
The 25 worst passwords in 2019

Here’s an easy task for today: make sure your passwords aren’t on this list. If they are, please change them today.

Here are the 25 passwords from SplashData’s top 50 list, along with each one’s change in rank relative to last year’s list.

  1. 123456 (unchanged)
  2. 123456789 (up 1)
  3. qwerty (up 6)
  4. password (down 2)
  5. 1234567 (up 2)
  6. 12345678 (down 2)
  7. 12345 (down 2)
  8. iloveyou (up 2)
  9. 111111 (down 3)
  10. 123123 (up 7)
  11. abc123 (up 4)
  12. qwerty123 (up 13)
  13. 1q2w3e4r (new)
  14. admin (down 2)
  15. qwertyuiop (new)
  16. 654321 (up 3)
  17. 555555 (new)
  18. lovely (new)
  19. 7777777 (new)
  20. welcome (down 7)
  21. 888888 (new)
  22. princess (down 11)
  23. dragon (new)
  24. password1 (unchanged)
  25. 123qwe (new)

What makes a good password?

Now that we’ve shown you what passwords not to use, let’s look at the password recommendations from the Office of Cybersecurity and see what makes a good password:

Passwords must:

  • Be at least 8 characters long when paired with multi-factor authentication (MFA) or at least 16 characters (i.e., a passphrase) when not paired with MFA.
  • Not occur in a list of commonly used or recently compromised passwords; not contain a proper name, login ID, email address, initials, first name, middle name, or last name; and not have the same character repeated more than four times in a row.
  • Be changed immediately if there is a reason to believe the account has been compromised.
  • Be kept private.
  • Be re-entered on a system once it has been left unattended, with the lock taking effect after at most thirty minutes.
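
The mechanically checkable "must" rules above, written as a validator. This is an added example, not code from the Office of Cybersecurity: the name `check_password`, its parameters, and the case-insensitive matching are assumptions, and the blocklist holds only the 25 passwords listed on this page.

```python
import re

# The 25 passwords listed above (SplashData, 2019), used here as the blocklist.
WORST_2019 = {
    "123456", "123456789", "qwerty", "password", "1234567", "12345678",
    "12345", "iloveyou", "111111", "123123", "abc123", "qwerty123",
    "1q2w3e4r", "admin", "qwertyuiop", "654321", "555555", "lovely",
    "7777777", "welcome", "888888", "princess", "dragon", "password1",
    "123qwe",
}

def check_password(password, mfa_enabled, identifiers=(), blocklist=WORST_2019):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    lowered = password.casefold()

    # Length rule: 8 characters with MFA, 16 (a passphrase) without.
    minimum = 8 if mfa_enabled else 16
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")

    # Not in a list of commonly used passwords (compared case-insensitively).
    if lowered in blocklist:
        problems.append("on the common-password list")

    # No name, login ID, email address or initials inside the password.
    # Assumption: identifiers shorter than 2 characters are skipped.
    for ident in identifiers:
        ident = ident.casefold()
        if len(ident) >= 2 and ident in lowered:
            problems.append(f"contains personal identifier '{ident}'")

    # Same character more than four times in a row, i.e. a run of five or more.
    if re.search(r"(.)\1{4,}", password):
        problems.append("same character repeated more than four times in a row")

    return problems
```

A production blocklist would also include recently compromised passwords, as the rule requires; the 25 entries here only cover the list on this page.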

Additionally, we recommend that passwords:

  • Be unique for each account. To help with this, it is recommended you use a password manager.
  • Contain a mix of character types (i.e., uppercase, lowercase, numbers, and special characters).
  • Be changed periodically.
  • Only be given to more than one individual for shared accounts when it is necessary to share information resources and there is no practical way to provide each person or system a unique account to access those resources.
  • Be required to unlock laptops, mobile devices, and other systems located or used in public places. Also, these devices should have very short time limits for locking, for example, as low as one minute.

Want to update your NetID password?

Updated: February 27, 2020 to clarify the recommendation about passwords and screen locking.