Think you’re protected from web attacks with your strong passwords? When hackers seize control of computers to create botnets, they can cause plenty of collateral damage, and their ticket in is often stupid-simple: terrible passwords. SplashData has just released its annual list of the worst of them — gleaned from hacked file dumps — and things have changed depressingly little over last year. The most commonly hacked password is still “123456,” which edged out the perennial I-can’t-believe-people-still-use-this entry, “password.” Other top picks in the an alphanumeric hall of shame are “12345678,” “qwerty,” “monkey” and new this year, “batman.” According to security expert Mark Burnett, the top 25 passwords (below) represent an eye-popping 2.2 percent of passwords exposed.

The good news is that fewer people are using bad passwords than in 2013, perhaps thanks to some well-publicized data breaches at Sony, Target and elsewhere. SplashData reminds folks to create passwords with eight, mixed characters not based on easy-to-brute-force dictionary words — even with substitutions like “dr@mat1c.” As pointed out by Buffer Open, other methods include pass phrases, mnemonic devices and other memory tricks — including a gem from XKCD. Since you shouldn’t use the same password on more than one site, it’s also a good idea to use one of the many password managers out there, like LastPass or SplashID. Those let you access your entire collection of passwords with just a single passphrase — one that had better be a lot stronger than “123456.”