One would think that, after years of exhortations, most people would know better than to use "password" or "12345" to protect their most sensitive data. Evidence suggests, however, that bad passwords are as popular now as they ever were, and the top 25 are trivially easy to guess.
An annual study has exposed 2015's worst passwords, and if you're using any of them for your accounts, now is as good a time as any to change them to something a little harder to guess.
Every January, SplashData, a Los Gatos, California-based password-management company, produces a study of the previous year's worst passwords. The company does not share its methodology unless you sift through a (free) eBook that it sends via e-mail, but the basics are easy enough to understand. The company shares 25 passwords that are so common and easily guessable as to be nearly worthless in practice.
If you read our previous reports, you won't be shocked that "123456" is still the most common dumb password, with "password" still occupying the No. 2 spot. The rest of the top 10 were similarly eye-rolling: "12345678," "qwerty," "12345," "123456789," "football," "1234," "1234567" and "baseball," in that order. Suffice it to say, don't use a linear string of numbers to protect your most sensitive data.
Other offenders from further down the list were equally uninspired, from "welcome" at 11, to "abc123" at 13, to "letmein" at 19 (a perennial favorite since the early days of the Interwebs). Of more interest were some of the new entries, including "welcome," "login" and "1qaz2wsx." (The last one may seem clever until you realize that it's just the first two rows of keys tapped vertically.)
SplashData also drew attention to three relatively new entries: "princess," "solo" and "starwars." These passwords, seemingly inspired by a galaxy far, far away, may or may not persist on the list, since the popularity of Star Wars tends to wax and wane with film releases. Even so, it's probably safer to avoid simple Star Wars passwords for the moment. (Nowhere did "captainkirk1701" show up on the list, once again proving that the Star Trek franchise is superior.)
In case you've been silly enough to use one of the passwords on the list, SplashData does have a few commonsense recommendations: a password should be at least 12 characters long, and use a mix of numbers and upper- and lower-case letters. Don't use the same password for multiple sites, and if you have a ton of passwords, use a password manager to keep them straight.
SplashData recommends its own password-management program, SplashID, but there are plenty of other good ones on the market.
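As an added example (not from SplashData or the original article), this Python code screens a candidate password against the passwords named above, the 12-character mixed-case-and-digit recommendation, and keyboard or sequence walks such as "1qaz2wsx". The US QWERTY layout, the function names and the sample passwords are assumptions made for the example.

```python
import re

# Passwords named in the article (only the entries it quotes, not the full top 25).
LISTED = {"123456", "password", "12345678", "qwerty", "12345", "123456789",
          "football", "1234", "1234567", "baseball", "welcome", "abc123",
          "letmein", "login", "1qaz2wsx", "princess", "solo", "starwars"}

# Assumption: US QWERTY layout, rows listed top to bottom.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
COLUMNS = ["".join(row[i] for row in ROWS) for i in range(10)]  # "1qaz", "2wsx", ...
LINES = ROWS + COLUMNS + ["abcdefghijklmnopqrstuvwxyz"]
LINES += [line[::-1] for line in LINES]  # walks typed in reverse count too


def is_keyboard_walk(pw, min_run=3):
    """True if pw splits entirely into runs along a key row, key column or the alphabet."""
    s = pw.lower()
    reachable = [True] + [False] * len(s)  # reachable[i]: s[:i] is all walk runs
    for i in range(len(s)):
        if not reachable[i]:
            continue
        for j in range(i + min_run, len(s) + 1):
            if any(s[i:j] in line for line in LINES):
                reachable[j] = True
    return len(s) >= min_run and reachable[len(s)]


def screen(pw):
    """Return the reasons to reject pw; an empty list means it passes every check."""
    reasons = []
    if pw.lower() in LISTED:
        reasons.append("on the published worst-password list")
    if is_keyboard_walk(pw):
        reasons.append("keyboard or sequence walk")
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if not all(re.search(p, pw) for p in (r"\d", r"[a-z]", r"[A-Z]")):
        reasons.append("missing digit, lower-case or upper-case letter")
    return reasons


if __name__ == "__main__":
    # Constructed samples; the third meets the length and character-mix rule
    # yet is still a walk, so the composition rule alone would accept it.
    for candidate in ("starwars", "1qaz2wsx", "1qaz2wsx3edC", "Tr4mpolineGarden"):
        print(candidate, "->", screen(candidate) or "ok")
```

The third sample shows why a length-and-character-mix rule should be paired with a pattern and denylist check rather than used alone.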