The Los Gatos, Calif.-based cybersecurity firm SplashData's fifth annual "Worst Passwords List" report revealed people continue to put themselves at risk for data breaches and identity theft by using weak, guessable passwords.
Like last year, the most commonly used passwords were "123456" and "password," according to the report, which highlighted the highly insecure password habits of Internet users.
For the report, SplashData compiled more than two million leaked passwords from 2015. Several new, longer passwords made their debut, perhaps revealing an effort by both website managers and web users to increase security. SplashData noted since the longer passwords remained simple, their extra lengths were virtually worthless as a security measure.
For example, "1234567890," "1qaz2wsx" and "qwertyuiop" (character combinations that appear next to each other on a standard keyboard) all appeared in the top 25 list for the first time. Each is based on simple patterns that hackers could easily guess.
As in past years' lists, simple numerical passwords remain common, with six of the top 10 passwords on the 2015 list containing numbers only.
Sports also remained a popular password theme. While baseball might be as American as apple pie, "football" trumped it as a popular password. Both words appeared in SplashData's top 10 list, with "football" climbing three spots to number seven and "baseball" dropping two spots to number 10.
When it comes to movies and pop culture, the Force might be able to protect the Jedi, but it won't secure users who chose popular Star Wars terms such as "starwars," "solo" and "princess" as their passwords. All three terms made new appearances on the 2015 list.
Other passwords on the 2015 list that did not appear on the 2014 list included "welcome," "login" and "passw0rd."
SplashData, a provider of password management applications, releases its annual list in an effort to encourage the adoption of stronger passwords to improve Internet security. According to SplashData, users in North America and Western Europe mostly held the passwords evaluated for the 2015 list.
"We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns, they will put you in just as much risk of having your identity stolen by hackers," Morgan Slain, CEO of SplashData, said. "As we see on the list, using common sports and pop culture terms is also a bad idea. We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites."
SplashData offered three tips to help people protect themselves: Use passwords or passphrases containing 12 characters or more and a mixture of characters; avoid using the same password repeatedly on different websites; and use a password manager, such as SplashID, to organize and protect passwords, generate random passwords and automatically log into websites.
Below are SplashData's worst passwords of 2015:
- 123456
- Password
- 12345678
- Qwerty
- 12345
- 123456789
- Football
- 1234
- 1234567
- Baseball
- Welcome
- 1234567890
- abc12
- 111111
- 1qaz2wsx
- Dragon
- Master
- Monkey
- Letmein
- Login
- Princess
- Qwertyuiop
- 23
- passw0rd
- starwars
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
Roy Urrico
Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S Interior Department, National Park Service and Warren County (N.Y.).
