Last year, research firm Splash Data released its list of the worst passwords in 2014. All-time greats such as “123456” and “password” topped the charts, while new additions “batman” and “superman” showed just how little password hacks had impacted user preferences.

2015’s list has just been released, and guess what? The two most popular are back on top again — in fact, they remain unchanged since 2011, as reported by CSO Online.

So here’s the question: Why are users missing the message? More importantly, what’s the next step? How do companies make passwords past tense?

This Is a Joke, Right?

Nope. Consider awful password No. 6: “123456789”. Obviously a response to sites that demand more characters for greater security, this little gem is basically serving up access on a silver platter. There are also some new additions to the list: For example, “princess” sits at No. 21, “solo” at No. 23 and — wait for it — “starwars” rounds things out at No. 25.

Sure, they’re easy to remember and have fun little movie references, but these passwords aren’t really what security pros had in mind for a strong passphrase. If cybercriminals can nab login credentials in five guesses or less based on prevailing pop culture, something’s gone wrong in the password selection process.

As noted by SecurityWeek, users are trying to add some randomness and throw off attackers. Passwords like “1qaz2wsx” and “qwertyuiop” look good at first glance, but it doens’t take long to see the problem: The former is the first two columns of main keys on any standard U.S. keyboard while the latter is just the top row. SplashData put it simply: These are “simple patterns that would be easily guessable by hackers.”

Pushing Back on Password Hacks

In the last year big retailers and popular social sites have been hacked, with attackers often going after poorly hashed databases of account names and passwords. But a consistent pattern of poor password-picking means that in most cases, cybercriminals don’t need to bother — running the list of popular passwords is faster, easier and often more successful. With companies aware of this fact, sites trying to beef up security and users at risk of losing personal and financial data, why are terrible passwords still the norm rather than the exception?

Simply put: password fatigue. As noted by TechCrunch, the average user must remember more than 25 passwords to access the social media, e-commerce and company apps they use on a daily basis. Crafting a clever password for each is not only time-consuming, but invariably leads to confusion.

So when corporate IT implements a new password policy, users look for the easiest way out. Maybe it’s a string of repeating characters, a common sequence or popular phrase; whatever it takes to simplify access and effectively spite admins for making passwords even more complicated. It’s a big picture/little picture scenario: The prospect of what might happen because of password hacks isn’t enough to ease the frustration of what will happen every time users can’t remember the last password on their list.

Alternate Options

It’s not all bad news. Sure, the list of poor passwords is frightening, but it’s also a sign: Passwords are passé, and companies are now actively looking for alternatives. For example, Google is testing a service that lets users approve logins through their mobile devices and eliminates the need for passwords entirely, while companies like PayPal are backing biometric identification.

The TechCrunch piece, meanwhile, imagined a future where devices are the center of an intelligent authentication scheme: Depending on user location, access method and the type of service being requested, authentication requirements scale up or down to ensure maximum security.

Password hacks are still happening, and they’ll keep happening because users will always find ways around complex login rules to make their digital lives less complicated. 2015’s poor password list is a wake-up call: It’s time to embrace a device-driven future and make passwords past tense.

more from