123456. Believe it or not, this was the most common password used in 2018! It doesn’t get much better from there either – number 2 in the list is the word “password”. I’ve personally seen this used a number of times.

The top 25 list was recently revealed by SplashData, which publishes an annual report listing the most common passwords from each year. Some passwords stay in the list from year to year, while others enter and leave the top 25. For example, in 2018, the password “donald” joined the list at position 23.

Here is the list for 2018, showing which passwords are new and which have changed position:


1. 123456 (Unchanged)

2. password (Unchanged)

3. 123456789 (Up 3)

4. 12345678 (Down 1)

5. 12345 (Unchanged)

6. 111111 (New)

7. 1234567 (Up 1)

8. sunshine (New)

9. qwerty (Down 5)

10. iloveyou (Unchanged)

11. princess (New)

12. admin (Down 1)

13. welcome (Down 1)

14. 666666 (New)

15. abc123 (Unchanged)

16. football (Down 7)

17. 123123 (Unchanged)

18. monkey (Down 5)

19. 654321 (New)

20. !@#$%^&* (New)

21. charlie (New)

22. aa123456 (New)

23. donald (New)

24. password1 (New)

25. qwerty123 (New)



Number 20 looks secure, doesn’t it? But then look at the top row of your keyboard, left to right, as the “shift” key is pressed…

If you’re using any of the above passwords, I’d recommend that you change them as soon as possible!
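For anyone who runs a sign-up form, here is one way to screen new passwords against the list above, including the shift-key trick behind number 20. This is an added example, not part of the original post; it assumes a US keyboard layout, and the function names and reason strings are made up for illustration.

```python
# Constructed blocklist: the 25 passwords from the 2018 list above.
TOP_25 = {
    "123456", "password", "123456789", "12345678", "12345", "111111",
    "1234567", "sunshine", "qwerty", "iloveyou", "princess", "admin",
    "welcome", "666666", "abc123", "football", "123123", "monkey",
    "654321", "!@#$%^&*", "charlie", "aa123456", "donald", "password1",
    "qwerty123",
}

# Assumption: US keyboard layout. Maps shifted number-row symbols to digits.
UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")
KEY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def normalise(password):
    """Lowercase and undo the shift key on the number row."""
    return password.lower().translate(UNSHIFT)


def is_keyboard_walk(password, min_len=5):
    """True if the whole password is one run along a key row, either direction."""
    s = normalise(password)
    if len(s) < min_len:
        return False
    return any(s in row or s in row[::-1] for row in KEY_ROWS)


def screen(password):
    """Return a rejection reason, or None if no check fires."""
    if password.lower() in TOP_25:
        return "listed"
    if normalise(password) in TOP_25:
        return "listed-shifted"
    if is_keyboard_walk(password):
        return "keyboard-walk"
    if len(set(password)) == 1:
        return "repeated-character"
    return None


if __name__ == "__main__":
    for candidate in ("Password", "!@#$%^", "%$#@!", "asdfgh", "zzzzzzzz",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {screen(candidate) or 'not rejected'}")
```

Passing this screen does not make a password strong, and it does nothing about the same password being reused on several sites.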

So how does SplashData know that people are using these passwords? When businesses are hacked and lose customer information, sometimes this includes passwords. These username/password combinations are usually sold on for criminal use, and often end up publicly available. SplashData then analyses this data to determine which are the most commonly used passwords.

You can check to see if your information is contained in any of this stolen data using a tool on my website:


If you enter your email address it will warn you if your personal information has been previously stolen through a hacked business.

A complex password is only any good if you don’t use it on multiple sites. You can have the most complex password in the world, but if you use it on different websites and one of those websites gets hacked, then your password may as well be 123456.

Take for example the recent hack at Marriott. If you didn’t already know, Marriott recently merged with Starwood (Sheraton/Westin etc). Unbeknownst to either Marriott or Starwood, hackers had already infiltrated Starwood’s booking system. The hackers had stolen personal details on over half a billion Starwood customers! Now the passwords that were stolen were encrypted, so that’s good; however, Marriott aren’t 100% sure that the hackers didn’t also steal the decryption keys!

So, if you had a Starwood account, and you used the same password with them as you did on other sites, I’d suggest that you get busy and change them all to unique, complex passwords!

What’s interesting about this particular hack (other than the sheer scale of it) is that the stolen details haven’t appeared on the black market yet. It’s suspected that this particular hack was actually organised by the Chinese government in an attempt to disclose details on other government operatives and also Chinese citizens. We’ll probably learn more over time about this as details start to leak.

Until next time, head on over to the hack check tool on my website, and start using different passwords (and complex ones) on each account that you sign up for.