I've been using SplashID, one of the password solutions from SplashData, for a very long time. As a customer, it was easy to find the company's list of bad passwords. I consider the list a tremendous public service because it is not created from casual observation but instead derived from a huge, five-million-item list of leaked passwords.
Alas, the list can be hard to find. The 2018 edition is here and I am in pursuit of the 2019 edition, which I will link when I find it. I have been in touch with SplashData, which graciously gave me permission to publish the 2019 list here. I've shortened it to 25 items; as soon as I get the link to the 2019 list you can see the full 100 items there.
Here are the top 25 most dangerous passwords in 2019:
Why does SplashData call these the "worst" passwords and why do I call them the most dangerous? Because the list above is compiled from a frequency analysis of that long list of leaked passwords. In other words, the most commonly used password in that leaked list is 12345. SplashData is the white hat in this case, but the bad guys who get their hands on compromised data take these results and write their break-in code to use these passwords first, before they begin brute-force attacks.
I have spent quite a bit of time over the past few years advising my clients about the simple measures they can take to improve their personal security and I have always made SplashData's list a cornerstone of my pitch. It nevertheless appalls me to find some of the same horrible passwords at the very top of the list year after year. 12345? Really?
Unfortunately, really. In 2017 I discovered that one of my clients was using one of 2017's top 100 and, worse, extensively violating both golden rules of passwords - choosing good passwords and using a different password for every account, no matter how innocuous the account may seem.
SplashData's list also shines a beacon on what is clearly a serious problem with systems that allow such ridiculous passwords. My Web site content manager, SiteCommander, will not allow a user to choose any of the top 100 in SplashData's list. A few years ago that was not the case and my clients grumbled a bit about coming up with the stronger passwords needed to comply with the new, tougher rules I put in place. But shouldn't Amazon and your bank insist on heavy-duty credentials, too?
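To make the mechanism concrete, here is an added example (not SiteCommander's or SplashData's code) that builds a deny list by frequency analysis and then rejects a new password that appears on it. The sample corpus, the function names and the minimum length of 8 are assumptions made for illustration.

```python
import unicodedata
from collections import Counter

# Constructed sample standing in for a leaked-password corpus.
# These values are illustrative and are not SplashData's data.
SAMPLE_LEAK = (
    ["12345"] * 6 + ["password"] * 4 + ["qwerty"] * 3 + ["letmein"] * 2
    + ["2b[#1^Q5*v71", "correct horse battery staple"]
)

def normalize(password):
    """Fold case and Unicode compatibility forms so that 'Password' or a
    full-width spelling compares equal to the listed entry."""
    return unicodedata.normalize("NFKC", password).casefold().strip()

def build_denylist(leaked, top_n):
    """Frequency analysis: keep the top_n most common normalized passwords."""
    counts = Counter(normalize(p) for p in leaked)
    return {pw for pw, _ in counts.most_common(top_n)}

def check_new_password(candidate, denylist, min_length=8):
    """Return (accepted, reason). min_length is an assumed policy value."""
    if len(candidate) < min_length:
        return False, "too short"
    if normalize(candidate) in denylist:
        return False, "on the common-password list"
    return True, "ok"

if __name__ == "__main__":
    denylist = build_denylist(SAMPLE_LEAK, top_n=3)
    for attempt in ["12345", "Password", "2b[#1^Q5*v71"]:
        print(repr(attempt), check_new_password(attempt, denylist))
```

The comparison is done on a normalized copy only; the password that gets hashed and stored is the one the user typed.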
The big problem with good passwords, of course, is remembering them. That's why SplashData and others are in business - to provide you with the mechanism to remember all those passwords. You may not like the password 2b[#1^Q5*v71 because you can't possibly remember it, but SplashID can recall it for you.