The worst passwords of 2019: They're so weak even a novice hacker could crack them

Cybercriminals have upped their game in recent years, and it’s time you did, too.
By Herb Weisbaum

It doesn’t make any sense. We worry about criminals breaking into our digital accounts, and yet we make it easy for them to do it by using appallingly poor passwords.

Just look at the Worst Passwords for 2019 from SplashData (a company that sells secure password managers). Do you use any of the ones on the Top 10 list?

  1. 123456 (same as last year)

  2. 123456789 (longer, but no more secure)

  3. qwerty

  4. password (No. 2 in 2018)

  5. 1234567

  6. 12345678

  7. 12345

  8. Iloveyou

  9. 111111

  10. 123123

Other weak passwords making the top 25 list include: admin, welcome, 654321 and 55555. All of these are lousy passwords because even a novice hacker could easily crack them.

SplashData generates the worst passwords list by analyzing more than 5 million leaked passwords to see which ones are most commonly shared by online criminals.

“People want to use passwords that are simple and easy to remember, and I get that — we want convenience,” said Morgan Slain, SplashData’s CEO. “But they’re really insecure, especially if you use them over and over again on different accounts.”

SplashData estimates that almost 10 percent of all computer users have at least one of the 25 worst passwords on this year’s list and nearly 3 percent use the worst one, 123456.

“It’s a little bit sad and frightening, given that we're seeing so many hacks,” Slain told NBC News BETTER. “Hackers will try the most common passwords first whenever they’re trying to breach an account, so people [using them] are putting themselves at much higher risk of having their identity stolen.”

THE POTENTIAL FOR A CASCADING FAILURE

The potential for serious trouble goes up dramatically if you use the same weak password on more than one account. If just one account is compromised, all of them are at risk. Brett Johnson, a former identity thief who is now a digital security consultant, says about 80 percent of people with online passwords use the same one for multiple websites.

“Criminals know that and take advantage of it,” Johnson told NBC News BETTER. “All they need to do is get the password for one website and they have access to every single one you use … your bank account, credit card, maybe tax return, everything across the board.”

If such a cascading failure happens, it can take weeks, months or longer to recover your digital identity.

BUILDING A BETTER PASSWORD

Today’s cybercriminals, armed with the latest technology, are able to launch what are called brute force attacks. They use automated programs that can guess millions of password combinations per second.

Anything a human can remember is easily cracked by these algorithms, which aren’t fooled by common tricks, such as replacing 0 with O or a with @.

So, how do you protect your online accounts? Digital security experts contacted by NBC News BETTER shared this advice:

1. CREATE STRONG PASSWORDS

The rules vary on the definition of strong. Some experts say a password should be 12 to 20 characters long. Others suggest a series of random words. They all agree that common phrases, song or movie titles, sports teams, your birthday or your dog’s name won’t cut it.

The best way to create truly random passwords that are harder to crack is to download a password manager app, such as Dashlane, LastPass or KeePass, and let it create them for you. (More on password managers below.)

You can use a password checker to see if you’ve chosen a good password. For example, NordPass shows that the password “987654321” has been exposed 594,495 times and My1Login estimated that it could be cracked in 0.01 seconds.
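As an added illustration (not code from the article or from any product it names), the sketch below shows why the substitution tricks mentioned above do not help and what a generated password looks like by comparison. The look-alike map, the function names and the 20-character default are assumptions made for this example.

```python
import math
import secrets
import string

# The top 10 from the article plus the four other top-25 entries it names.
COMMON = {"123456", "123456789", "qwerty", "password", "1234567", "12345678",
          "12345", "iloveyou", "111111", "123123", "admin", "welcome",
          "654321", "55555"}
# Constructed look-alike map (an assumption, not from the article).
LEET = str.maketrans({"0": "o", "@": "a", "$": "s", "1": "i", "!": "i", "3": "e"})
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def variants(candidate):
    """Lower-case forms with look-alikes undone and trailing digits/symbols cut."""
    lowered = candidate.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    forms = {lowered, lowered.translate(LEET), stripped, stripped.translate(LEET)}
    return forms - {""}

def is_digit_run(candidate):
    """True for ascending or descending digit sequences such as 987654321."""
    if not (candidate.isascii() and candidate.isdigit()) or len(candidate) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(candidate, candidate[1:])}
    return steps in ({1}, {-1})

def is_weak(candidate):
    """Reject list entries, their disguised forms, repeats and digit runs."""
    if len(set(candidate)) <= 1 or is_digit_run(candidate):
        return True
    return any(form in COMMON for form in variants(candidate))

def generate(length=20):
    """Draw each character independently from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    for pw in ["P@ssw0rd", "Il0veY0u", "W3lc0me!", "987654321", generate()]:
        print(f"{pw!r}: {'weak' if is_weak(pw) else 'ok'}")
    print(f"20 random characters: {entropy_bits(20):.0f} bits")
```

A site can run a check like `is_weak` at signup or password change to refuse listed passwords and their disguised forms before they are ever stored.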

2. CREATE UNIQUE PASSWORDS FOR YOUR MOST IMPORTANT ACCOUNTS

Many of us have dozens of online accounts. While the goal is to have a strong and unique password for every one of them, most people simply won’t do that.

It’s critical to have a unique password — one that’s really strong — on your most sensitive accounts: financial, social media and email. According to Chester Wisniewski, principal research scientist at Sophos (a digital security company), your email accounts are the most critical ones to protect.

“Your financial accounts are very, very important — a close number two — but in so many cases, you can unlock those financial accounts simply by doing a password reset to your email,” Wisniewski said. “Your email account unlocks every other account you own when you hit the password reset button.”

3. CONSIDER USING A PASSWORD MANAGER

You need a way to remember all of those strong passwords — a long string of random letters, numbers and characters — you create.

For someone who only has a few online accounts and is not technically savvy, writing down their passwords and putting that list in a safe place might be the only option. If you are technically savvy, a password manager that generates unique passwords and then remembers them on all of your devices makes sense.

With a password manager, you only have to remember one really complex password — the key to that program — that you guard vigorously and never share with anyone.

Last month, PC Mag evaluated two dozen of the best password managers to help you choose. Some of these companies let you test drive free versions of their product. Apple and Google have password managers built into their operating systems.

4. MULTI-FACTOR AUTHENTICATION IS NOW A BEST PRACTICE

Cybercriminals have upped their game in recent years, and it’s time you did, too. You can make it harder for the bad guys to break into your accounts by using two-factor authentication (2FA) or multi-factor authentication (MFA) at any website that offers these extra levels of security.

Once 2FA or MFA is enabled, it takes more than a password to access that account. You will also need another credential that verifies your identity: something biometric (such as a fingerprint or facial recognition), something physical (such as a smartcard or token) or a code sent via email, phone or app.

Alexander Weiner, director of identity security at Microsoft, says using MFA whenever possible is “the easiest and most effective step you can take” to protect your online accounts.

“The weakest password plus MFA is stronger than the strongest password,” Weiner told NBC News BETTER. “If you get phished, if you get malware, such as a keystroke logger or any number of other mechanisms that can result in you disclosing your password, then it doesn't matter what your password is. It's that second factor that's actually helping you.”

Multi-factor authentication isn’t foolproof, but Microsoft’s statistics show that regardless of the password, MFA correlates with a 99 percent reduction in the rate of compromise.

THE BOTTOM LINE

“You are going to be attacked,” warns former cyberthief Johnson. “It’s not a question of if, but when. And if you’re using an insecure, or easy-to-guess, password, you will become a victim.”
