2016's worst passwords

Although 2017 is already in full swing, you may still be thinking of ways to better yourself in the new year. While it’s probably not at the top of your list, changing your password should be, especially since SplashData’s list of 2016’s worst passwords has been released. This annual password report provides an invaluable glimpse into the state of consumer cybersecurity. Each year, the firm publishes trends it finds among compromised passwords collected over the previous year. While some things never change – both “123456” and “password” topped this list again, as they have for many years – it’s still a good idea to go over these findings to glean as much insight into password security as possible. Here are the takeaways from the worst passwords of 2016.

Which passwords made this year’s list?

SplashData’s list includes variations of the popular “123456,” the No. 1 password on the list, like “12345678,” “1234567890” as well as “1234.” Other trends included a continued usage of pop culture references, especially Star Wars-related ones like “solo” and “princess.” Additionally, entirely new passwords like “hottie,” “loveme” and “flower” have emerged, as well as a new pattern-based password – “zaq1zaq1.” This password is patterned after the first column of lettered keys on the keyboard, starting with “Z” at the bottom left.

This year’s list also included passwords with what are known as leet transformations, a term derived from the so-called leet or l33t speak that was popularized in early chat communities. These leet variants of popular passwords like “password” turn specific letters into numbers. For example, “password” might be transformed into “passw0rd,” with the 0 resembling the letter “O,” or into “pa55word,” with the 5s resembling the letter “S.” Other leet transformations use symbols like $, #, ! and @ to replace the letters they resemble (e.g., P@$sword). It should be noted that while more complicated leet transformations combined with a long password may make it stronger, applying the common leet substitutions to an already weak password has the opposite effect: the result is just as predictable as the original.

Why are strong passwords important?

As we’ve noted many times before, a strong password can protect your online accounts from hackers, which keeps your personal information safe from identity thieves. With the seemingly never-ending data breaches and hacks targeting both ordinary people as well as political figures, having a strong password is becoming even more important going forward, as anyone and everyone may be a target.

Things to remember when creating a password

When you’re creating (or updating) your passwords, there are a handful of things you should keep in mind:

1. Long alphanumeric combinations are essential. Passwords need to be sufficiently complex to work, which means you should ideally use long passwords (more than 8 to 10 characters) that combine letters, numbers and symbols. Most of the passwords on SplashData’s list fail not because they’re short or based on things people are familiar with, but because they’re not alphanumeric — they consist of only letters or only numbers rather than a mix of both. A smart combination of numbers, letters and symbols will go a long way in making your passwords stronger.

2. Leet isn’t neat. While alphanumeric passwords are great, not all are created equal. As such, it’s best to avoid the simple leet transformations described above, specifically for common phrases, names, places or other details that can be easily guessed or researched on Google, like your spouse’s name. Other types of transformations, like adding numbers at the end of a common word or phrase (e.g., “password0172”), are just as bad. As you can see from the list of bad passwords, simply changing some characters of a weak password will not make it a strong one, especially given how familiar hacker communities are with leet speak and similar transformations. That said, leet transformations are less problematic if you use them in longer and more complex passwords that are harder to guess.

3. Passwords should never be reused. The most important piece of advice is to avoid using passwords that you’ve already used on another website or service — it just increases the likelihood of all your accounts getting hacked if one password is ever breached. You should also change passwords on your accounts fairly often, at least every six months or so. If you’re having difficulty coming up with unique passwords or keeping track of all of your strong passwords, you should consider a password manager, which can help you generate unique, strong passwords and acts as a virtual safe storing these passwords.

4. Enabling two-factor authentication is just as important as a strong password. Nowadays, two-factor authentication (2FA) is just as important as having a strong password because it prevents anyone who doesn’t have physical access to a designated device, like your personal smartphone, from accessing your accounts. While you may think setting security questions is enough added protection for your online accounts, it may not be as much as you think. As such, it’s wise to also enable 2FA. Not all services offer 2FA, but the number that do is constantly increasing, which means if your bank or email provider doesn’t offer it right now, there’s a chance they will offer it soon.
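The leet substitutions and appended-digit suffixes discussed above are exactly what a defensive password check should undo before comparing a candidate against a list of common passwords. The following checker is an added example and not code from the article or from SplashData; its block list is constructed from the passwords the article names, and its character map (0→o, 5→s, $→s, @→a, !→i, #→h, plus a few assumed digit substitutions) is an assumption drawn from the examples in the text.

```python
import re
from typing import Optional

# Leet characters mapped back to the letters they stand in for. The entries for
# 0, 5, $, @, ! and # follow the article's examples; 1, 3, 4 and 7 are assumed.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "$": "s", "@": "a", "!": "i", "#": "h",
})

# Constructed block list: the passwords named in the article. A real deployment
# would load a much larger list of known-compromised passwords here.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "1234567890", "1234",
    "solo", "princess", "hottie", "loveme", "flower", "zaq1zaq1",
}


def strip_trailing_digits(word: str) -> str:
    """Drop a numeric suffix such as the '0172' in 'password0172'."""
    return re.sub(r"\d+$", "", word)


def weakness(password: str, min_length: int = 10) -> Optional[str]:
    """Return why a password is weak, or None if it passes these checks.

    The candidate is compared as typed, without its digit suffix, and with its
    leet characters mapped back to letters, so the common disguises of a weak
    password are caught by the same block list as the plain word.
    """
    base = password.lower()
    if base in COMMON_PASSWORDS:
        return "common password"
    if strip_trailing_digits(base) in COMMON_PASSWORDS:
        return "common password with digits appended"
    unleet = base.translate(LEET_MAP)
    if unleet in COMMON_PASSWORDS or strip_trailing_digits(unleet) in COMMON_PASSWORDS:
        return "leet variant of a common password"
    if len(password) < min_length:
        return "too short"
    if password.isalpha() or password.isdigit():
        return "single character class"
    return None


if __name__ == "__main__":
    for candidate in ["passw0rd", "P@$sword", "password0172", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {weakness(candidate) or 'passes these checks'}")
```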

To learn more about the various ways you can protect your accounts and identity online, keep reading our technology blog.