No matter how much we read about hacks and data breaches and the importance of taking solid security precautions, one of the unchangeable truths of the world is that people on average are absolutely terrible when it comes to choosing passwords. We use the same ones over and over, to the delight of hackers, and the ones we come up with tend to be pathetically easy so that we’re able to remember them.

SplashData is out with its eighth annual compilation of the Worst Passwords of the Year, a ranking it produces after evaluating more than 5 million passwords that have been leaked on the Internet. If you use any of these, we can’t stress this enough. As SplashData puts it themselves, anyone using any of these passwords is putting themselves “at substantial risk of being hacked and having their identities stolen.”

A few notes about this list: 2018 was the fifth straight year that saw these passwords in the Number 1 and 2 spots for being the absolute worst: “123456,” and “password.” The five worst passwords after those 2? They’re all just numerical strings.

SplashData is a provider of password management applications TeamsID, Gpass, and SplashID. “Our hope by publishing this list each year is to convince people to take steps to protect themselves online,” says SplashData CEO Morgan Slain. “It’s a real head-scratcher that with all the risks known, and with so many highly publicized hacks such as Marriott and the National Republican Congressional Committee, that people continue putting themselves at such risk year-after-year.”

Without further ado, here’s SplashData’s “Worst Passwords of 2018” list:

  1. 123456
  2. password
  3. 123456789
  4. 12345678
  5. 12345
  6. 111111
  7. 1234567
  8. sunshine
  9. qwerty
  10. iloveyou
  11. princess
  12. admin
  13. welcome
  14. 666666
  15. abc123
  16. football
  17. 123123
  18. monkey
  19. 654321
  20. !@#$%^&*
  21. charlie
  22. aa123456
  23. donald
  24. password1
  25. qwerty123

SplashData estimates almost 10% of people have used at least one of these 25 passwords and that some 3% of people have used the worst password, 123456.

Here are some tips from SplashData on how to be better at password security:

1. Use passphrases of twelve characters or more with mixed types of characters.
2. Use a different password for each of your logins. That way, if a hacker gets access to one of your passwords, they will not be able to use it to access other sites.
3. Protect your assets and personal identity by using a password manager to organize passwords, generate secure random passwords, and automatically log into websites.