2017's worst passwords

You can count on plenty of “top 10” lists to be circulated during the transition from one year to another, naming everything from the best movies to the top tweets heard around the world during the previous year. Another list that we’ve come to both love and hate is the annual compilation of the worst passwords put together by SplashData. Loved because it gives us a chance to talk about one of our favorite topics, password security, and hated because although we have high hopes for the citizens of the Internet, every year those hopes are dashed when we see the kinds of passwords being used by millions of people out there.

While a password that is as easy to type as it is to remember might save you a few minutes when you’re signing into your email account or accessing Netflix from a friend’s couch, that kind of convenience will do you no favors if some cybercriminal decides to try taking a crack at your online accounts. Here’s what you need to know about 2017’s worst passwords and a couple of tips for how you can do better with your passwords to enhance your cybersecurity in the year to come.

Just how bad can the worst passwords actually be?

We’ll let you decide for yourself — here are the top 10 worst passwords from 2017:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. letmein
  8. 1234567
  9. football
  10. iloveyou

And who said creativity was dead? Other notable passwords that made the full list of 100 (please note that this list includes some explicit language) include pop culture references like “starwars,” which debuted on the list for the first time ever this year at No. 16, plenty of sports-related passwords to keep football company as well as some downright headdesk-worthy doozies like “admin,” “login” and “computer.”

Are these really people’s passwords?

Sad to say, yes, these are real passwords used by real people to protect their online accounts. SplashData gathers this information every year by compiling and analyzing databases of passwords that were leaked in data breaches and posted online by cybercriminals. This year’s list was generated from 5 million leaked passwords, not including the data from Yahoo’s massive 3-billion user breach. It’s important to note that while all the passwords used to create this year’s list were gathered from information leaked in 2017, that information isn’t necessarily all from this past year. Still, these compilations year to year are made up of passwords from accounts that were cracked or compromised, making it a good show of what not to do when creating a password — no matter what the password is meant to protect.

What you can learn from 2017’s worst passwords

Your clever single-word password isn’t fooling anyone

While you might think you’re being clever when you drop a letter from a common phrase, like those who used No. 80’s “passwor” or make a simple switcheroo like No. 19’s “passw0rd,” that’s not enough to fool even the least experienced hacker (or their computer programs). If you’re determined to use your creative flair when creating new passwords, that’s great, but make sure that you’re incorporating all the bells and whistles. Instead of “Metallica” as your password, honor your favorite rock legends and get creative with something like, “Nt3r $@ndmAn.” Swap out letters for special characters and numerals, drop parts of a sentence or phrase to keep it even more unique and don’t be shy about hitting the space bar.
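To show why a dropped letter or a swapped digit buys nothing, here is an added example of the kind of check a signup form can run: it is not code from SplashData or this article, and the blocklist (a subset of passwords the article names) and the LEET substitution table are assumptions for the demonstration. It undoes the common substitutions and then compares against the blocklist both exactly and within one edit, so “passw0rd” and “passwor” are both caught while “Nt3r $@ndmAn” passes.

```python
# Blocklist built only from passwords the article names (constructed subset).
BLOCKLIST = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou",          # the 2017 top 10
    "starwars", "admin", "login", "computer",              # also called out
    "andrew", "daniel", "andrea", "1989", "1990", "1991", "1992",
]

# Common letter-for-symbol swaps, mapped back to the letter (assumed table).
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
        "7": "t", "@": "a", "$": "s", "!": "i"}


def deleet(candidate):
    """Lowercase, drop spaces and undo the substitutions in LEET."""
    flat = candidate.lower().replace(" ", "")
    return "".join(LEET.get(ch, ch) for ch in flat)


def edit_distance(a, b):
    """Levenshtein distance; one insert, delete or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def reject_reason(candidate):
    """Return why the candidate is rejected, or None if it passes."""
    forms = [candidate.lower()]
    if deleet(candidate) not in forms:
        forms.append(deleet(candidate))
    # Exact hit after undoing substitutions (e.g. passw0rd -> password).
    for bad in BLOCKLIST:
        if bad in forms:
            return f"matches blocklisted password {bad!r}"
    # Near miss: one dropped, added or swapped character (e.g. passwor).
    for bad in BLOCKLIST:
        if any(edit_distance(form, bad) <= 1 for form in forms):
            return f"is one edit away from blocklisted password {bad!r}"
    return None


if __name__ == "__main__":
    for pw in ("passw0rd", "passwor", "L3tMeIn", "Nt3r $@ndmAn"):
        print(f"{pw!r}: {reject_reason(pw) or 'accepted by this check'}")
```

A real deployment would use a much larger breached-password list than this handful, but the normalization step is what makes the list hard to sidestep.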

Convenience shouldn’t trump security

Most of the top 10 worst passwords have one thing in common: they take absolutely zero effort to type or think about. Half are strings of ascending numbers, and “qwerty” is what you get when you type the letters at the top of most computer and mobile keyboards, which leads to the obvious conclusion that people using them simply typed in a quick string of numbers or letters to satisfy the password character requirements without a second thought to security. Many of the others are common words or phrases, including people’s names (a plethora of first names like Andrew, Daniel and Andrea made the top 100), sports references and even a few colorful insults. We were absolutely appalled to see that 1989, 1990, 1991 and 1992 were on the list by themselves — it’s bad enough to use your full birth date, but a year on its own provides even less protection.

In general, it’s a good rule of thumb to steer clear of using anything that’s easy to guess about yourself in your passwords or security questions. If password fatigue is getting the best of you and you’re finding yourself tempted to use simple passwords or repeat the same one for every site, then your best bet is to use a password manager. These tools not only store your username and passwords, auto-filling them when you visit a website so you don’t have to, but some even help you duck the password creation process by generating strong, secure, unique passwords for you. Read our guide to learn more about password managers and see if it’s a good solution for you.

Ready to learn more about cybersecurity? Dive into our technology blog for the latest news and advice on protecting yourself in the Digital Age.