Top 10 Bad Passwords

• Facebook
• Twitter
• LinkedIn

LOS GATOS, Calif. -- If you use the number sequence "123456" as a password for anything important like a debit card or email log-in, it may be time to rethink that. And don't switch to "football" or any other sports term either.

SplashData, a password management firm, last month announced its annual list of the 25 most common passwords found on the Internet, a finding that makes them the "Worst Passwords" because they expose anyone to being hacked or having their identities stolen.

In its February cover story, CSP magazine examined the common mistakes c-store retailers make with regards to data security, with weak passwords coming up in several interviews as being a prevalent concern.

Here are SplashData's "Worst Passwords of 2014" and the difference in rank between 2013 and last year (rank and change from 2013):

1. 123456  (no change)
2. password (no change)
3. 12345 (up 17)
4. 12345678 (down 1)
5. qwerty (down 1)
6. 123456789 (no change)
7. 1234 (up 9)
8. baseball (new)
9. dragon (new)
10. football (new)

In its fourth annual report, compiled from more than 3.3 million leaked passwords during the year, "123456" and "password" continue to hold the top two spots that they have held each year since the first list in 2011. Other passwords in the top 10 include "qwerty," "dragon" and "football."

As in past lists, simple numerical passwords remain common, with nine of the top 25 passwords on the 2014 list comprised of numbers only.

Passwords appearing for the first time on SplashData's list include "696969" and "batman."

While Valentine's Day is just around the corner, "iloveyou" is one of the nine passwords from 2013 to fall off the 2014 list.

According to SplashData, the passwords evaluated for the 2014 list were mostly held by users in North America and Western Europe. In 2014, millions of passwords from Russian accounts were also leaked, but these passwords were not included in the analysis.

SplashData's list of frequently used passwords shows that many people continue to put themselves at risk by using weak, easily guessable passwords.

"Passwords based on simple patterns on your keyboard remain popular despite how weak they are," said Morgan Slain, CEO of SplashData, Los Gatos, Calif. "Any password using numbers alone should be avoided, especially sequences. As more websites require stronger passwords or combinations of letters and numbers, longer keyboard patterns are becoming common passwords, and they are still not secure."

For example, users should avoid a sequence such as "qwertyuiop," which is the top row of letters on a standard keyboard, or "1qaz2wsx" which comprises the first two columns of numbers and letters on a keyboard.

Other tips from a review of this year's Worst Passwords list include:

• Don't use a favorite sport as your password--"baseball" and "football" are in top 10, and "hockey," "soccer" and "golfer" are in the top 100. Don't use a favorite team either, as "yankees," "eagles," "steelers," "rangers" and "lakers" are all in the top 100.
• Don't use birthdays or especially birth years--1989, 1990, 1991 and 1992 are all in the top 100.
• While baby-name books are popular for naming children, don't use them as sources for picking passwords. Common names such as "michael," "jennifer," "thomas," "jordan," "hunter," "michelle," "charlie," "andrew" and "daniel" are all in the top 50.
• Also in the top 100 are swear words and phrases, hobbies, famous athletes, car brands and film names.

This is the first year that SplashData has collaborated on the list with Mark Burnett, online security expert and author of "Perfect Passwords."

"The bad news from my research is that this year's most commonly used passwords are pretty consistent with prior years," Burnett said. "The good news is that it appears that more people are moving away from using these passwords. In 2014, the top 25 passwords represented about 2.2% of passwords exposed. While still frightening, that's the lowest percentage of people using the most common passwords I have seen in recent studies."

SplashData releases its annual list in an effort to encourage the adoption of stronger passwords. Slain said, "As always, we hope that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites."

Members help make our journalism possible. Become a CSP member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.