year after year are so bad and basic, then why do people keep using them? We have ideas on a few points.

  1. Lack of reasons why. Education can only get you so far and is only part of the problem. If consequences don’t personally affect people, at least in the workplace, then they don’t have the motivation to improve.
  2. People are busy and default to easy behaviors. Bad passwords are easier to remember. Furthermore, that same bad password is the same for other sites. The easier it is to remember and use, the easier it is to crack it.
  3. People use throwaway accounts for demos and opt-in bonuses. We’ll cover this more in the next section.
  4. Ignorance. In cases where people have consequences, they aren’t aware of them. People have more to lose than they think they do. We’ll cover this more in section 3.

2. There May Be A Large Number Of Throwaway Accounts

One reason to never beef up your password security is you create a lot of throwaway accounts. Remember the Adobe hack? There were many articles on the number of bad passwords used for people’s Adobe accounts.

What if part or most of the majority of people used throwaway accounts to sign up for the free software trial? Password security doesn’t matter here when you are trying to get perpetual free software.

Not to mention forums. There are many forums that have posts that rank in Google and require registration to either view the post or download whichever links are in the post. People won’t take forum accounts seriously when they never return after getting what they want.

3. People Have More To Lose Than They Think They Do

After the first 2 points, where we outline that people probably don’t care and use some online accounts as a means to an end, let’s shift gears to the person who uses their poorly protected accounts consistently.

For one, they think that they have nothing to hide. These same people lock their homes, cars, and other personal devices. They obviously do have something to hide, even though they have done nothing wrong. They just don’t realize how their online life integrates with their real life.

If this is your mindset, consider what would happen if you lost some of the accounts that you “barely use.” What would happen if you couldn’t log in to your email, social media, online storage (for photos, documents, and more), phone, or shopping accounts?

Now think about what it would be like to have no one to help you but the attacker. Now think about paying hundreds, even thousands of dollars, to regain access.

4. People Must Be Forced To Create A Strong Password

When you create a password or change your password on a website, you may have seen password requirements. These websites force you to use upper and lower case letters, numbers, and symbols. Furthermore, there is a length requirement.

Kind of a pain, right? These requirements are there for a reason. Without them, people will just use something in their head that’s easy to remember.

Website administrations and developers must enforce strong password security to help people make better decisions. Year after year, the common password analysis shows that people simply make poor choices when left to their own devices in the moment.

5. There Are Dictionaries For Nearly All Breaches

Password cracking isn’t just about brute forcing a password until it is cracked. Attackers have access to the same leaked records as researchers and build their own lists (or sometimes the same lists) of leaked passwords. In fact, common password lists account for nearly all breaches.

These lists and other phrases are assembled as dictionaries for carrying out account attacks. Attackers will not only use leaked terms and other common dictionary terms but they’ll also use common variations of these words using simple algorithms.

Remember how clever you thought you were by adding a number or a year at the end of your password when it came time to update? What about adding 1 for I, 3 for E, $ for S, and @ for a? Yeah, the attackers know this. You may be buying yourself some time, but you aren’t improving the security of your password as much as you think you are.

6. People Still Largely Haven’t Adopted Password Managers

Password managers are great services that assist in generating secure, random passwords for you based on your criteria. These passwords and other account information are kept in an encrypted vault, which you can access with a master password.

So instead of remembering 100s of passwords with ever increasing complexity requirements, you just need to remember 1. Just don’t lose that one since your account will not be recoverable.

Furthermore, these services are bolstered by additional features such as auto-sign-in, password syncing across multiple platforms, password breach notifications, and more.

Despite these offerings, people still haven’t largely adopted them yet. Their corporate culture may hold them back, or they simply revert to their normal password ways.

7. Password Advice Has Changed Very Little

SplashData and other security organizations published similar lists with similar advice year after year. You can probably repeat most of the best practice advice out there.

In case you can’t, it looks something like this:

  • Passwords should be 12 to 16 characters in length. Longer is better.
  • Consider using a passphrase instead of a password since this helps you easily meet your length requirement.
  • Use mixed characters, including upper and lower case letters, numbers, and symbols (special characters)
  • Use a different password for each account, online or offline.

If you would like to read more on how to create a more secure password, be sure to check out the article we wrote up for you.


Seven years, seven lessons? Nice. We didn’t plan it that way.

Naturally, if you find one of your passwords in a common password list or you receive an alert in a password manager, browser, or secure vault, then you should change the appropriate password immediately. Otherwise, you run the grave risk of identity theft. Your password will be at the front of the line to be cracked in less than a second.

On a broader scale, maybe we’re looking at the problem too logically. After all, in the personal finance space, people tend to get in financial trouble due to an emotional problem rather than a math problem.

Perhaps what we need is a change of culture in the security awareness space.

If you would like to see our coverage of the most common passwords lists, then check out the articles below.