Go change your password already!

Too many people are still banking their online security with “123456” and “password,” according to SplashData’s 2017 “100 Worst Passwords of the Year” report, which drew data from 5 million users’ leaked passwords in North America and Western Europe over the past year.

And the series of repeated personal information leaks being reported by apps and online retailers is a sobering reminder that cybersecurity is an ever bigger threat.

MyFitnessPal users are the latest victims, with parent company Under Armour revealing on Thursday night that a security breach has affected 150 million users. “An unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018,” the company wrote in a release.

While the leaked data doesn’t include either government-issued personal information such as Social Security and driver’s license numbers (as those are not collected by the company) or payment information (because that is collected and processed separately), be warned that email addresses, usernames and passwords were exposed. So if you use those logins, passwords and emails for signing into other apps, or for shopping, banking and credit card sites, your money and personal data can still be at risk.

MyFitnessPal notified users in an email that: They will be requiring everyone to change their passwords; they are coordinating with law enforcement and continuing to monitor suspicious activity; and they are going to update their systems to prevent this from happening again. The app also recommended that users:

  • Change your password for any other account on which you used the same or similar information used for your MyFitnessPal account.
  • Review your accounts for suspicious activity.
  • Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data.
  • Avoid clicking on links or downloading attachments from suspicious emails.

And in picking new passwords, avoid these top 20 worst offenders from SplashData’s list:


  • 123456
  • password
  • 12345678
  • qwerty
  • 12345
  • 123456789
  • letmein
  • 1234567
  • football
  • iloveyou
  • admin
  • welcome
  • monkey
  • login
  • abc123
  • starwars
  • 123123
  • dragon
  • passw0rd
  • master

Honorable mentions go to “whatever” (#23), “trustno1 (#25), “blahblah” (#47) and “biteme” (#91.)

And this is just the latest in a series of hacks — a recurring problem that underscores how important strong passwords are to protecting your personal information. In October 2017, Yahoo announced that three billion accounts were hacked in the massive 2013 breach, which is every account that existed at that time, including email, Tumblr, Fantasy and Flickr. Equifax, one of the three major credit reporting agencies in the U.S., revealed last year that the Social Security numbers, birth dates, addresses, driver’s license numbers and credit card information of potentially 143 million U.S. consumers may have been accessed by cybercriminals. And 1 billion Gmail users were attacked by a sophisticated phishing scam last year that sent fake Google Docs to users which, if opened, granted access to managing their emails and their contacts. (If you clicked it, take these five steps immediately.)

Also read: Here’s how to protect yourself from the Equifax data breach

Luckily, there’s a tool that can show you how strong your current password is. Researchers from Carnegie Mellon University and the University of Chicago released a state-of-the-art password meter that gives you instant feedback on how strong your password is, before advising on how you can make it even stronger.

The study and the password tool were presented at the CHI 2017 conference in Denver, and a demo of the meter can be tried here.

“Instead of just having a meter say, ‘Your password is bad,’ we thought it would be useful for the meter to say, ‘Here’s why it’s bad and here’s how you could do better,'” said Carnegie Mellon professor Nicolas Christin, a co-author of the study in a statement.

Many of us are still clueless about locking down our logins. In fact, 15.4 million Americans were hacked last year because of weak passwords or clicking on links that spread computer viruses, according to Javelin Strategy and Research.

Security experts suggest changing your password and activating a two-step authentication process to protect yourself – but if you’re using the same passwords across different sites, or tapping the same tricks everyone uses (swapping your O’s for zeroes, anyone?), you’re not making your digital identity any safer.

“The way attackers guess passwords is by exploiting the patterns that they observe in large datasets of breached passwords,” said Blase Ur, a lead author on the study behind the new password meter. “If you change Es to 3s in your password, that’s not going to fool an attacker. The meter will explain about how prevalent that substitution is and offer advice on what to do instead.”

If you suspect your financial data may have been compromised, it’s important to check all of your financial accounts and keep an eye out for suspicious activity; if you see something, report it immediately. You should also check your credit report (you get a free one from each of the three credit reporting agencies each year) and place fraud alerts on them. Click here for more security tips.

This article was originally posted in 2017, and has been updated.