A look at passwords released by hackers shows that some real losers, like "password," are popular.

Story highlights

Password management firm lists year's 25 worst passwords

Top three on the list: "password," "123456" and "12345678"

"jesus," "monkey" and "ninja" also made the list

Entries came from common passwords posted by hackers

TIME — If any of your passwords are on this list, then shame on you – and go change them now.

SplashData, which makes password management applications, has released its annual “Worst Passwords” list compiled from common passwords that are posted by hackers. The top three – “password,” “123456,” and “12345678” – have not changed since last year. New ones include “jesus,” “ninja,” “mustang,” “password1,” and “welcome.” Other passwords have moved up and down on the list.

The most surprising addition is probably “welcome.”

“That means people are not even changing default passwords,” CEO Morgan Slain told TIME Tech. “It doesn’t take that much time to make a new password.”

You should have different passwords for all of your accounts. To make it easier to remember them all, Slain suggests thinking about passwords as “passphrases.” For instance, use a phrase like “dog eats bone” and add underscores, dashes, hyphens, and other punctuation marks to satisfy the special character requirement: “dog_eats_bone!”


Here’s the full list:

1. password

2. 123456

3. 12345678

4. abc123

5. qwerty

6. monkey

7. letmein

8. dragon

9. 111111

10. baseball

11. iloveyou

12. trustno1

13. 1234567

14. sunshine

15. master

16. 123123

17. welcome

18. shadow

19. ashley

20. football

21. jesus

22. michael

23. ninja

24. mustang

25. password1
