Connect with us

Hi, what are you looking for?


Identity & Access

These Were the Most Common Passwords Used in 2016

Although weak and commonly used passwords have long been one of the most used venues to compromise accounts, they remain at the top of the most popular passwords charts, a recent Keeper Security report reveals.

Although weak and commonly used passwords have long been one of the most used venues to compromise accounts, they remain at the top of the most popular passwords charts, a recent Keeper Security report reveals.

Last year’s mega-breaches once again brought to the spotlight the long-lasting issue of weak passwords, but users remained deaf to security community’s cry for better password hygiene. By the end of the year, “123456” remained the most used password, as 17% of all users out there have been “safeguarding” their accounts with it.

List of most common Passwords

A series of massive data breaches made public last year demonstrated how important the use of strong, complex passwords is. These hacks included Dropbox (68 million accounts impacted), LinkedIn (167 million), Myspace (360 million), Tumblr (65 million), (43 million), and VK (170 million) in early summer, followed by Yahoo! (500 million) in September (the company revealed in December that one billion accounts were impacted in another incident).

If 2016 taught us anything is that the recipe for disastrous account security consists of a weak password and the reuse of this password on multiple services. Attacks on Carbonite, GitHub, Netflix, Facebook, GoToMyPC, Reddit, TeamViewer and Twitter have already proven that cybercriminals are aware of this practice and are quick to exploit it.

While companies such as Amazon and Microsoft were quick to react to the disturbing news, the former by prompting password resets for users whose accounts were compromised in other hacks and the latter by banning commonly used passwords from its services, users are still at risk, as most services fail to take stance and continue to allow users secure their accounts with weak, easily guessable passwords.

According to Keeper Security, the ten most used passwords in 2016 were:

1. 123456

Advertisement. Scroll to continue reading.

2. 123456789

3. qwerty

4. 12345678

5. 111111

6. 1234567890

7. 1234567

8. password

9. 123123

10. 987654321

Keeper Security’s report (PDF), which was compiled after the analysis of 10 million passwords, also reveals that the top 25 most popular passwords are used to secure over 50% of accounts. Some of these passwords are popular because they are used to secure accounts created by bots, but all of them can be cracked within seconds with the use of dictionary-based cracking tools.

Some users, the report reveals, attempt to secure their accounts by employing what they believe would be unpredictable patterns, such as “1q2w3e4r” and “123qwe,” but the wide-spread use of these passwords make them easily predictable as well. What users should do to ensure increased account security is to employ complex passwords and a password manager, so they can have a different password for each of their accounts.

“I can tell you for a fact that without a password manager nearly everyone I know re-uses passwords. Otherwise you have dozens if not hundreds of passwords you need to try and remember. Obviously that won’t work,” Rafal Los, Managing Director, Solutions R&D within the Office of the CISO for Optiv, notes in a SecurityWeek column.

He also points out that service providers shouldn’t focus on policies that force users to use complex passwords and maybe reset them often, but rather on building a good authentication hygiene to drive healthy behaviors in users.

“So, the problem to solve: rather than trying to figure out how complex you can make password requirements before your users revolt is how to maintain good authentication hygiene while driving healthy behaviors from your users. We’re going to be living with passwords for a very, very long time whether you want to admit it or not. Let’s address the root cause of the problems we’re seeing and start being seen as leaders,” Los says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Identity & Access

NSA publishes recommendations on maturing identity, credential, and access management capabilities to improve cyberthreat protections.