Numeric combination of '123456' was the most common password of 2016, followed by '123456789' and 'qwerty', according to researchers who reviewed over 10 million security codes that became public following data breaches.
The study also found that four of the top 10 passwords on the list are six characters or shorter. Passwords '12345678', '111111', '1234567890', '1234567', 'password', '123123', '987654321' were among the top ten list.
"This is stunning in light of the fact that, as we have reported, today's brute-force cracking software and hardware can unscramble those passwords in seconds," according to the US-based password management company Keeper Security .
"Website operators that permit such flimsy protection are either reckless or lazy," the company said.
"Nearly 17 percent of users are safeguarding their accounts with '123456'. What really perplexed us is that so many website operators are not enforcing password security best practices," it said.
The study found that the list of most-frequently used passwords has changed little over the past few years, which means that user education has limits.
While it is important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves. IT administrators and website operators must do the job for them, the company said.
The presence of passwords like '1q2w3e4r' and '123qwe' indicates that some users attempt to use unpredictable patterns to secure passwords, but their efforts are weak.
Dictionary-based password crackers know how to look for sequential key variations. At best, it sets them back only a few seconds. Email providers do not appear to be working all that hard to prevent the use of their services for spam, they added.