According to a study SplashData published in December, based on more than 5 million passwords exposed in breaches last year, far too many were laughably inadequate.

If you are having that same-old, same-old sense of déjà vu, you’re not alone. Another year has come and gone, and consumers are still using the same old bad passwords to protect their accounts.

How bad? Here’s the top 25:

1. 123456
2. password
3. 123456789
4. 12345678
5. 12345
6. 111111
7. 1234567
8. sunshine
9. qwerty
10. iloveyou
11. princess
12. admin
13. welcome
14. 666666
15. abc123
16. football
17. 123123
18. monkey
19. 654321
20. !@#$%^*
21. charlie
22. aa123456
23. donald
24. password1
25. qwerty123

Why It Matters

Hackers are out there in force, and they are looking for smash-and-grab opportunities. One easy way to check whether any of your accounts have already turned up in a breach is a quick visit to Haveibeenpwned.com. Credential stuffers take this kind of purloined login information and try it on other sites where the same credentials were reused, which is why it is essential at the very least to use unique passwords to protect ultrasensitive information, such as financial accounts and medical records.

While remediation for such incursions exists, you can count on losing several hours, if not days, to the process of regaining control of your accounts and securing them, not to mention the unbudgeted time you’ll need to drop everything and learn how to manage and maintain that security.

Despite repeated predictions of its demise as a security mechanism, the use of passwords to protect accounts isn’t going anywhere any time soon. Start 2019 off on a cyber-secure footing by following these simple rules to protect yourself and your information:

  1. Don’t use personal information in your password: In the age of social media, it’s easier than ever to find out detailed information about you. Avoid using the names of your children, pets, spouse, street address, or anything else that can be guessed by a cursory glance at your Facebook profile.
  2. Make it memorable, but not simple: If you have to reset your password each time you log into an account, you’re not only wasting time, you’re exposing yourself to account hijacking. A notification that someone accessed your account and changed your password becomes a lot less likely to stand out if you’re also constantly resetting it. Save yourself a hassle and use a long and strong password you’re able to remember.
  3. Use longer passwords mixed with letters and numbers and symbols: Brute force attacks on passwords often rely on trying possible combinations of numbers and letters until they come across the right one. A hacker can test millions of candidate passwords in less than a second, meaning that a short password consisting of just letters is easy prey. Each additional character multiplies the number of possible combinations by the size of the character set, so the difficulty of cracking a password grows exponentially with its length.
  4. Don’t re-use your passwords: Using the same password on multiple accounts is the equivalent of giving hackers a skeleton key to your identity: if one account is compromised, it’s a safe bet every other one with that password is as well.
  5. Use Two-Factor Authentication: While linking your account logins to a mobile phone isn’t infallible, it does give you an extra bit of protection in case your password is compromised. Be sure to activate Two-Factor Authentication on any account containing sensitive information.
  6. Strategize Your Password Manager: While there is no need to single anyone out here, password managers get hacked, too, and when they do, you can bet the information is deployed quickly. A manager can be great for basic passwords, but bear in mind you will need to disable two-factor authentication for the automated ones to do their thing. For your most sensitive accounts, it’s fine to use a password generator to create your masterpiece of uncrackability, but don’t store it where it can be hacked. An encrypted thumb drive that is password protected or equipped with a biometric stopgap is your best bet. Just make sure that you have a hard copy somewhere safe (like in a safe).
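As an added illustration of rules 3 and 4 (example code written for this page, not from the article or SplashData): a Python check that rejects anything on the top-25 list above, case-insensitively, and estimates worst-case brute-force time from length and character mix, so the growth per extra character is visible. The 10 million guesses per second rate and the 12-character minimum are assumptions.

```python
import string

# The 25 most common passwords from the SplashData list quoted above.
TOP_25 = [
    "123456", "password", "123456789", "12345678", "12345", "111111", "1234567",
    "sunshine", "qwerty", "iloveyou", "princess", "admin", "welcome", "666666",
    "abc123", "football", "123123", "monkey", "654321", "!@#$%^*", "charlie",
    "aa123456", "donald", "password1", "qwerty123",
]
BLOCKLIST = {p.lower() for p in TOP_25}  # compare case-insensitively

# Character classes and their sizes; the keyspace is (sum of classes used) ** length.
CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
           (string.digits, 10), (string.punctuation, 32)]

# Assumed guess rate: a constructed figure matching the article's
# "millions of candidate passwords in less than a second".
GUESSES_PER_SECOND = 10_000_000


def charset_size(password: str) -> int:
    """Alphabet size an attacker must search to cover every character class present."""
    return sum(n for chars, n in CLASSES if any(c in chars for c in password))


def brute_force_seconds(password: str) -> float:
    """Worst-case seconds to exhaust the keyspace at GUESSES_PER_SECOND.

    Each extra character multiplies this by charset_size(), which is the
    exponential growth in cracking difficulty the article describes."""
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND


def check_password(password: str, min_length: int = 12) -> list:
    """Return the article's rules this password breaks (empty list means it passes)."""
    reasons = []
    if password.lower() in BLOCKLIST:
        reasons.append("on the top-25 list, so it is among the first guesses tried")
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if charset_size(password) <= 36:
        reasons.append("too small a character mix: no blend of cases, digits and symbols")
    return reasons


if __name__ == "__main__":
    for pw in TOP_25[:5] + ["Correct-Horse-Battery-42"]:
        print("%-26s %14.1f s  %s" % (pw, brute_force_seconds(pw), "; ".join(check_password(pw)) or "ok"))
```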

Maintaining a number of hard-to-guess passwords may be daunting, but it’s also a key piece of data hygiene. Following a few basic rules will help keep your data safe and your identity better protected in 2019 and beyond. If you want to go pro, you should. What do you have to lose? If your passwords are subpar, you’re not the only one who knows the answer.