2016 Most Common Passwords Reveal Alarming Trends


Joseph Steinberg

Published on January 31, 2017


Last week, SplashData, a provider of password management technology, released its annual list of the most common passwords found among the millions made public through various breaches in the 2016. Below, I address some important lessons for information security professionals that emerge from the list. (Please note that in this piece I will not discuss the ethical questions related to utilizing stolen password data for the purpose of creating such a list.)

Here is the list of most common passwords from 2016:

• 123456

• password

• 12345

• 12345678

• football

• qwerty

• 1234567890

• 1234567

• princess

• 1234

• login

• welcome

• solo

• abc123

• admin

• 121212

• flower

• passw0rd

• dragon

• sunshine

• master

• hottie

• loveme

• zaq1zaq1

• password1

Important conclusions:

1) People are still picking weak passwords, and sites are letting them do so. If you do not force people to pick strong passwords, you should expect many to pick extremely poor passwords that are likely to be broken by password-cracking software within the first second of being run. Information on how to pick strong passwords that are easy to remember can be found in the article How to Create Strong Passwords that You Can Easily Remember.

2) Many of the passwords on the list have also appeared on the list in prior years – meaning that people have not only been using weak passwords in general for quite some time but they also continue to use specifically the passwords that were most commonly used at the breached sites. This creates a serious risk, as hackers are clearly likely to try those passwords early on when attempting to break into systems and accounts.

3) To some extent, even the weak passwords are getting weaker – last year, for example, “12345678” was more popular than” 12345” – but that is no longer the case. I say “to some extent,” because despite the theoretical improved strength of the longer password, every decent password checker is going to try both of these combinations within the first second of running. So both are ineffective; saying that one is stronger than the other is like comparing the value of a 1 inch bandage and a 2 inch bandage when someone will die without a tourniquet.

4) While “star wars” – which was on the list last year – dropped off the list this year, other Star-Wars-related passwords – “solo” and “princess” – moved up to much higher places on the list, reinforcing the problem that pop culture concepts become passwords. (“Princess” might be independent of Star Wars – but still connected to the culture.) Keep in mind that criminals know this as well – and some password cracking tools load in popular terms to try early on in the cracking process.

5) “Passw0rd” appeared on the list. Substituting a 0 for an o, a 1 for an l, a 4 for an h, etc. may add theoretical strength, but, because many password crackers are programmed to try these possibilities, the added theoretical strength may deliver very little extra security from a practical standpoint.

6) “admin” – which is a default login for various networking equipment – is a common password, making me wonder how many of the folks using this password are technically-savvy people.

7) 1234 is on the list – meaning that many sites still have password length requirements that are too short.

About the Author

The author is the CEO of SecureMySocial, a renowned cyber security thought leader, and author of several books on the topic, including (ISC)2’s official study guide for the CISSP-ISSMP exam. Recognized by Onalytica as one of the top cyber-security influencers in the world, he is also the inventor of several IT Security technologies widely-used today; his work is cited in over 100 published US patent filings. He is also one of only 28 people worldwide to hold the suite of advanced information-security certifications, CISSP, ISSAP, ISSMP, and CSSLP, indicating that he possesses a rare, robust knowledge of information security that is both broad and deep.


... ...



Published on {{detail.created_at| date}} {{detail.duration}}

  • {{detail.date}}
  • Views {{detail.downloads}}
  • {{detail.time}} {{detail.time_zone_code}}



About the On-Demand Webinar

About the Webinar

Hosted By





About the E-book

View On-Demand Webinar

Register Now!

First Name*
Last Name*
Phone Number*

View On-Demand Webinar

Register Now!

Webinar Expired

Download the Ebook

{{ queryPhoneCode }}
Phone Number {{ detail.getCourseAgree?'*':'(optional)'}}

Show full article video

About the Author


About the Author