The 100 worst passwords of 2018 revealed

'123456' and 'password' are still top of the list, but new entries like 'donald' suggest we're still not cyber secure

list of poor passwords on notepad

The weakest link in cybersecurity is still humans, it would seem, as the annual list of 100 worst passwords has highlighted just how complacent some of us are.

Compiled by software company SplashData, the list is based on 5 million leaked passwords from various data sources around the internet. Predictably, the worst offender for the fifth year running, appearing the most on leaked datasets, was '123456'.

Advertisement - Article continues below

Unfortunately, 'password' came in 2nd, with variations of it like 'pasw0rd' and 'password1' all making the top 30.

From 100 to one there are different variations and expansions of the number one password, such as '123123', '654321', '123456789', and other simple number strings that follow familiar patterns. There's also a running theme throughout that suggests a rather lazy approach to cybersecurity, with many passwords consisting of just one digit used repeatedly, like '111111' and the rather devilish '666666'.

'Football' is still one of the most commonly used passwords on the internet, coming in at 16

A new entry for the year was 'donald', which has become so popular that it's the 23rd most frequently used password on the list. This was one of 11 new entries to make the top 25, all of which, like the rest of the list, fail to take into account basics. Users are regularly urged to use solid password should be unique, about eight to ten characters long and contain a mix of numbers and lower and upper case numbers.

Advertisement - Article continues below
Advertisement - Article continues below

As so many of these simple passwords are continuing to see use, Jake Moore, a cybersecurity expert at ESET, believes that websites could do more to help us.

"With over 925 million cyber-attacks in September 2018 alone, I think it's fair to say everyone needs to up their password game in 2019 and think more carefully about online security," he said.

"However, this needn't just be a dig at the account holders, websites need to ban simple and overused passwords. At the risk of upsetting convenience, being forced to use a complex password will help shed light on the subject and over time build confidence. Using a password manager is a great way to start and they will help out if you're ever stuck for thinking up a complex strong and unique password."

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

The best server solution for your SMB

26 Jun 2020