Password security company SplashData has released its annual list of the most commonly used passwords on the web, and the picture isn’t pretty.

The number one spot belongs to ‘123456’, which is followed by another maddeningly obvious choice, ‘password’. In fact, these two are stalwarts of the most common passwords, having claimed the first two spots for the fifth year in a row.

The next five places are occupied by some of the easiest-to-remember (and guess) assortments of numbers. The coldness of numbers contrasts with some of the next highly-popular choices – ‘sunshine’, ‘iloveyou’ and ‘princess’, with the first and the third of them representing new additions to the list. Unfortunately, despite oozing oodles of optimism, these passwords don’t inspire much confidence in that the netizens using them cultivate some of the most fundamental cyber-hygiene habits. Also new among the top 25 are ‘666666’, ‘charlie’, and ‘donald’, among others.

Rank Password Change from 2017
1 123456 Unchanged
2 password Unchanged
3 123456789 Up 3
4 12345678 Down 1
5 12345 Unchanged
6 111111 New
7 1234567 Up 1
8 sunshine New
9 qwerty Down 5
10 iloveyou Unchanged
11 princess New
12 admin Down 1
13 welcome Down 1
14 666666 New
15 abc123 Unchanged
16 football Down 7
17 123123 Unchanged
18 monkey Down 5
19 654321 New
20 !@#$%^&* New
21 charlie New
22 aa123456 New
23 donald New
24 password1 New
25 qwerty123 New

Source: SplashData’s Top 100 Worst Passwords of 2018

SplashData estimates that no fewer than 10 percent of people “have used at least one of the 25 worst passwords on this year’s list”. In addition, almost 3 percent of people are estimated to have used the most common poor password, ‘123456’.

A cursory look at SplashData’s extended list of the 100 most common passwords shows that almost all of them are short numerical strings or keyboard patterns, first names or words that appear in any English dictionary, and sports or pop culture references. This year’s edition of the ranking is based on more than five million passwords leaked by computer users mostly in North America and Western Europe.

RELATED READING: 5 common password mistakes you should avoid

It goes without saying that if your password made it among those most common password choices, you would be very well advised to change it. A video and several articles with tips for coming up with far more secure passwords are below.

No matter how stubborn, however, a password is still only a single barrier between your account and a hacker. This is why it’s worth enabling an extra layer of security by adding an extra authentication factor, particularly for accounts that contain Personally Identifiable Information (PII) or other important data.

Suggestions for further reading:

How to create strong passwords (without driving yourself mad)

Bad password choices: don't miss the point

No more pointless password requirements

Forget about passwords: You need a passphrase!

Recycling is a must, but why would you reuse your password?

Authentication 101