Is Your Password on the Naughty List?

Category: Security

The 8th annual list of The Worst Passwords is out, and I hope none of your passwords is on it. To make this list, security software firm SplashData examines millions of passwords that were leaked in data breaches throughout the year, ranking passwords on their frequency of occurrence and security weakness. In other words, the passwords on this list are both commonly used and easily hacked. Find out if your password is on the list, and learn how to beef up your password security...

The Most Popular (and WORST) Passwords

SplashData's list of the 100 Worst Passwords for 2018 is actually a fun read, punctuated with some humorous graphics that underscore the reason why some passwords are particularly foolhardy. The data comes from files of leaked and stolen passwords and user IDs, so SplashData is not telling bad guys anything they don’t already know. It’s very likely that all 100 of the Worst Passwords are among the first ones tried in simple attacks, where a hacker throws common passwords at a site until one of them works. These are easy pickings; if you use any of these passwords, you are far more likely to get hacked.

If you don't want to scroll through the list of all 100 terrible passwords, here are the 25 most common weak passwords for each year since 2011. For the fifth year in a row, the top two Worst Passwords are “password” and “123456.” They epitomize the first two “don’ts” of password selection: don’t use an obvious word or pattern of keystrokes. Other examples include names (“charlie,” “donald”) and keyboard patterns (“qwerty” and “!@#$%^&*”). Names of sports teams (“Lakers,” “Redskins”) are also lame.

Even simple combinations of letters and symbols like “password1” or “qwerty123” don’t make strong passwords, although many sites will tell you they are strong. The pattern or root word is too obvious. It's also a bad idea to reuse passwords across multiple online accounts. If one is breached, all are exposed. You might chuckle at some of these ill-considered passwords, and wonder why you should care if "stupid people" have easily hacked online accounts.
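As an added example (my code, not the article's or SplashData's), here is the kind of blocklist check a registration form could run so that "password1", "qwerty123" or "P@ssw0rd" are rejected along with their obvious root word, and keyboard walks like "asdfgh" are caught too. The word list and keyboard rows below are a constructed sample, not the full 2018 list.

```python
import re

# Constructed sample of the kinds of entries on a worst-passwords list
# (words, names, sports teams, keyboard patterns); not the complete 2018 list.
WORST_PASSWORDS = {
    "password", "123456", "123456789", "qwerty", "111111", "abc123", "iloveyou",
    "charlie", "donald", "lakers", "redskins", "football", "!@#$%^&*",
}

# Keyboard rows (plus the shifted digit row) used to spot "keyboard walk" passwords.
KEYBOARD_ROWS = ["1234567890", "!@#$%^&*()", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Common leet substitutions, reversed so "P@ssw0rd" normalises back to "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def root_word(password: str) -> str:
    """Return the root a decorated password is built on: lower-cased, trailing
    digits/symbols removed ("password1" -> "password"), leet substitutions undone."""
    p = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", p)
    # An all-digit or all-symbol password ("123456", "!@#$%^&*") has no root; keep it whole.
    if stripped:
        p = stripped
    return p.translate(LEET_MAP)


def is_keyboard_walk(s: str, min_len: int = 4) -> bool:
    """True if s is a run of adjacent keys along one keyboard row, forwards or backwards."""
    if len(s) < min_len:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def check_password(password: str) -> str:
    """Classify a candidate password: 'blocklisted' (exact hit), 'weak-root'
    (a listed word with cheap decoration), 'keyboard-walk', or 'ok' (passes
    only these checks; length and reuse still matter)."""
    lowered = password.lower()
    root = root_word(password)
    if lowered in WORST_PASSWORDS:
        return "blocklisted"
    if root in WORST_PASSWORDS:
        return "weak-root"
    if is_keyboard_walk(lowered) or is_keyboard_walk(root):
        return "keyboard-walk"
    return "ok"
```

The root-word step is what distinguishes this from a plain exact-match blocklist: "Password1" and "Lakers2018!" both fail even though neither string appears in the list verbatim.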

[Image: SplashData worst passwords of 2018]

Here's why -- the people who use these lame passwords are not harmless idiots. They are serious threats to the security of the entire Internet. Any compromised, connected computer or online account can and will be used to spread spam, malware, and other mischief to thousands of others. It’s tempting to think of the idiots’ own suffering (ID theft, financial fraud, data loss, etc.) as karma. But instead, let's take pity and share some information about how to avoid those perils.

Use a Password Manager to Generate, Save and Recall Your Login Credentials

There is absolutely no excuse for weak passwords anymore. Commercial password managers such as RoboForm, LastPass, and Dashlane take the work out of creating and using long, strong passwords. Dashlane even has a feature that will change the passwords on multiple sites with just a few keystrokes; it’s good practice to change passwords on a regular basis.

I am liking Google Chrome’s recent upgrades to its (free) built-in password manager. When registering at a new site, Chrome can suggest a long, strong password; one click, and it is applied to your new account and saved to your passwords vault at To access your saved passwords you will need to perform a task such as unlocking your phone or responding to an email. It’s a good, simple system that adds a lot of security to password management. You can learn more here.

RoboForm, Dashlane, LastPass and Chrome all store your passwords in the cloud, with strong encryption, to enable access to your saved credentials from any computer or mobile device. If you recoil at the thought of storing all your passwords in cloud storage, consider KeePass. Unlike purely cloud-based password managers, KeePass will store your encrypted password vault where you tell it to. That could be on a local hard drive, a USB flash drive, or even in the cloud if you need to sync across desktop and mobile. KeePass is free, but not as user friendly and full-featured as the paid options I listed above.

Every now and then, you should review your saved passwords to see if there are any online accounts you no longer use. Go to the site(s) and delete or close such inactive accounts. The fewer opportunities to hack you, the better.

How do you handle passwords? Don’t give away any family secrets, but I would like to know in general how you create and manage your passwords; feel free to share ideas in the comments below.

This article was posted by on 14 Dec 2018


Most recent comments on "Is Your Password on the Naughty List?"

Posted by:

Piotr / Poland
26 Dec 2018

I use KeePass and have a policy of a single, unique password per site. The only one I have emblazoned in my mind is my Windows password, which took me some time to remember, as they are too complicated for me to store in memory; I am no Rain Man :)

Now, KeePass, as well as other password managers, has an option to remind you to change a password after a specified time, like 3 months. I use that for the most sensitive accounts like bank, Google and online shops, and change to a new strong password once a month (most important accounts) or every half year (least sensitive). For most sites, like gaming accounts and message boards, I don't change them.

It is also good to check out once in a while.

Posted by:

10 May 2019

A strong recommendation for KeePass from me — I have used it for years, all my passwords are randomly generated and are as strong as the sites allow.

I know only one password, that for my KeePass vault, and I have several copies of this vault in physically distinct places. The only problem with this policy is that I must update several copies to keep them up to date — but this is just a consequence of my belt-and-braces approach — I have never yet had to rely on any of the backup copies.

KeePass is free, simple to use and, once you have set up all accounts to different strong passwords, requires little or no maintenance. Thereafter, if a password database online were to be hacked, there is no threat to any other account. I can log into almost any site with two clicks from my desktop. The password vault on a USB stick in my pocket (or indeed its clones elsewhere) will work on any operating system.

Secure, simple, fast, free — it's a no-brainer!

Copyright © 2005 - Bob Rankin - All Rights Reserved