For those of us who are old enough to remember Mr. Blackstone’s Best and Worst Dressed Lists coming out around media-awards season, the concept of the 10 Best or 10 Worst of anything is old hat. ESPN used that for its top sports-plays segment for years, and we are asked to rank the top 10 of everything – craft beers, locally-sourced, lightly killed burger pavilions, handyman services, you name it.

However, one place where this kind of list-building can really have an effect on your cybersecurity is in the lists kept by the people who track commonly used – or, in many cases, stupidly used – passwords. There are many such lists, but TeamsID’s list[i] ranks the top 100 worst. In many cases, this list is similar to those published every year by the Wall Street Journal.[ii] Why is it similar? Because people can get lazy, and systems haven’t been changed specifically to eliminate this behavior.

So, here’s a tip for all you system folk out there. Please, whatever you do, disable the following passwords in your systems:

  • password
  • Password
  • passw0rd
  • 123456
  • 1234567
  • 12345678
  • qwerty
  • princess
  • 111111
  • sunshine
  • letmein
  • admin
  • iloveyou
  • football
  • All of the above variants with a “1” or a “!” or both added at the end
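One way to enforce the list above when a password is set or changed, shown as an added example that is not part of the original article. The function names are hypothetical, reading “both” as either `1!` or `!1` is an assumption, and the case-insensitive, Unicode-normalized comparison goes beyond the list as written.

```python
import unicodedata

# The passwords named in the article's list.
BANNED_BASES = (
    "password", "Password", "passw0rd", "123456", "1234567", "12345678",
    "qwerty", "princess", "111111", "sunshine", "letmein", "admin",
    "iloveyou", "football",
)

# "a '1' or a '!' or both added at the end"; treating "both" as either
# order is an assumption of this example.
SUFFIXES = ("", "1", "!", "1!", "!1")


def _normalize(candidate: str) -> str:
    # NFKC folds look-alike forms such as full-width letters; casefold makes
    # the comparison case-insensitive. Both go beyond the article's list.
    return unicodedata.normalize("NFKC", candidate).casefold()


# Expand every base/suffix pair once so each check is a single set lookup.
DENYLIST = frozenset(
    _normalize(base + suffix) for base in BANNED_BASES for suffix in SUFFIXES
)


def is_banned(candidate: str) -> bool:
    """Return True if the candidate is a listed password or a listed variant."""
    return _normalize(candidate) in DENYLIST


def validate_new_password(candidate: str) -> None:
    """Reject a banned password at set/change time (hypothetical hook name)."""
    if is_banned(candidate):
        raise ValueError("password is on the commonly used password denylist")


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for sample in ("letmein!", "ADMIN1!", "1234561", "correct horse battery"):
        print(f"{sample!r}: {'rejected' if is_banned(sample) else 'allowed'}")
```

The check belongs in the server-side password-change path, so it applies regardless of which client submits the new password.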

Although not everyone can agree on whether passwords are dead or dying, whether multi-factor authentication is the way to go, whether pass-phrases are better than passwords, and similar arguments, I hope everyone can agree that these password selection and retention behaviors are dangerous. Remember, the criminals read the same papers we do.

Happy New Year!

Barry S. Herrin, JD, FAHIMA, FACHE, is the founder of Herrin Health Law, P.C., in Atlanta, Ga. Herrin offers more than 30 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology. Reach him at 404-459-2526 or barry.herrin@herrinhealthlaw.com.


[i] https://www.teamsid.com/100-worst-passwords-top-50/

[ii] https://www.wsj.com/articles/2018-in-the-numbers-caffeine-fixes-asylum-seekers-and-bad-passwords-again-11545393601?mod=searchresults&page=1&pos=8