Worst passwords of 2015: Star Wars references sneak onto list

Enough with "123456" already! SplashData's annual list of the worst passwords in use includes some old favorites and some new sci-fi-inspired phrases.

Please, don't use "qwerty" for a password.

Amanda Kooser/CNET

As much as I hate it when a website tells me my password needs to include 25 non-repeating letters in both capitals and lowercase, with at least nine special characters, my grandmother's maiden name and five numbers from a fictional language, I know the site at least has my safety and security in mind. But not every piece of technology requires such an unguessable code and tech users are still taking advantage of that fact by relying on absolutely awful passwords.

Security applications and services company SplashData on Tuesday released its annual list of the worst passwords. The 2015 edition bears a striking resemblance to the 2014 version, but there are some interesting new developments, including a leaning toward Star Wars.

As hard as it is to believe, "123456" once again tops the list, just like last year. The second slot is also unchanged and holds the truly terrible "password." The only marginally better "12345678" comes in third, and the lazy "qwerty" takes up the fourth position. Things don't really change much until we look at the seventh slot, which contains "football." The sporting pastime comes in above "baseball" at No. 10.

The bottom of the top-25 list is where things get really geeky. The password "solo" comes in at No. 23 and "starwars" debuts at No. 25. The word "princess" comes in at No. 21, but it's impossible to tell if it's wishful thinking or a reference to Princess Leia. None of these reached the heady heights of the mythical "dragon" at No. 16, a password that dropped seven spots since the 2014 list.

SplashData compiled the list based on more than 2 million passwords leaked during the last year, the majority of which come from North America and Western Europe.

The 2015 list includes some attempts at longer passwords, such as "1234567890" and "qwertyuiop." "The longer passwords are so simple as to make their extra length virtually worthless as a security measure," SplashData notes.

As usual, SplashData offers some helpful suggestions for strong passwords, which people who use "123456" will probably promptly ignore. Here are the tips: Have at least 12 characters with mixed types of characters. Use different passwords for different sites. Consider using a password manager to handle the hard work. (SplashData makes one of these, so you can see the marketing angle here.)

Here is the complete list:

1 - 123456 (unchanged from 2014)
2 - password (unchanged)
3 - 12345678 (up 1)
4 - qwerty (up 1)
5 - 12345 (down 2)
6 - 123456789 (unchanged)
7 - football (up 3)
8 - 1234 (down 1)
9 - 1234567 (up 2)
10 - baseball (down 2)
11 - welcome (new)
12 - 1234567890 (new)
13 - abc123 (up 1)
14 - 111111 (up 1)
15 - 1qaz2wsx (new)
16 - dragon (down 7)
17 - master (up 2)
18 - monkey (down 6)
19 - letmein (down 6)
20 - login (new)
21 - princess (new)
22 - qwertyuiop (new)
23 - solo (new)
24 - passw0rd (new)
25 - starwars (new)

Featured Video