These are the latest world's worst passwords — don't use any of them

Passwords written on Post-It notes on a laptop computer keyboard.
(Image credit: m.jrn/Shutterstock)

We have sad news: The world's most-often used password is still "123456." 

This depressing statistic comes as a result of a study by Turkish researcher Ata Hakçıl, who analyzed more than 742 million passwords revealed in numerous data breaches over the past several years and posted his results on GitHub. Among those passwords, "123456" appears 5.3 million times, or in out of every 138 entries.

Of the 742 million entries, there were only 169 million unique passwords, which gives you an idea of how frequently we use obvious passwords. The most common 1,000 passwords were 6.6% of the total, and less that 9% of the passwords were found only once.

There was a little good news: The average length of the passwords was 9.48 characters, which means that all the nagging about creating longer passwords is paying off. 

By contrast, the median (if not mean) length in the famous RockYou data breach of 2009 was about 7 characters. (Hakçıl chose not to include the 32 million RockYou entries because they've been so widely studied.) 

UPDATE: We played with the RockYou statistics in this report from Imperva and came up with an average RockYou password length of roughly 7.41 characters.

Same old song

But that's still far outweighed by the bad news. The RockYou database's most-used password is also "123456." In fact, of the top 20 old RockYou passwords, entered between 2005 and 2009, seven are also in Hakçıl's brand-new Top 20 list: 123456, 12345, 123456789, iloveyou, 1234567, 12345678 and abc123. 

Two others came close but not quite, with "Password" and "Qwerty" appearing in the RockYou Top 20, but "password" and "qwerty" in Hakçıl's Top 20. (We're not sure why that occurred, but RockYou may have required the inclusion of upper-case letters at some point.) 

Only 12% of the passwords Hakçıl examined contained "special" characters, such as punctuation marks, that are found on common QWERTY keyboards but are not letters or numbers: ? < , > & ^ and so on. Including such characters goes a long way to beefing up a password's strength against password crackers.

By contrast, nearly 29% of the passwords were compromised of letters only, and more than 26% of the total were lowercase only. More than 13% consisted of only digits. 

In an indication of how people form passwords, more that 34% of passwords that mixed letters and numbers ended with the numbers — e.g. "qwerty123" — but only 4.5% started with the numbers.

Mystery pattern in the data

Hakçıl did find one surprising thing -- some 763,000 10-character passwords of gibberish that nevertheless followed a predictable pattern. 

"They all start and end with uppercase characters," Hakçıl wrote. "None of them seem to have a keyboard pattern or meaningful word in them" and "they don't contain special characters."

Even though the passwords appeared to be machine-generated, several of them appeared to have been reused, possibly indicating a flaw in a password-generation algorithm.

"I have no idea what this uncovers and what it implies, but I'm suspecting a password manager out there is creating passwords with low entropy, causing repetitions over a lot of users," Hakçıl wrote. "All the ideas about this are welcome and appreciated."

Hakçıl started with about 1 billion pairs of credentials (passwords and usernames), but had to toss out more than 257 million pairs for being either unreadable or obviously test accounts. 

How to create and manage passwords

To make sure to limit the extent of a data breach upon your account security, make sure that all of your passwords are long, strong and unique. 

Length is currently the most important factor, as a 20-character password of random lowercase letters has less chance of being "cracked" than a 12-character password made up of lowercase and uppercase letters, digits and punctuation marks and other special characters.

But ideally, you'd want a long password of at least 15 characters made of absolute gibberish containing all four types of characters found on a common QWERTY computer keyboard. 

To create and remember such passwords, and to make sure none of them is repeated, there's no better solution that to use one of the best password managers.

The 100 worst passwords of 2020

Here are the 100 most commonly passwords, according to Hakçıl's analysis. You shouldn't be using any of these for any of your accounts.

  1. 123456
  2. 123456789
  3. password
  4. qwerty
  5. 12345678
  6. 12345
  7. 123123
  8. 111111
  9. 1234
  10. 1234567890
  11. 1234567
  12. abc123
  13. 1q2w3e4r5t
  14. q1w2e3r4t5y6
  15. iloveyou
  16. 123
  17. 000000
  18. 123321
  19. 1q2w3e4r
  20. qwertyuiop
  21. 654321
  22. qwerty123
  23. 1qaz2wsx3edc
  24. password1
  25. 1qaz2wsx
  26. 666666
  27. dragon
  28. ashley
  29. princess
  30. 987654321
  31. 123qwe
  32. 159753
  33. monkey
  34. q1w2e3r4
  35. zxcvbnm
  36. 123123123
  37. asdfghjkl
  38. pokemon
  39. football
  40. killer
  41. 112233
  42. michael
  43. shadow
  44. 121212
  45. daniel
  46. asdasd
  47. qazwsx
  48. 1234qwer
  49. superman
  50. 123456a
  51. azerty
  52. qwe123
  53. master
  54. 7777777
  55. sunshine
  56. N0=Acc3ss
  57. 1q2w3e
  58. abcd1234
  59. 1234561
  60. computer
  61. f***you [censored -- the missing letters rhyme with "duck"]
  62. aaaaaa
  63. 555555
  64. asdfgh
  65. asd123
  66. baseball
  67. 0123456789
  68. charlie
  69. 123654
  70. qwer1234
  71. naruto
  72. a123456
  73. jessica
  74. soccer
  75. jordan
  76. liverpool
  77. thomas
  78. lol123
  79. michelle
  80. 123abc
  81. nicole
  82. 11111111
  83. starwars
  84. samsung
  85. 1111
  86. secret
  87. joshua
  88. 123456789a
  89. andrew
  90. 222222
  91. q1w2e3r4t5
  92. 147258369
  93. hunter
  94. Password
  95. qazwsxedc
  96. lovely
  97. 999999
  98. jennifer
  99. letmein
  100. tigger
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.