Epic Facepalm as "123456" Replaces "Password" as Most Common Password

The internet's most-used security keys are also its dumbest.


Recommendations are independently chosen by Reviewed’s editors. Purchases you make through our links may earn us a commission.

If you’re reading this, chances are you have some sort of online identity that you want to protect from the throngs of nefarious hackers who want to hijack your email or Twitter handle and plaster your contacts with ads for fat-burning miracle pills.

It seems a flimsy last line of defense against hackers, but until fingerprint- and eye-scanning technologies go mainstream, the good old alphanumeric password is all you’ve got. So please, avoid all of the combinations found on SplashData’s annual list of the internet’s 25 most common passwords.

This year, "password" fell one spot to No. 2. That might suggest people are getting the hint about web security, were it not for the fact that the new No. 1 most common password is "123456."

The list gets no more creative as it continues, with No. 3 being "12345678" and No. 4 "qwerty."


According to the report, this year’s list was compiled by examining the passwords unearthed in last year’s much-publicized Adobe security breach. Security firm Stricture Consulting Group deciphered and published the most common passwords used by Adobe customers, some of which include the obviously Adobe-specific "adobe123," "photoshop," and "adobe1."

"Seeing passwords like 'adobe123' and 'photoshop' on this list offers a good reminder not to base your password on the name of the website or application you are accessing," said Morgan Slain, CEO of SplashData, in a statement.

Even with recent high-profile security breaches and the seemingly endless parade of password security warnings, it seems clear that users still prefer simplicity over absolute security when it comes to passwords. Twitter famously banned some 370 passwords back in 2009, some of which are dumb enough to make you laugh—like “stupid,” “internet,” and “twitter.” BlackBerry took a similar approach in 2012, banning 106 passwords.

Related content

SplashData endorses using random combinations of words that are easy for you to remember, but difficult for others to guess—something like "monkey_eel_carpet."

For its part, SplashData suggests a few simple tricks to create more hacker-proof passwords. Users should create passwords that are at least eight characters long and use a mix of letters, numbers, and other characters. SplashData also endorses using random combinations of words that are easy for you to remember, but difficult for others to guess—something like "monkey_eel_carpet."

Finally, you should avoid using the same password for multiple sites; never, for instance, should you use the same password for a banking site that you use for Netflix or Facebook. If you follow this advice, it could quickly become difficult to keep track of the myriad passwords you'll accumulate. For that reason, it's probably worth checking out the many password-management apps on the market.

But, whatever: Maybe soon we'll be able to access our online data with a saliva sample. Wouldn't that be cool?

Hero image: Flickr user "ronbennetts" (CC BY 2.0)

Up next