These are the latest world's worst passwords — don't use any of them

We have sad news: The world's most-often used password is still "123456." 

This depressing statistic comes as a result of a study by Turkish researcher Ata Hakçıl, who analyzed more than 742 million passwords revealed in numerous data breaches over the past several years and posted his results on GitHub. Among those passwords, "123456" appears 5.3 million times, or in out of every 138 entries.

• The best password managers to keep your online accounts safe
• Look out, online gamers: Hackers want your passwords
• New: I ditched Android for iPhone SE for a month —pros and cons

Of the 742 million entries, there were only 169 million unique passwords, which gives you an idea of how frequently we use obvious passwords. The most common 1,000 passwords were 6.6% of the total, and less that 9% of the passwords were found only once.

There was a little good news: The average length of the passwords was 9.48 characters, which means that all the nagging about creating longer passwords is paying off. 

By contrast, the median (if not mean) length in the famous RockYou data breach of 2009 was about 7 characters. (Hakçıl chose not to include the 32 million RockYou entries because they've been so widely studied.) 

UPDATE: We played with the RockYou statistics in this report from Imperva and came up with an average RockYou password length of roughly 7.41 characters.

Same old song

But that's still far outweighed by the bad news. The RockYou database's most-used password is also "123456." In fact, of the top 20 old RockYou passwords, entered between 2005 and 2009, seven are also in Hakçıl's brand-new Top 20 list: 123456, 12345, 123456789, iloveyou, 1234567, 12345678 and abc123. 

Two others came close but not quite, with "Password" and "Qwerty" appearing in the RockYou Top 20, but "password" and "qwerty" in Hakçıl's Top 20. (We're not sure why that occurred, but RockYou may have required the inclusion of upper-case letters at some point.) 

Only 12% of the passwords Hakçıl examined contained "special" characters, such as punctuation marks, that are found on common QWERTY keyboards but are not letters or numbers: ? < , > & ^ and so on. Including such characters goes a long way to beefing up a password's strength against password crackers.

By contrast, nearly 29% of the passwords were compromised of letters only, and more than 26% of the total were lowercase only. More than 13% consisted of only digits. 

In an indication of how people form passwords, more that 34% of passwords that mixed letters and numbers ended with the numbers — e.g. "qwerty123" — but only 4.5% started with the numbers.

Mystery pattern in the data

Hakçıl did find one surprising thing -- some 763,000 10-character passwords of gibberish that nevertheless followed a predictable pattern. 

"They all start and end with uppercase characters," Hakçıl wrote. "None of them seem to have a keyboard pattern or meaningful word in them" and "they don't contain special characters."

Even though the passwords appeared to be machine-generated, several of them appeared to have been reused, possibly indicating a flaw in a password-generation algorithm.

"I have no idea what this uncovers and what it implies, but I'm suspecting a password manager out there is creating passwords with low entropy, causing repetitions over a lot of users," Hakçıl wrote. "All the ideas about this are welcome and appreciated."

Hakçıl started with about 1 billion pairs of credentials (passwords and usernames), but had to toss out more than 257 million pairs for being either unreadable or obviously test accounts. 

How to create and manage passwords

To make sure to limit the extent of a data breach upon your account security, make sure that all of your passwords are long, strong and unique. 

Length is currently the most important factor, as a 20-character password of random lowercase letters has less chance of being "cracked" than a 12-character password made up of lowercase and uppercase letters, digits and punctuation marks and other special characters.

But ideally, you'd want a long password of at least 15 characters made of absolute gibberish containing all four types of characters found on a common QWERTY computer keyboard. 

To create and remember such passwords, and to make sure none of them is repeated, there's no better solution that to use one of the best password managers.

The 100 worst passwords of 2020

Here are the 100 most commonly passwords, according to Hakçıl's analysis. You shouldn't be using any of these for any of your accounts.

1. 123456
2. 123456789
3. password
4. qwerty
5. 12345678
6. 12345
7. 123123
8. 111111
9. 1234
10. 1234567890
11. 1234567
12. abc123
13. 1q2w3e4r5t
14. q1w2e3r4t5y6
15. iloveyou
16. 123
17. 000000
18. 123321
19. 1q2w3e4r
20. qwertyuiop
21. 654321
22. qwerty123
23. 1qaz2wsx3edc
24. password1
25. 1qaz2wsx
26. 666666
27. dragon
28. ashley
29. princess
30. 987654321
31. 123qwe
32. 159753
33. monkey
34. q1w2e3r4
35. zxcvbnm
36. 123123123
37. asdfghjkl
38. pokemon
39. football
40. killer
41. 112233
42. michael
43. shadow
44. 121212
45. daniel
46. asdasd
47. qazwsx
48. 1234qwer
49. superman
50. 123456a
51. azerty
52. qwe123
53. master
54. 7777777
55. sunshine
56. N0=Acc3ss
57. 1q2w3e
58. abcd1234
59. 1234561
60. computer
61. f***you [censored -- the missing letters rhyme with "duck"]
62. aaaaaa
63. 555555
64. asdfgh
65. asd123
66. baseball
67. 0123456789
68. charlie
69. 123654
70. qwer1234
71. naruto
72. a123456
73. jessica
74. soccer
75. jordan
76. liverpool
77. thomas
78. lol123
79. michelle
80. 123abc
81. nicole
82. 11111111
83. starwars
84. samsung
85. 1111
86. secret
87. joshua
88. 123456789a
89. andrew
90. 222222
91. q1w2e3r4t5
92. 147258369
93. hunter
94. Password
95. qazwsxedc
96. lovely
97. 999999
98. jennifer
99. letmein
100. tigger