'Starwars' Debuts on List of Worst Passwords of 2017

Many of the old standbys made this year's list of the 25 stolen - and weakest - passwords found dumped online.

Once again, the top two worst and most popular passwords of the year were "123456" and "Password." But one of the newest most commonly found compromised passwords this year was "starwars" at #16.

The 2017 Worst Passwords list, drawn from more than five million stolen passwords found online and in plain text by researchers at password management firm SplashData, represents mostly credentials from users in North America and Western Europe. The list, now in its seventh year, doesn't include credentials exposed in the Yahoo breach, nor from compromised adult websites.

"Starwars," an apparent homage to the wildly popular Star Wars movie franchise, actually beat out the infamous "passw0rd," which came in at #17.

Morgan Slain, CEO of SplashData, says his firm basically scrapes Pastebin and other online lists for exposed passwords. "We don't buy or decrypt any lists" of stolen credentials, he says.

Some of the other usual suspects hit the top ten once again, including "12345678," "qwerty," and "football," and newcomers to the top spots include the slightly longer yet still uncreative "123456789" (#6), "letmein" (#7), and "iloveyou" (#10).

"Over time, people still don't seem to be adopting better password hygiene," Slain says. "This [list] is to encourage people to take passwords more seriously and realize how sharing passwords or using the same one can expose you to risk."

What was obvious once again with this year's list is how passwords often reflect a user's interests, he says. "If you go through the list, you can see what's relevant to people … often people's names and pets' names, and a lot of popular culture."

According to SplashData, about 10% of users have employed at least one of the top 15 worst passwords on the 2017 list, while 3% have chosen the infamous number one password, "123456."

While Slain says his company can't definitively discern when the exposed passwords were created, some are years old, he says.

But a new survey of 1,000 Americans by Visa shows that consumers are getting a bit weary of the password drill: 70% of the respondents consider biometrics simpler than passwords, and some 46% believe biometric authentication is more secure. Close to one-third have used fingerprint authentication on one or two occasions, while 35% do so on a regular basis. Half consider the big selling point of biometrics to be no longer having to remember multiple passwords.

The catch, notes SplashData's Slain, is that with Apple's biometric options, for instance, you still have a password for your device. "When you update your device, you have to use the password behind the Touch ID, and if you haven't used the password in ages because you're using a fingerprint or" facial recognition, it's harder to recall the password, he says.

SplashData recommends that users set up passphrases of 12 characters or more, with upper- and lower-case letters and a mix of characters, and avoid password reuse among multiple online accounts.

Table 1: Top Worst Passwords of 2017

Rank     Password
1     123456
2     Password
3     12345678
4     qwerty
5     12345
6     123456789
7     letmein
8     1234567
9     football
10     iloveyou
11     admin
12     welcome
13     monkey
14     login
15     abc123
16     starwars
17     123123
18     dragon
19     passw0rd
20     master
21     hello
22     freedom
23     whatever
24     qazwsx
25     trustno1
Source: SplashData
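
The following added example (not code from SplashData or the original article) screens a candidate password at set time against Table 1 and the length and character-mix advice above. The look-alike map, the suffix-stripping step and the reading of "a mix of characters" as "at least one non-letter" are assumptions made for illustration.

```python
# Added example: screen candidate passwords against Table 1 plus the length/mix advice.
TABLE_1 = """123456 Password 12345678 qwerty 12345 123456789 letmein 1234567
football iloveyou admin welcome monkey login abc123 starwars 123123 dragon
passw0rd master hello freedom whatever qazwsx trustno1""".split()

# Assumption (not from the article): treat common look-alike characters as letters.
LOOKALIKES = str.maketrans("01345$@!", "oleassai")
SUFFIX_CHARS = "0123456789!@#$%^&*.?_-"  # assumed set of padding characters


def canonical(text):
    """Case-fold and undo look-alike swaps so 'P@ssw0rd' and 'password' compare equal."""
    return text.casefold().translate(LOOKALIKES)


DENYLIST = {canonical(p) for p in TABLE_1}


def listed_base(candidate):
    """Return the Table 1 entry the candidate is built on, or None."""
    # Check the password as typed, then with trailing digits/symbols removed.
    for form in (candidate, candidate.rstrip(SUFFIX_CHARS)):
        if form and canonical(form) in DENYLIST:
            return next(p for p in TABLE_1 if canonical(p) == canonical(form))
    return None


def problems(candidate):
    """List the reasons a candidate fails the list check or the article's advice."""
    found = []
    base = listed_base(candidate)
    if base is not None:
        found.append(f"based on listed password {base!r}")
    if len(candidate) < 12:
        found.append("shorter than 12 characters")
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        found.append("needs upper- and lower-case letters")
    if all(c.isalpha() for c in candidate):
        found.append("needs a non-letter character")
    return found
```

A candidate such as "Starwars2017!" satisfies the length and character-mix rules yet is still rejected, because it is a listed password with padding appended.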