Anybody can win the presidency of the United States. But you really know you've broken through when you make it onto the list of the worst passwords people use on the internet.

So Donald Trump can feel justifiably smug that 'donald' just made its official debut on a list of the 100 most commonly used passwords on the internet in 2018. But the rest of us? Well, we shouldn't feel too proud about this.

Why? Because even though people might get a kick out of typing the president's name as a private in-joke with themselves when they log in, they're actually doing themselves a major disservice. According to security experts, the names of famous people are actually one of the most obvious targets for malicious hackers.

"Hackers have great success using celebrity names, terms from pop culture and sports, and simple keyboard patterns to break into accounts online because they know so many people are using those easy-to-remember combinations," says CEO Morgan Slain from security software firm SplashData.

Slain's company just released its annual ranking of the worst 100 passwords people used in 2018 – based on an analysis of more than 5 million passwords publicly leaked on the internet – and the results show that people keep making the same password mistakes.

While this year's rundown contains a number of new passwords that haven't made the top list before – including the aforementioned 'donald' (at #23), '654321' (clever! #19), and 'princess' (#11) – it also bears a mind-boggling resemblance to previous years' chart-toppers.

Just like in 2017, the #1 and #2 spots remain held by '123456' and 'password' respectively, while '12345' (#5) and 'iloveyou' (#10) are also in the exact same positions they were last year.

Other usual suspects have moved around a bit in terms of their list positions, but the continued high ranking of frequent offenders like '123456789' (#3), 'qwerty' (#9), and 'admin' (#12) shows people still don't comprehend (or care about) the risks of using these blindingly obvious, common, and oh-so-guessable phrases for online security.

"Our hope by publishing this list each year is to convince people to take steps to protect themselves online," Slain says.

"It's a real head-scratcher that with all the risks known, and with so many highly publicised hacks such as Marriott and the National Republican Congressional Committee, that people continue putting themselves at such risk year-after-year."

Big security breaches like this happen all the time, and when they hit, those responsible for the attacks can walk away with all sorts of user credentials.

In the worst case scenario, hackers can snare financial information (like credit card details, if the hacked website stored that data), but even lesser attacks can yield substantial amounts of personal data, including names, phone numbers, dates of birth, email addresses, and in some cases, passwords.

A common problem is that even if people don't use terrible passwords like 'password', lots of us are guilty of reusing the same password across multiple sites and services.

People do this because it's convenient and makes things easier to remember, but the risk is that if you get hacked once – and don't immediately change your password everywhere it's used – hackers can use it to get into your other accounts.

There's a simple way to find out if hackers already have your password, but how do you stop them from getting it in the first place?

In addition to never reusing passwords, you should use strong, difficult-to-guess passwords, and avoid the most common mistakes people make when coming up with passwords.

Of course, if you follow all the above advice, you'll likely end up with hundreds of virtually impossible-to-memorise passwords, meaning you'll probably need a password manager to keep track of them.

This might sound like a hassle, but it's actually really easy, and it provides a safe and secure way to manage your various logins (and some password managers are completely free too).

Whatever you do, don't use any of the worst passwords on SplashData's list. Here, in all their infamy, are the top 25 candidates to avoid, and you can find the rest of the worst 100 passwords listed on SplashData's TeamsID website.

  1. 123456
  2. 2 password
  3. 123456789
  4. 12345678
  5. 12345
  6. 111111
  7. 1234567
  8. sunshine
  9. qwerty
  10. iloveyou
  11. princess
  12. admin
  13. welcome
  14. 666666
  15. abc123
  16. football
  17. 123123
  18. monkey
  19. 654321
  20. !@#$%^&*
  21. charlie
  22. aa123456
  23. donald
  24. password1
  25. qwerty123