Go change your password already!

The “100 Worst Passwords of the Year” were just released for 2017, and the top two weakest logins are the same as last year’s.

People are still banking their online security with “123456” and “password,” according to SplashData’s annual report, which drew data from 5 million users’ leaked passwords in North America and Western Europe over the past year.

The top 20 worst passwords are:

  • 123456
  • password
  • 12345678
  • qwerty
  • 12345
  • 123456789
  • letmein
  • 1234567
  • football
  • iloveyou
  • admin
  • welcome
  • monkey
  • login
  • abc123
  • starwars
  • 123123
  • dragon
  • passw0rd
  • master

And honorable mentions go to “whatever” (#23), “trustno1 (#25), “blahblah” (#47) and “biteme” (#91.)

Cybersecurity is an ever bigger threat. In October, Yahoo announced that three billion accounts were hacked in the massive 2013 breach, which is every account that existed at that time, including email, Tumblr, Fantasy and Flickr. Previously, the company had said that about one billion of its accounts were impacted. Everything from names to certain passwords to phone numbers and email addresses could have been compromised.

And this is just the latest in a series of hacks — a recurring problem that underscores how important strong passwords are to protecting your personal information. Luckily, there’s a new tool that can show you how strong your current password is.

Researchers from Carnegie Mellon University and the University of Chicago released a state-of-the-art password meter that gives you instant feedback on how strong your password is, before advising on how you can make it even stronger.

The team created an artificial intelligence neural network that “learns” by scanning millions of existing passwords, and identifying trends we tend to follow in creating our word keys. If the meter flags a trait in your password that it knows hackers can easily guess, it will give you tangible tips on how to change it.

The study and the password tool were presented at the CHI 2017 conference in Denver, and a demo of the meter can be tried here.

This Moneyish reporter plugged in a couple of her favorite passwords into the meter, which some other sites have rated pretty strong in the past. Not this one. The new tool slapped the password for containing a date and using a word that could be found on Wikipedia. It also suggested capitalizing a random letter in the middle of the word, and moving symbols and digits to different parts of the word. Consider it changed.

“Instead of just having a meter say, ‘Your password is bad,’ we thought it would be useful for the meter to say, ‘Here’s why it’s bad and here’s how you could do better,'” said Carnegie Mellon professor Nicolas Christin, a co-author of the study in a statement.

Many of us are still clueless about locking down our logins. In fact, 15.4 million Americans were hacked last year because of weak passwords or clicking on links that spread computer viruses, according to Javelin Strategy and Research.

And earlier this year, 1 billion Gmail users were attacked by a sophisticated phishing scam that sent fake Google Docs to users which, if opened, granted access to managing their emails and their contacts. (If you clicked it, take these five steps immediately.)

Security experts suggested changing your password and activating a two-step authentication process to protect yourself – but if you’re using the same passwords across different sites, or tapping the same tricks everyone uses (swapping your O’s for zeroes, anyone?), you’re not making your digital identity any safer.

For example, the team behind the new password meter found that one of 2016’s most popular passwords was “qwertyuiop,” or simply the top row of letters on your keyboard. It’s the alphabet equivalent of picking “1-2-3-4,” and a no-brainer for seasoned hackers to figure out.

“The way attackers guess passwords is by exploiting the patterns that they observe in large datasets of breached passwords,” said Blase Ur, a lead author on the study behind the new password meter. “If you change Es to 3s in your password, that’s not going to fool an attacker. The meter will explain about how prevalent that substitution is and offer advice on what to do instead.”

This article was originally posted in May 2017, and has been updated with the 2017 Worst Passwords report.