Revealed: 25 worst passwords of 2014 – is yours one of them?

‘123456’ and ‘password’ continue to top the list. (Shutterstock)

You don’t have to be Sherlock Holmes to realise that passwords are the key to your personal, work and financial information – and that only the trickiest ones will keep the average hacker from snooping around your social media, email and other online accounts.

That said, it is part frustrating and part entertaining to see how many of us continue to act juvenile and keep passwords like ‘123456’ and ‘password’, thinking we’re so smart to have ‘discovered’ these unique ones.

Well, there’s news for such people and others who think it’s a good idea to base passwords on their favourite sport or sports team, or their birth year or even their children.

SplashData has announced its annual list of the 25 most common passwords found on the Internet – thus making them the “worst passwords” that will expose anybody to being hacked or having their identities stolen.

Compiled from more than 3.3 million leaked passwords during 2014, this is SplashData’s fourth annual report – and it shows that despite there being a record number of hacking and stolen identity cases in 2014, some people will not learn.

Holding the top two spots that they have held each year since the first list in 2011 are ‘123456’ and ‘password’. You know what – ‘hackers welcome’ would have been a more secure password (please don’t use that now!).

“The bad news from my research is that this year’s most commonly used passwords are pretty consistent with prior years,” says Mark Burnett, online security expert and author of ‘Perfect Passwords’.

This year, SplashData has collaborated on the list with Burnett, but maintains that, just like in previous years, simple numerical passwords remain common, with nine of the top 25 passwords on the 2014 list comprised of numbers only.

“Passwords based on simple patterns on your keyboard remain popular despite how weak they are,” said Morgan Slain, CEO of SplashData. “Any password using numbers alone should be avoided, especially sequences.”

The other passwords in the Top 10 include ‘qwerty,’ ‘dragon,’ and ‘football.’ Really, qwerty? “As more websites require stronger passwords or combinations of letters and numbers, longer keyboard patterns are becoming common passwords, and they are still not secure,” Slain said.

For example, users should avoid a sequence such as 'qwertyuiop', which is the top row of letters on a standard keyboard, or '1qaz2wsx', which comprises the first two ‘columns’ of numbers and letters on a keyboard.

To be fair, with a growing number of passwords to remember, users are hard-pressed to come up with unique ones for different accounts that they will remember. In addition, certain passwords – like those for bank accounts, etc. – have an expiry date and must be changed after a predetermined period.

To top it off, certain websites have the added restriction of not allowing the use of previously expired passwords, making the task even more difficult than it already is. However, it shouldn’t be too difficult to understand that the primary goal of all these exercises is to keep our accounts secure – and that by using passwords such as ‘trustno1’ or ‘letmein’, we’re actually inviting hackers to have a field day with our accounts.

“The 2014 list of worst passwords demonstrates the importance of keeping names, simple numeric patterns, sports and swear words out of your passwords,” says SplashData. Passwords appearing for the first time on SplashData’s list include (surprise, surprise) ‘superman’ and ‘batman.’

While Valentine’s Day is less than a month away, ‘iloveyou’ is one of the nine passwords from 2013 to fall off the 2014 list. That doesn’t mean that you’ll be a genius to now use that – it’ll still rank pretty high in the top 100 worst passwords list!

According to SplashData, provider of the SplashID line of password management applications, the passwords evaluated for the 2014 list were mostly held by users in North America and Western Europe. In 2014, millions of passwords from Russian accounts were also leaked, but these passwords were not included in the analysis.

SplashData's list of frequently used passwords shows that many people continue to put themselves at risk by using weak, easily guessable passwords.

Other tips from a review of this year’s Worst Passwords List include:

· Don’t use a favourite sport as your password – ‘baseball’ and ‘football’ are in the top 10, and ‘hockey,’ ‘soccer’ and ‘golfer’ are in the top 100. Don’t use a favourite team either, as ‘yankees,’ ‘eagles,’ ‘steelers,’ ‘rangers,’ and ‘lakers’ are all in the top 100.

· Don’t use your birthday or especially just your birth year – 1989, 1990, 1991, and 1992 are all in the top 100.

· While baby name books are popular for naming children, don’t use them as sources for picking passwords. Common names such as ‘michael,’ ‘jennifer,’ ‘thomas,’ ‘jordan,’ ‘hunter,’ ‘michelle,’ ‘charlie,’ ‘andrew,’ and ‘daniel’ are all in the top 50.

Also in the top 100 are swear words and phrases, hobbies, famous athletes, car brands, and film names.

“The good news is that it appears that more people are moving away from using these passwords. In 2014, the top 25 passwords represented about 2.2 per cent of passwords exposed. While still frightening, that’s the lowest percentage of people using the most common passwords I have seen in recent studies,” Burnett said.

SplashData releases its annual list in an effort to encourage the adoption of stronger passwords. “As always, we hope that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites,” says Slain.


The Worst Passwords of 2014 – and how they stack


1. 123456 (Unchanged from 2013)
2. password (Unchanged)
3. 12345 (Up 17)
4. 12345678 (Down 1)
5. qwerty (Down 1)
6. 1234567890 (Unchanged)
7. 1234 (Up 9)
8. baseball (New)
9. dragon (New)
10. football (New)
11. 1234567 (Down 4)
12. monkey (Up 5)
13. letmein (Up 1)
14. abc123 (Down 9)
15. 111111 (Down 8)
16. mustang (New)
17. access (New)
18. shadow (Unchanged)
19. master (New)
20. michael (New)
21. superman (New)
22. 696969 (New)
23. 123123 (Down 12)
24. batman (New)
25. trustno1 (Down 1)

SplashData’s tips and tricks to be safer from hackers online:

1. Use passwords of eight characters or more with mixed types of characters.

2. Avoid using the same username/password combination for multiple websites.

3. Use a password manager (such as SplashID) to organise and protect passwords, generate random passwords, and automatically log into websites.
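
The advice above, turned into a screening check that a sign-up form could run; this is an added example, not SplashData's code. It rejects the 25 listed passwords, digit-only strings, bare birth years, and keyboard rows or columns such as 'qwertyuiop' and '1qaz2wsx'. The function names, the four-character minimum for a keyboard run, the 19xx/20xx year pattern and reading "mixed types" as at least two character classes are assumptions.

```python
import re

# The 25 passwords from SplashData's 2014 list above.
WORST_25 = {
    "123456", "password", "12345", "12345678", "qwerty", "1234567890",
    "1234", "baseball", "dragon", "football", "1234567", "monkey",
    "letmein", "abc123", "111111", "mustang", "access", "shadow",
    "master", "michael", "superman", "696969", "123123", "batman",
    "trustno1",
}

# Alphanumeric rows of a standard QWERTY keyboard; zip() yields the
# top-to-bottom "columns" the article mentions ('1qaz', '2wsx', ...).
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_COLUMNS = {"".join(col) for col in zip(*KEY_ROWS)}


def is_keyboard_walk(pw):
    """True for a run along one row (either direction) or whole columns."""
    low = pw.lower()
    if len(low) < 4:  # assumed minimum length for a "pattern"
        return False
    if any(low in row or low[::-1] in row for row in KEY_ROWS):
        return True
    chunks = [low[i:i + 4] for i in range(0, len(low), 4)]
    return all(chunk in KEY_COLUMNS for chunk in chunks)


def screen_password(pw):
    """Return the reasons a candidate password should be rejected."""
    reasons = []
    if len(pw) < 8:
        reasons.append("too short")
    if pw.lower() in WORST_25:
        reasons.append("top-25 list")
    if pw.isdigit():
        reasons.append("digits only")
    if re.fullmatch(r"(19|20)\d\d", pw):  # assumed birth-year pattern
        reasons.append("birth year")
    if is_keyboard_walk(pw):
        reasons.append("keyboard pattern")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, pw)) for c in classes) < 2:
        reasons.append("single character type")
    return reasons
```

An empty list means the candidate passed these checks only; it says nothing about reuse across sites, which the second tip covers.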

