The Most Common Passwords of 2016: Is One of Them Yours?

most common passwords

On January 13, password manager and digital vault Keeper announced on its blog that it had conducted a research study to find the most common passwords of 2016. They focused on 10 million passwords that were uncovered during several data breaches that occurred last year, although they did not include passwords that appeared only in just one breach.

image: NakedSecurity
image: NakedSecurity

The results were mind-blowing, to say the least. First of all, the top 25 list included common and easy-to-guess passwords, such as 123456 (which actually garnered the top spot) and its variations like 1234567, 12345678, 123456789, and 1234567890. “Qwerty”, “qwertyuiop”, “google”, and (worryingly enough) “password” also made the list.

Keeper reveals that the top 25 most common passwords account for more than 50 percent of the 10 million passwords that they studied. They also note that “123456” was used by 17 percent of users.

Why are these findings important?

When you glance at these findings, you might simply think that many people are not so creative with their password choices. However, it goes beyond creativity.

On a deeper level, the fact that these easy-to-remember-but-also-easy-to-crack passwords appear on the top 25 list means that a lot of people are at risk of identity theft and other cyber crimes. Despite repeated warnings from tech experts, millions of internet users are still using passwords that are not safe.

Sure, some users try to increase their safety by using “unique” passwords. This is evidenced by combinations such as “1q2w3e4r”, “1q2w3e4r5t”, and “123qwe”. Still, the fact that these passwords appear on Keeper’s top 25 list (rank 17, 22, and 23, respectively) mean that users’ efforts are not enough and that much stronger passwords are needed.

The study also reflects the fact that website operators are not taking their responsibility seriously. It can’t be denied that it’s the users’ responsibility to set unique and difficult-to-break passwords for their online accounts. However, operators also have the obligation to configure their websites in such a way that they won’t accept simple passwords. If these configurations are in place, users will have no choice but to come up with better and stronger passwords.

Do’s and Dont’s

What should you do if your passwords are on the top 25 list of most common passwords? Here are some guidelines you can use:


  • Change your password right away. In fact, even if your passwords are not on the top 25 list, it’s advisable to take this step if it’s been a long time since you’ve changed passwords (or if you haven’t changed them at all).

  • Come up with unique passwords. Use both upper-case and lower-case letters, as well as numbers and special characters.
  • Replace letters with numbers and special characters. This is one of the best techniques to create a unique password that you can still easily remember. For example, if you really want to use “password”, you can change it to “p455w0rd” then transform this into “p455\/\/0r!)”. It’s relatively stronger but still easy to remember since the numbers and special characters are visually similar to the corresponding letters. (Of course, using a word or phrase other than “password” is highly recommended!)
  • Use a different password for each website. This way, even if a hacker gets his hands on your password from a certain website, he won’t be able to use it to access your other online accounts. There’s a huge difference between someone getting into your BuzzFeed, Cosmopolitan, or Reddit account and someone getting into your online banking account.
  • Use a password manager. If you don’t want the hassle of creating strong passwords and remembering them, a password manager can do it for you.


  • Use common passwords (such as “qwerty” and “123456”) as well as their variations. As Keeper explains, dictionary-based cracking tools can quickly analyze these passwords in mere seconds. Even “zxcvbnm” might seem clever at first but is actually quite easy to crack — since it’s simply the lowest row of letters on a computer keyboard.
image: WebStruck
image: WebStruck
  • Use common personal details as your password, including your birthday, Social Security number, or vehicle license plate number. Hackers can look these up and use them to access your online accounts. Even non-numeral information, such as your favorite sports team or the name of your pet, should not be used. Hackers can follow you on social media, trawl through your posts, and use that info to access your accounts.
  • Write your passwords on a notebook or any other piece of paper. This can get easily misplaced or stolen and put your online accounts at risk.
image: Buffered
image: Buffered

Final Thoughts

Your password is one of the few things that protect your important information from hackers. Use it wisely to keep yourself safe from online attacks! Don’t use the most common passwords.