'123456' and 'password' Are Still the Worst Passwords You Can Possibly Use

SplashData have put together their annual list of the worst passwords of 2017. They analyzed more than 5 million leaked passwords and published the 100 most common ones. Take a good look at the list and make sure that none of your passwords appear there.
A closer inspection of the Top 25 reveals that not much has changed since last year. Here's the list:
1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. letmein
8. 1234567
9. football
10. iloveyou
11. admin
12. welcome
13. monkey
14. login
15. abc123
16. starwars
17. 123123
18. dragon
19. passw0rd
20. master
21. hello
22. freedom
23. whatever
24. qazwsx
25. trustno1
"123456" and "password" are hanging on to the first two places for the fourth consecutive year. The top 3 is completed by "12345678", which goes to show that strict rules on password creation don't really work as intended (more on that in a minute). The rest of the passwords are just as dreadful as they were last year.
Entries like "trustno1", "letmein", "123123", and "hello" have replaced other, equally bad ones that were present in 2016's list, like "121212", "zaq1zaq1", "sunshine", and "flower". At the same time, "admin" has climbed four places in twelve months, which suggests that people can't be bothered to change the default password on some devices (or they just take it and use it elsewhere). In at number 16 is "starwars", clearly inspired by the release of the latest episode of the legendary saga, so before you do anything else, head over to Google and see which are the most anticipated movie titles of 2018. Then make sure you don't use them as your passwords.
All in all, the list above shows that people have a shocking disregard for passwords and their purpose. And the reason is clear: passwords are a nuisance.
For years, we were told that good passwords needed to be complicated and changed on a regular basis. That's a lot of effort, and as you can see, the advice hasn't really taken the Internet's population very far. Even the experts from the UK's National Cyber Security Centre admit that they sometimes struggle with staying on top of their passwords, and it's blatantly clear that requirements for special characters, numbers, etc. don't result in stronger passwords. In some cases, they actually backfire, which is probably why there's been a shift in the mood for some years now.
In 2011, xkcd published a webcomic that has since gone viral. According to Randall Munroe, its author, traditional techniques like taking a word and swapping a few characters for special symbols (e.g., "a" for "@") make the password harder to remember and easier to crack than long passphrases that simply consist of several words stitched together. Although Bruce Schneier, a cryptographer and one of the most widely acknowledged specialists in the cybersecurity world, has said that password cracking tools have caught up, in 2017 the US National Institute of Standards and Technology (NIST) revised its password guidelines and said that users should be encouraged to use passphrases instead of convoluted strings of special characters. In addition, NIST advised that forcing people to change passwords regularly does more harm than good.
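Two things above can be made concrete: the check the article asks for at the top (is your password, or a decorated variant of it, on the list?) and the symbol-swap versus passphrase argument. The Python below is an added example, not SplashData's, NIST's or xkcd's code; the leetspeak table, the word-list sizes and the one-bit-per-swap estimate are illustrative assumptions.

```python
import math
import re

# SplashData's 2017 top 25, as quoted above, used here as a blocklist.
WORST_PASSWORDS_2017 = frozenset({
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou", "admin", "welcome",
    "monkey", "login", "abc123", "starwars", "123123", "dragon",
    "passw0rd", "master", "hello", "freedom", "whatever", "qazwsx",
    "trustno1",
})

# Symbol-for-letter swaps of the kind the article mentions ("@" for "a").
# The table is an assumption; real blocklist checkers use larger rule sets.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})
TRAILING_JUNK = re.compile(r"[\d\W_]+$")  # '2018' or '!' tacked onto a word


def blocklisted(password: str, blocklist=WORST_PASSWORDS_2017) -> bool:
    """True if the password, or a trivially decorated variant of it, is on
    the list: case folded, trailing digits/punctuation stripped, leetspeak
    undone.  Mirrors NIST SP 800-63B's advice to screen against known-bad lists."""
    lowered = password.lower()
    stripped = TRAILING_JUNK.sub("", lowered)          # 'monkey2018' -> 'monkey'
    candidates = {lowered, stripped, stripped.translate(LEET_MAP)}  # 'p@ssw0rd' -> 'password'
    candidates.discard("")
    return any(c in blocklist for c in candidates)


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Search space, in bits, of n_words chosen uniformly from a word list
    (the xkcd argument: 4 words from a 2048-word list is 44 bits)."""
    return n_words * math.log2(wordlist_size)


def substituted_word_bits(dictionary_size: int, swappable_letters: int) -> float:
    """Rough search space of one dictionary word with optional symbol swaps:
    the word itself plus about one bit per letter that may or may not be swapped.
    Simplified estimate (assumption); crackers apply such rules automatically."""
    return math.log2(dictionary_size) + swappable_letters


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "Monkey2018", "starwars", "correct horse battery staple"]:
        print(f"{pw!r:32} blocklisted={blocklisted(pw)}")
    print(f"4 words from 2048:        {passphrase_bits(4, 2048):.0f} bits")
    print(f"1 word of 65536, 3 swaps: {substituted_word_bits(65536, 3):.0f} bits")
```

Note the limits of the variant check: it catches "P@ssw0rd!" and "Monkey2018" but not every decoration, which is why NIST pairs the blocklist with a minimum length rather than complexity rules.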
If they're widely adopted, these guidelines will certainly take some of the burden away. Nevertheless, without any additional assistance, people will still struggle to manage all their passwords and make them strong enough without reusing them. We have dozens of online accounts, and our brains simply can't keep track of that many passwords.
That's why security eggheads, Schneier included, say that your best bet is to use a password management application. And they have some solid reasons for saying so.
For one, most password managers come with password generators that create strong, impossible-to-guess passwords. Users can finally create truly secure passwords without having to think about how many symbols or numbers they're using. They can also have different passwords for different accounts, which means that if one of the services they use gets compromised, the rest of their accounts will remain intact. Best of all, all their passwords are stored in an encrypted vault, so they can feel free to forget them.
When it comes to the security of your accounts, using a password manager kills two birds with one stone: you can create unique, strong passwords that can't be cracked, and you don't need to bother remembering them.