It’s time for SplashData to release its annual list of the most common passwords of 2016, but first, let’s start with a password list from Keeper Security.
Table of Contents
Most Common Passwords of 2016 by Keeper Security
The company analyzed over 10 million passwords publicly available before publishing a list of the 25 most common passwords of 2016. Keeper Security didn’t include leaked passwords if the breaches were announced that year but occurred before 2016.
- 123456
- 123456789
- qwerty
- 12345678
- 111111
- 1234567890
- 1234567
- password
- 123123
- 987654321
- qwertyuiop
- mynoob
- 123321
- 666666
- 18atcskd2w
- 7777777
- 1q2w3e4r
- 654321
- 555555
- 3rjs1la7qe
- 1q2w3e4r5t
- 123qwe
- zxcvbnm
- 1q2w3e
Of course, if your password is one of the passwords in this list (or any public list, for that matter), then you should change your password immediately!
Most Common Passwords of 2016 by SplashData
The 2016 edition of the 25 most common passwords made up more than 10% of the surveyed passwords, with the most common password of 2016, “123456”, making up 4%. Does this shock anyone anymore?
The numbers in parentheses denote the position change in the password list. New refers to a new position on the list, 0 refers to the same position (unchanged), positive numbers mean the entry has gone up, and finally, a negative number means the entry went down the list.
- 123456 (0)
- password (0)
- 12345 (2)
- 12345678 (-1)
- football (2)
- qwerty (-2)
- 1234567890 (5)
- 1234567 (1)
- princess (12)
- 1234 (-2)
- login (9)
- welcome (-1)
- solo (10)
- abc123 (-1)
- admin (New)
- 121212 (New)
- flower (New)
- passw0rd (6)
- dragon (-3)
- sunshine (New)
- master (-4)
- hottie (New)
- loveme (New)
- zaq1zaq1 (New)
- password1 (New)
Comparison of the Most Common Passwords from 2011 to 2016 by SplashData
Since 2011, SplashData has published a list of the 25 most common passwords each year. The list is based on data examined from millions of passwords leaked in data breaches, mostly in North America and Western Europe, year over year.
| Rank | 2016 | 2015 | 2014 | 2013 | 2012 | 2011 |
|---|---|---|---|---|---|---|
| 1 | 123456 | 123456 | 123456 | 123456 | password | password |
| 2 | password | password | password | password | 123456 | 123456 |
| 3 | 12345 | 12345678 | 12345 | 12345678 | 12345678 | 12345678 |
| 4 | 12345678 | qwerty | 12345678 | qwerty | abc123 | qwerty |
| 5 | football | 12345 | qwerty | abc123 | qwerty | abc123 |
| 6 | qwerty | 123456789 | 123456789 | 123456789 | monkey | monkey |
| 7 | 1234567890 | football | 1234 | 111111 | letmein | 1234567 |
| 8 | 1234567 | 1234 | baseball | 1234567 | dragon | letmein |
| 9 | princess | 1234567 | dragon | iloveyou | 111111 | trustno1 |
| 10 | 1234 | baseball | football | adobe123 | baseball | dragon |
| 11 | login | welcome | 1234567 | 123123 | iloveyou | baseball |
| 12 | welcome | 1234567890 | monkey | admin | trustno1 | 111111 |
| 13 | solo | abc123 | letmein | 1234567890 | 1234567 | iloveyou |
| 14 | abc123 | 111111 | abc123 | letmein | sunshine | master |
| 15 | admin | 1qaz2wsx | 111111 | photoshop | master | sunshine |
| 16 | 121212 | dragon | mustang | 1234 | 123123 | ashley |
| 17 | flower | master | access | monkey | welcome | bailey |
| 18 | passw0rd | monkey | shadow | shadow | shadow | passw0rd |
| 19 | dragon | letmein | master | sunshine | ashley | shadow |
| 20 | sunshine | login | michael | 12345 | football | 123123 |
| 21 | master | princess | superman | password1 | jesus | 654321 |
| 22 | hottie | qwertyuiop | 696969 | princess | michael | superman |
| 23 | loveme | solo | 123123 | azerty | ninja | qazwsx |
| 24 | zaq1zaq1 | passw0rd | batman | trustno1 | mustang | michael |
| 25 | password1 | starwars | trustno1 | 0 | password1 | Football |
| Rank | 2016 | 2015 | 2014 | 2013 | 2012 | 2011 |
Comparison of the Most Common Passwords from 2016 – Both Research Sources
| Rank | SplashData | Keeper |
|---|---|---|
| 1 | 123456 | 123456 |
| 2 | password | 12345679 |
| 3 | 12345 | qwerty |
| 4 | 12345678 | 12345678 |
| 5 | football | 111111 |
| 6 | qwerty | 1234567890 |
| 7 | 1234567890 | 1234567 |
| 8 | 1234567 | password |
| 9 | princess | 123123 |
| 10 | 1234 | 987654321 |
| 11 | login | qwertyuiop |
| 12 | welcome | mynoob |
| 13 | solo | 123321 |
| 14 | abc123 | 666666 |
| 15 | admin | 18atcskd2w |
| 16 | 121212 | 7777777 |
| 17 | flower | 1q2w3e4r |
| 18 | passw0rd | 654321 |
| 19 | dragon | 555555 |
| 20 | sunshine | 3rjs1la7qe |
| 21 | master | |
| 22 | hottie | 1q2w3e4r5t |
| 23 | loveme | 123qwe |
| 24 | zaq1zaq1 | zxcvbnm |
| 25 | password1 | 1q2w3e |
| Rank | SplashData | Keeper |
Most Common Passwords of 2016 Observations
Did you notice some seemingly “secure” passwords on the Keeper list like “18atcskd2w” and “3rjs1la7qe” and wondered why? The answer is potentially bots. Bots that spam countless sites, free email providers, forums, and more and use the same passwords. The goal is to set up dummy accounts to facilitate spam and phishing attacks.
The most popular password, making up nearly 17 percent of the 10 million passwords the company analyzed, was “123456.” This is also on the SplashData list. “Password” was also among the top 10 passwords.
Seven of the top 15 passwords are six characters or shorter, which means they are cracked in seconds (or less). Keeper Security advises users to select a password that’s more than 6 characters long and contain all variation of characters. It’s worth mentioning that many organizations have adopted 8 to 12 character requirements, as 6 characters just aren’t enough anymore.
“What really perplexed us is that so many website operators are not enforcing password security best practices,” he wrote. “While it’s important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves. IT administrators and website operators must do the job for them.”
Darren Guccione, Keeper Security Co-founder and CEO
The company also suggests avoiding using single words found in the dictionary. Two of the most common password cracking techniques are dictionary cracks and brute force cracks. These attacks attempt to crack passwords by trying known passwords, single dictionary terms, and personal information like sports teams, family names, phone numbers, and birthdays.
As you see passwords on screen and on paper that read “1q2w3e4r” and “123qwe,” you know you found an attempt by users to create unpredictable passwords by using keyboard patterns. Unfortunately, these users only bought themselves a few seconds, as password crackers know to look for sequential key variations.
And finally, as you look through these password lists, you realize that little has changed year over year. In fact, little has changed over the last decade. Education is essential, but it isn’t everything. You need to set guardrails and enforce password complexity and history.
Additional Sources:
- 25 most common passwords in 2016 and how quickly they can be cracked by CSO Online
- The most common passwords of 2016 by VentureBeat
To compare against last year’s passwords, check out our previous Most Common Passwords of 2015 post.