University of Wisconsin–Madison
Trophy with Thumbs Down Icon

Worst passwords of 2016

Here’s an easy task for today: Make sure your passwords aren’t on the list below. If they are, think about changing them now.

Security firm SplashData each year compiles a list of the worst passwords that are easy to break because of their commonality. This year’s list was drawn from over 5 million leaked emails. The passwords were mostly held by users in North America and Western Europe.

Before we take a look at the list, we’ll remind you that:

Now is a great time to update your password

  • Use at least 8 characters
  • Don’t use a word that’s in the dictionary
  • Don’t use your pet’s name or names of relatives
  • Use uppercase, lowercase, digits, and special characters
  • Consider creating a short sentence or passphrase using a combination of uppercase, lowercase, digits, and special characters – For example “Edl0ve$s@!l1ng”

Also, take a look at our Guide To Creating Strong Passwords.

Time it takes to steal your password

Password Length Upper and Lower Case Letters Upper and Lower Case Letters with Numbers Upper and Lower Case Letters, Numbers, and Special Characters
8 11 seconds 44 seconds 20 minutes
12 2 years 20 years 3,018 years
16 18,000,000 years 302,000,000 years
Note: For this exercise we used which only provides an estimate for the password useful life. There are many variables such as attack speed, lockout timers, forced password changes, etc.

The 25 worst passwords for 2016

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. football
  6. qwerty
  7. 1234567890
  8. 1234567
  9. princess
  10. 1234
  11. login
  12. welcome
  13. solo
  14. abc123
  15. admin
  16. 121212
  17. flower
  18. passw0rd
  19. dragon
  20. sunshine
  21. master
  22. hottie
  23. loveme
  24. zaq12aq1
  25. password1

Worst passwords for 2015