Tech Made Simple

Hot Topics: How to Fix Bluetooth Pairing Problems | Complete Guide to Facebook Privacy | How to Block Spam Calls | Snapchat Symbol Meaning

We may earn commissions when you buy from links on our site. Why you can trust us.

author photo

These are the Worst Passwords of 2018

by Suzanne Kantra on December 14, 2018

As the year comes to a close, a lot of us are thinking back on the year that was… but are have you bothered to consider your 2018 passwords?

A good password will keep your online accounts safe, from your bank account to your Amazon account. But even though we know we should create secure passwords, a lot of us don’t. Complex, unique passwords can be a nuisance to remember (especially since security experts recommend using a different password for every site), and it’s easier to skip the headache and go with something simple.

However, SplashData’s list of the worst passwords of 2018 — which was compiled from the millions of passwords that were hacked this year —suggests plenty of people aren’t making much effort to create secure passwords. The top five passwords don’t vary much from year to year… which means people keep using the same predictable passwords, which make it easy for anyone to get into their accounts. Here are this year’s top 25 passwords:

  1. 123456 (unchanged)
  2. password (unchanged)
  3. 123456789 (up 3)
  4. 12345678 (down 1)
  5. 12345 (unchanged)
  6. 111111 (new)
  7. 1234567 (up 1)
  8. sunshine (new)
  9. qwerty (down 5)
  10. iloveyou (unchanged)
  11. princess (new)
  12. admin (down 1)
  13. welcome (down 1)
  14. 666666 (new)
  15. abc123 (unchanged)
  16. football (down 7)
  17. 123123 (unchanged)
  18. Monkey (down 5)
  19. 654321 (new)
  20. !@#$%^&* (new)
  21. Charlie (new)
  22. aa123456 (new)
  23. donald (new)
  24. password1 (new)
  25. qwerty123 (new)

Even if you aren’t a security pro, you can probably see a problem here. Seven of those passwords are simply a straight row of characters across the keyboard (presumably to whatever number of characters a particular password requires). And they aren’t the only patterns on the list: “111111” and “666666” are even lazier. Then there’s the perennial “password,” which is certainly easy to remember — but it’s also the first password any hacker will try. A variation on this basic password is also inevitably on the worst passwords list: “password1” may be a little more complicated than the simple “password,” but it isn’t much better. If “password” is a hacker’s first guess, this will be the second.

Even worse, “123456” and “password” have made the top two spots on the worst passwords list for six years in a row. That implies that not only are these lousy passwords getting used, but they keep getting used.

New to the list this year was “donald,” debuting in the #23 slot. And while it’s a bit better than “password,” setting your password to the name of the president still isn’t very secure.

So how can you keep your online accounts — and thus your personal information — safe? The first step is making sure none of your none of your password are on SplashData's worst passwords of the year list. If you are, you should log on and change them immediately. Then make sure you’re creating a strong password. A good password needs to:

  • Have least 8 characters.
  • Include capital letters, numbers, and ASCII characters.
  • Not follow any pattern, like “123456” or “121212.”
  • Not use a dictionary word, common phrase, a movie name or anything similar. (Sorry, Star Wars fans, but you shouldn’t express your enthusiasm in your password.)
  • Not include your name or significant dates, like your birthday or anniversary. Names are a common feature on the worst password list, and using this kind of personal information makes your password very easy to guess.
  • Never be used across multiple sites, which means that when one site is hacked, all of your passwords are compromised.

If sites support it, you should also use two-factor authentication, which requires both a password and a randomly generated code, which is typically displayed in an app or texted to you whenever you log on. Even if a hacker has your password, they won’t have that random code and therefore won’t be able to get into your account. While not every site offers two-factor authentication, most sites containing sensitive personal information will, including most banking sites. If you aren’t sure whether your favorite website supports two-factor authentication, search the Two Factor Auth List to find out.

 Now the next question: how can you remember all of these unique, complicated passwords? We recommend that everyone use a password manager. These secure apps will store your passwords — though you have to remember to add them, first — and require a login to access them. Many are apps that run on your phone, but you’ll also find PC and web-based password managers. 

So why not make a New Year’s resolution to improve your passwords? Using good passwords isn’t as hard as you think — and it will help you avoid the headache of hacks throughout 2019.

[Image credit: password on sticky note via Shutterstock]


Computer Safety & Support, News, Computers and Software, Blog, Privacy

Discussion loading


From Kathy Hughes on December 14, 2018 :: 2:29 pm

Does using a keyboard with different lettering do any good?
Like Greek, or Arabic, or Comic?



From cat on December 14, 2018 :: 3:01 pm

thoughts on using chrome as password manager? they have recently begun suggesting strong passwords for sites. Obviously, you’d need a good strong password to log into chrome!



From Josh Kirschner on December 18, 2018 :: 9:55 am

Google has continued to upgrade the Chrome password manager, and it now offers many of the same features as the paid ones (such as automatically suggesting secure, unique passwords). However, since it is integrated with Chrome, any logins you have outside of Chrome (like Netflix apps on your phone) wouldn’t be filled, though you could always add those into Chrome for reference. And, of course, it’s vitally important to have a strong password for Chrome, itself, along with two-factor authentication.



From Franck Einstein on December 17, 2018 :: 3:07 pm

A method to keep in your memory as many passwords as you want without problems
1/ Take any serie of letters-numbers that for some reason you have never forgotten e.g. the name and the date of birth of your first love, the plate of your first car, the name of your first teacher and the year you started school anything goes if it’s something engraved in your memory since a very longtime. I take the name of my first teacher, a Ms Krivanek and I started school in 1987.
2/ I use as a base « Krivanek1987 » and I rewrite it « kriv@neKI9&7 », one can use any rule of transposition one wants, preferably not too complicated.
3/ put this expression in front of the name of the site needing a password. Thus my password for
-Yahoo is kriv@neKI9&7Yahoo;
- Gmail is kriv@neKI9&7Gmail;
- Facebook is kriv@neKI9&7Facebook;
- etc.
4/ what you get is a password of military strength which is different for each site needing one
5/ it’s up to your creativity to invent variations on this method. One may use a nickname for the site to be protected if you use one, for me Facebook is F(censored)book, Instagram reduced to Insta. One may too cut kriv@neKI9&7 in two and use the two parts: one to precede the sites name and the other being appended and add some signs before it to have something easier to read. So kriv@neKI9&7Yahoo; may become kriv@neK_Yahoo_I9&7, etc.
6/ The most important is to remember the invariant part of the password and the way to construct the final password and without effort you have in your head as many passwords as you want, no more necessary to note somewhere your passwords and no need to use a password manager, you are the password manager.



From Oscarphone on December 27, 2018 :: 1:48 pm

Most people are basically idiots about security and lazy. A bad combination for any kind of password creation. I still deal with clients that don’t even write the damn things down! And then they call me when they are locked out. The answer is always the same: “Click on ‘Forgot password?’” Unfortunately the people that need to read this article aren’t subscribers so they’ll never see it. I may send it around however. Every little bit helps.


Home | About | Meet the Team | Contact Us
Media Kit | Newsletter Sponsorships | Licensing & Permissions
Accessibility Statement
Terms of Use | Privacy & Cookie Policy

Techlicious participates in affiliate programs, including the Amazon Services LLC Associates Program, which provide a small commission from some, but not all, of the "click-thru to buy" links contained in our articles. These click-thru links are determined after the article has been written, based on price and product availability — the commissions do not impact our choice of recommended product, nor the price you pay. When you use these links, you help support our ongoing editorial mission to provide you with the best product recommendations.

© Techlicious LLC.