Hey, guess what? Your passwords probably suck. Most of our passwords suck. To be fair, mine don’t. They’re stupid long, are random, and I never repeat them. Maybe you do the same. If so, you can read this piece, gloat, and revel in how much better at security you are than your neighbors. Or skip it altogether.

But for the rest of you? Your passwords probably suck. So—for #&%@’s sake—make your passwords better!

Passwords Still Somehow Sucked in 2016

Keeper Security (makers of the Keeper password manager, for context) analyzed some 10 million passwords released in security breaches in 2016. Five million of those passwords are in the image below. Oh, sure, there are only 25 passwords in this image, but they account for half of all the passwords in the data set. Because most of you suck at passwords. Behold:

Keeper Security's Top 25 Passwords from 2016

Do you use a password that is on that list? Change it! Seriously, folks. Make your passwords better. Apple’s Safari will generate fairly strong random passwords. So do all of the password managers (my favorite is 1Password). Use these tools. Use a password manager to keep everything straight. Don’t be lazy.

And that one password that somewhat doesn’t suck*—18atcskd2w—but is still somehow in this list? Keeper Security wrote, “According to Security Researcher, Graham Cluley, these accounts were created by bots, perhaps with the intention of posting spam onto the forums.”

OK, makes sense why it’s there. But call me unreassured.

Basic Password Tips for Improving Your Security in 2017

The reality is that if you’re reading this article, you probably have some interest in making your own passwords stronger, or helping those in your family who need that help. Here are some basic tips for better password security that I am shamelessly reusing from an article Jim Tanous wrote for us in 2012:

1.) Every password should have all these things:

  • Uppercase characters
  • Lowercase characters
  • Digits
  • Symbols

2.) Make them long. Safari generates 15-character passwords. Me? I like mine longer. 15 characters is nice. 18 is nicer. 24 characters makes me a little flush, if you know what I mean. Plus, when using a password manager, longer really isn’t much of an issue. Jim Tanous beautifully explained why length matters, so check out that piece if you’re curious.

3.) Never reuse a password: never use the same password on more than one site.
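A worked example of the three tips above, added here and not taken from the article, from Jim Tanous's piece, or from any password manager's code: it generates a password that is long, random (drawn from the OS CSPRNG via `secrets`) and guaranteed to contain every character class, estimates entropy from length and alphabet size (the reason length matters), screens a candidate against a breached-password list, and flags reuse across a vault. The blocklist and vault contents are constructed samples; only `18atcskd2w` comes from the article, and the other blocklist entries are illustrative, not Keeper's list.

```python
"""Password hygiene helpers for the three tips: character classes, length,
no reuse.  Added example; not the article's or any password manager's code."""
import math
import secrets
import string

CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?",
}
ALPHABET = "".join(CLASSES.values())  # 87 characters in total

# Constructed sample standing in for a real breached-password list.  Only
# "18atcskd2w" is quoted by the article; the rest are illustrative.
SAMPLE_BLOCKLIST = {"123456", "password", "qwerty", "111111", "18atcskd2w"}

# Constructed sample vault (site -> password) for the reuse check.
SAMPLE_VAULT = {
    "bank.example": "hunter2",
    "mail.example": "hunter2",
    "forum.example": "Zq7!vLp2#nRt9$wK",
}


def missing_classes(password):
    """Tip 1: names of the character classes the password does not contain."""
    return [name for name, chars in CLASSES.items()
            if not any(c in chars for c in password)]


def entropy_bits(length, alphabet_size):
    """Tip 2: bits of guessing entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)


def entropy_of(password):
    """Estimate entropy assuming the password is random over the classes it
    uses.  Human-chosen passwords are far weaker than this upper bound."""
    present = [cs for name, cs in CLASSES.items()
               if name not in missing_classes(password)]
    return entropy_bits(len(password), sum(len(cs) for cs in present))


def generate_password(length=24):
    """Random password containing at least one character of every class.

    secrets (the OS CSPRNG) is used instead of the random module, whose
    output is predictable.  Forcing one character per class costs a few
    bits versus a fully uniform draw, so the result is slightly under
    length * log2(87) bits.
    """
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    picked = [secrets.choice(cs) for cs in CLASSES.values()]
    picked += [secrets.choice(ALPHABET) for _ in range(length - len(picked))]
    # Fisher-Yates shuffle driven by the CSPRNG so the forced characters
    # are not always in the first four positions.
    for i in range(len(picked) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        picked[i], picked[j] = picked[j], picked[i]
    return "".join(picked)


def assess(password, blocklist=SAMPLE_BLOCKLIST, min_length=15):
    """Return (ok, reasons); ok is False for anything the tips say to change."""
    reasons = []
    if password.lower() in blocklist:
        reasons.append("appears in breached-password list")
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    missing = missing_classes(password)
    if missing:
        reasons.append("missing " + ", ".join(missing))
    return (not reasons, reasons)


def find_reused(vault):
    """Tip 3: map each password used on more than one site to those sites."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in sites_by_password.items()
            if len(sites) > 1}


if __name__ == "__main__":
    print(assess("18atcskd2w"), round(entropy_of("18atcskd2w"), 1))
    fresh = generate_password()
    print(fresh, assess(fresh), round(entropy_of(fresh), 1))
    print(find_reused(SAMPLE_VAULT))
```

The entropy figure is the interesting part: `18atcskd2w` is ten characters over a 36-character alphabet, about 52 bits even if it were truly random, while a 24-character password over all four classes is around 155 bits. That gap, not the symbol count by itself, is why length is the tip that matters most once a manager is remembering the password for you.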

Again, Please Make Your Passwords Stronger

The bad guys are getting stronger. This is just a fact. Criminal organizations, miscreants, and foreign governments alike are getting better and better at breaking into accounts, and at performing the very breaches that yielded the passwords for Keeper Security to analyze.

On the one hand, your stronger password won't keep a company from getting breached. But a strong password is much harder to guess outside of a breach, and if a breached site stored password hashes rather than plaintext, a long random password is also far harder to crack from the stolen dump. In addition, by using a different password on every site, a data breach at one site won't expose you on the others.

*It’s nowhere near long enough, there are no capital letters, and no other characters. It still sucks.


Users aren’t really to blame for bad passwords when they have to remember them. I believe it was Don Norman who described passwords as a “conspiracy against memory.” Usually any password you can remember is, almost by definition, not a good one. There are tricks to remember more obscure and longer passwords, but it’s better to take humans out of the loop to begin with! Safari and iCloud keychain solve the bad password problem somewhat by generating a randomized password that is automatically remembered by keychain so you don’t have to. But why aren’t randomized passwords and client certificates the… Read more »

Scott B in DC

Ok @geoduck and @maxglitz, what do you suggest? What is better than passwords that can be implemented on a wide scale? I deal with large-scale systems on a daily basis. Systems that have to be accessed by a wide variety of people, not just the techno-geeks. No matter the system we use, it’s not going to work. Certificates? Think about how you would teach your least technical family member about how to use certificates. Sorry, that technology has not caught up to the user-friendly stage. Tokens? You go buy everyone tokens. Oh, right… something equivalent, like grid (or Bingo) cards.… Read more »

Lee Dronick

It would help if servers would not allow more than a certain number of attempts, and attempts on several accounts coming from the same location.
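The two server-side controls the comment above describes, as an added example that is not the commenter's or the article's code: a per-account failure limit and a per-source check for one address failing against several accounts (password spraying). The thresholds, the log format and the log lines are assumptions constructed for the example.

```python
"""Login throttling: per-account lockout plus per-source spraying detection.
Added example; thresholds and log format are assumptions, not from the page."""
import re
from collections import defaultdict, deque

WINDOW = 600        # seconds of history considered (assumed)
MAX_FAILS = 5       # failures per account before lockout (assumed)
MAX_ACCOUNTS = 3    # distinct accounts one source may fail against (assumed)


class LoginThrottle:
    def __init__(self, window=WINDOW, max_fails=MAX_FAILS, max_accounts=MAX_ACCOUNTS):
        self.window, self.max_fails, self.max_accounts = window, max_fails, max_accounts
        self.fails = defaultdict(deque)    # account -> timestamps of failures
        self.sources = defaultdict(dict)   # source -> {account: last failure ts}

    def _prune(self, now):
        """Drop history older than the window so lockouts expire."""
        cutoff = now - self.window
        for q in self.fails.values():
            while q and q[0] < cutoff:
                q.popleft()
        for accounts in self.sources.values():
            for acct in [a for a, ts in accounts.items() if ts < cutoff]:
                del accounts[acct]

    def check(self, now, source, account):
        """Decide before the password is even verified; returns (allowed, reason)."""
        self._prune(now)
        if len(self.fails[account]) >= self.max_fails:
            return False, "account locked"
        seen = self.sources[source]
        if account not in seen and len(seen) >= self.max_accounts:
            return False, "source spraying"
        return True, "ok"

    def record(self, now, source, account, success):
        """Record the outcome of an attempt that was allowed through."""
        if success:
            self.fails.pop(account, None)
        else:
            self.fails[account].append(now)
            self.sources[source][account] = now


# Constructed log format: "<epoch seconds> <source ip> <account> <OK|FAIL>".
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (OK|FAIL)$")

# Constructed sample: one source hammering alice, another spraying accounts.
SAMPLE_LOG = [
    "100 198.51.100.9 alice FAIL",
    "101 198.51.100.9 alice FAIL",
    "102 198.51.100.9 alice FAIL",
    "103 198.51.100.9 alice FAIL",
    "104 198.51.100.9 alice FAIL",
    "105 198.51.100.9 alice OK",    # right password, but account is locked
    "200 203.0.113.7 bob FAIL",
    "201 203.0.113.7 carol FAIL",
    "202 203.0.113.7 dave FAIL",
    "203 203.0.113.7 erin FAIL",    # fourth distinct account: blocked
    "204 203.0.113.7 bob FAIL",     # already-seen account: checked normally
    "800 198.51.100.9 alice OK",    # window expired, lockout cleared
]


def replay(lines, throttle=None):
    """Feed log lines through the throttle; returns (ts, source, account, reason)."""
    throttle = throttle or LoginThrottle()
    decisions = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything not in the expected format
        ts, source, account, result = m.groups()
        ts = int(ts)
        allowed, reason = throttle.check(ts, source, account)
        decisions.append((ts, source, account, reason))
        if allowed:
            throttle.record(ts, source, account, result == "OK")
    return decisions


if __name__ == "__main__":
    for decision in replay(SAMPLE_LOG):
        print(decision)
```

Two caveats a practitioner would add: a per-account lockout on its own lets anyone lock a victim out by deliberately failing against their account, which is why the lockout here expires and is paired with the per-source check; and an attacker who spreads attempts across many addresses slips under the per-source threshold, so neither control replaces a strong, unique password.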


Sooner or later we’re going to have to do better than passwords. They’ve gotten so cumbersome for us out here that it’s ridiculous. Yeah, everyone settles for whatever “the new norm” is, but I’m going to be a squeaky wheel. Sure a password management app is one solution, but it’s getting like packing for traveling with a baby if you use someone else’s computer on a trip when you want to use a BIG screen and not a dinky smart phone. Sometimes a smartphone feels like a toy or a settle-for after years of big, easy screens, mice and keyboards.… Read more »


I’m noticing a problem similar to the 6-character password problem — a lot of the sites out there allow 15 characters MAXIMUM. Some of the super-long passwords I’ve tried to set in the last two months have been truncated without telling me. (Thanks to 1Password for noting the actual password the site used!) More worrisome, other websites would refuse to accept a long password for reasons even their tech support couldn’t explain. So, even with a super-long password, one has to stay vigilant. Many of the companies out there aren’t even capable of using current strong password practices. Use… Read more »


Everything you say is true. However, isn’t it really time we just admitted that passwords are obsolete? People can’t remember ones that are strong enough to be any good. Things like Password Key et al. are fine, but really they are just making a stronger lance when the enemy is coming at us with tanks. I don’t know what the answer is, but passwords are just obsolete. Even if you have a 24 character password with everything you mention, enough bots can crack it. Social engineering can divulge it. Backdoors and hackers can make it meaningless. It is time, well past… Read more »