We talk a lot about data security and protection, but oftentimes, all the security and data protection measures we implement don’t matter when the password used to access the systems is weak, obvious or otherwise hackable. 

The Best of the Worst 

In no particular order, here are our picks for the top 10 worst passwords you can use for any account: 

  1. 123456: Surprisingly, this is still the most common password on the Internet, as determined by its presence on lists of passwords stolen during data breaches. This one pretty much shows all the hallmarks of a terrible password — it’s easy to guess, it’s sequential, it’s short, and it doesn’t have any letters or special characters. And since it’s the most common password, it’s what a hacker or script will try first when trying to access an account. Just say no to this one, people! 
  2. 123457: A slightly sneakier version of “123456,” this password is just barely more secure because it skips from 5 to 7. Still, any script that uses brute force to try password after password won’t take long to come up with this simple combo. 
  3. 123456789: Shockingly, adding even more numbers to “123456” still will not make it secure enough. Seriously, just stop using numerical sequences. 
  4. Abc123!: This password is a great example of obeying the letter of the law but not the spirit. More than six characters long? Check! Contains letters, numbers, a special character and a capital letter? Check! Difficult to guess? Epic fail! 
  5. Password: This may have been a clever password 10 or 15 years ago, and to middle school students it still is! However, in the real world it has long since outlived its usefulness, and it’s another option at the top of the list when hackers try to break into an account. And don’t try any cute variations like “Passw0rd1!” either. Using “password” as your base word is still an invitation to get hacked. 
  6. Admin: “Admin” is an especially heinous password because it is often the default administrator password for new systems and accounts. If you don’t bother changing it, you might as well be inviting hackers to access your privileged accounts! 
  7. Football: Wow, you like football? So do more than 17 million other TV viewers. If you must incorporate a hobby or interest in your password, choose one that’s at least uncommon and includes more than just the word itself. 
  8. Batman: See above. Let the Dark Knight stick to protecting Gotham City rather than your online accounts. 
  9. Princess: Is this referring to you, or a “princess” in your life? Either way, a common dictionary word isn’t strong enough to protect any account. And don’t send a “dragon” or “hero” to rescue this one; those are also super common password root words that will get you hacked. 
  10. Anything involving your personal information: While a password that includes your birthday or your pets’ or kids’ names might be easy to remember, this kind of information is very easy to obtain online from a social media profile, for example. Anyone trying to access an account that they know belongs to you can use this information to significantly narrow down their possible password list. Surely you can find a better tribute to little Billy than your password! 

Password Best Practices 

Even though many sources want the password to die so it can be replaced with more secure authentication methods like biometrics, passwords are so embedded in our access methodology today that their disappearance is a long way off. We still need good passwords as a first line of defense even for accounts that use two-factor authentication, so be sure to follow best practices when creating and managing yours: 

  • Use strong passwords that are statements or strings of words, or that include a mix of letters, numbers and special characters.
  • Choose a password that is at least eight characters long.
  • Use unique passwords for each site, or at the very least, each site that you care about. So don’t use the same password for Spotify and PayPal!
  • To keep track of all your unique passwords, use a password manager with a highly secure password, and preferably, two-factor authentication, to log in.
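
The checker below is an added example, not part of the original article. It shows why a character-class rule alone accepts “Passw0rd1!” yet rejects a long string of words, and how a check built on the weaknesses listed above catches the difference. The function names, the blocklist (built from the words named in the list) and the substitution map are assumptions made for illustration.

```python
import re

# Base words named in the article (constructed blocklist, not a breach corpus).
COMMON_BASES = {"password", "admin", "football", "batman",
                "princess", "dragon", "hero"}
# Small illustrative map that undoes common character substitutions.
LEET = str.maketrans("01345@$!", "oieasasi")

def composition_ok(pw, min_len=8):
    """The 'letter of the law' rule: minimum length plus four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)

def has_sequence(pw, run=3):
    """True if pw contains `run` or more ascending characters (abc, 123)."""
    s, streak = pw.lower(), 1
    for a, b in zip(s, s[1:]):
        step = a.isalnum() and b.isalnum() and ord(b) - ord(a) == 1
        streak = streak + 1 if step else 1
        if streak >= run:
            return True
    return False

def weaknesses(pw, personal=(), min_len=8):
    """Return the reasons a password matches the article's 'worst' patterns."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short")
    if has_sequence(pw):
        reasons.append("sequential run")
    # Drop trailing digits/symbols, then undo substitutions: Passw0rd1! -> password
    core = re.sub(r"[\d\W_]+$", "", pw.lower()).translate(LEET)
    if core in COMMON_BASES:
        reasons.append("common base word")
    # Personal tokens (names, birth years) are supplied by the caller.
    flat = pw.lower()
    if any(len(t) >= 3 and t.lower() in flat for t in personal):
        reasons.append("contains personal info")
    return reasons

if __name__ == "__main__":
    # Constructed sample inputs; "Billy" stands in for a family name.
    samples = ["123456", "Abc123!", "Passw0rd1!", "Billy2015!",
               "maple tractor sings quietly"]
    for pw in samples:
        print(f"{pw!r:32} composition_ok={composition_ok(pw)!s:5} "
              f"weaknesses={weaknesses(pw, personal=('Billy',))}")
```
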