OK, admit it, you’ve probably used a simple and easily hackable password on at least one occasion in your online life. The temptation to create a quick password that’s easy to type and remember is a strong one.

That may explain why so many people still use bad passwords even when they know better. And that may also explain why “123456” has once again claimed the throne as the worst password of the year, according to SplashData’s Annual Worst Passwords List.

Among the passwords that made the grade, or rather failed the grade, “123456” was the worst one for the second year in a row. “123456789” took second place, rising from third last year.

In the No. 3 spot was “qwerty,” up six spots from last year. In fourth place was “password,” which actually dropped two spots from last year. And coming in fifth was “1234567,” up two spots from last year.

Other passwords that made the top 10 were “12345678,” “12345,” “iloveyou,” “111111,” and “123123,” a sign that people can’t seem to resist creating weak passwords via the number keys on their keyboards.

A couple of new entries in the list were “1q2w3e4r” and “qwertyuiop,” which follow the tendency to use contiguous keys on the keyboard to fashion a password.

Although many computer programs now prevent users from creating simple passwords, older programs and some websites still let people create weak passwords that are easily hackable.
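As an added illustration (not code from SplashData or from this article's author), here is a sketch of the kind of check a sign-up form can run to reject the patterns described above. It assumes a US QWERTY layout, uses only the passwords named in this article as its blocklist, and takes its 12-character minimum from SplashData's advice later in the article; the function names are hypothetical.

```python
import re

# Passwords named in this article; a real deployment would load a much
# larger breached-password list instead (assumption for this example).
ARTICLE_BLOCKLIST = {
    "123456", "123456789", "qwerty", "password", "1234567", "12345678",
    "12345", "iloveyou", "111111", "123123", "1q2w3e4r", "qwertyuiop",
}
# US QWERTY rows, the assumed layout for the keyboard-walk check.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def is_keyboard_walk(pw: str) -> bool:
    """True if every keystroke lands on a neighbouring key (or the same key)."""
    pw = pw.lower()
    if len(pw) < 4 or any(ch not in KEY_POS for ch in pw):
        return False
    return all(
        abs(KEY_POS[a][0] - KEY_POS[b][0]) <= 1
        and abs(KEY_POS[a][1] - KEY_POS[b][1]) <= 1
        for a, b in zip(pw, pw[1:])
    )


def weaknesses(pw: str, min_len: int = 12) -> list[str]:
    """Return the reasons a candidate password should be rejected."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short")
    if pw.lower() in ARTICLE_BLOCKLIST:
        reasons.append("on worst-passwords list")
    if is_keyboard_walk(pw):
        reasons.append("keyboard walk")
    # One chunk repeated end to end, e.g. "123123" or "111111".
    if re.fullmatch(r"(.+?)\1+", pw):
        reasons.append("repeated pattern")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any leak.
    for candidate in ["1q2w3e4r", "123123", "violet-Tram7 hums quietly"]:
        print(f"{candidate!r}: {weaknesses(candidate) or 'accepted'}")
```

The keyboard-walk test catches long sequences that are not on any list, which a blocklist alone would miss.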

Of course, devising a password remains one of the most challenging and frustrating tasks for many technology users. Designing a password that’s complex and secure but easy to remember seems like an exercise in futility, especially when experts advise us to use a different password for each site.

To save time and frustration, too many people simply concoct a password based on easily guessable phrases and obvious alphanumeric keys.

Almost 10% of people have used at least one of the 25 worst passwords on this year’s list, according to SplashData, while nearly 3% have used the worst password “123456.” The more than five million leaked passwords that made the 2019 list were used mostly by people in North America and western Europe. Passwords hacked from adult websites were not included in the report.

“Our hope by publishing this list each year is to convince people to take steps to protect themselves online, and we think these and other efforts are finally starting to pay off,” SplashData CEO Morgan Slain said in a press release. “We can tell that over the years people have begun moving toward more complex passwords, though they are still not going far enough as hackers can figure out simple alphanumeric patterns.”

To strengthen your passwords, SplashData offers the following advice:

  1. Use passphrases of 12 characters or more with mixed types of characters. This is a solid recommendation as passphrases can be easier to remember than complex passwords and provide equal or greater security.
  2. Use a different password for each of your logins. If one of your passwords is compromised, a hacker won’t be able to use it to access other sites and accounts. This advice is easier said than done if you use complex passwords that are difficult to remember. But if you turn to passphrases, using a different one at each site may be more doable.
  3. Protect your assets and identity by using a password manager. A password manager can generate secure and random passwords and automatically log you into websites. Some people may question the security of password managers, especially ones that are unlocked with just a master password and store your data online, albeit in an encrypted format. But until passwords become a relic of the past, a good password manager is your best bet, especially if you have to juggle hundreds of different passwords.

To SplashData’s advice, I would add the following:
Take advantage of other authentication methods beyond your passwords. Use two-factor authentication with apps and websites that support it. Use fingerprint and facial recognition and other biometric technologies to better protect your computers, mobile phones, and other devices. And use browser plug-ins and other tools such as Google Chrome’s Password Checkup and Firefox Monitor, which can alert you if your account has been part of a website breach.
