For years, security experts have told people they need better passwords protecting their online accounts: no more “123456” or “qwerty” or “password.” Based on SplashData’s fifth annual list of the 25 most common passwords, however, it’s clear that relatively few people are listening to that advice. The firm based its list on more than 2 million leaked passwords during the year. If you see your password on this list, it might be time to consider changing it:

1. 123456 (Unchanged from last year’s list)
2. password (Also unchanged)
3. 12345678 (Up 1 spot from last year)
4. qwerty (Up 1)
5. 12345 (Down 2 from last year)
6. 123456789 (Unchanged from last year)
7. football (Up 3)
8. 1234 (Down 1)
9. 1234567 (Up 2)
10. baseball (Down 2)
11. welcome (New to the list)
12. 1234567890 (New)
13. abc123 (Up 1)
14. 111111 (Up 1)
15. 1qaz2wsx (New)
16. dragon (Down 7)
17. master (Up 2)
18. monkey (Down 6)
19. letmein (Down 6; also: really?)
20. login (New)
21. princess (New)
22. qwertyuiop (New)
23. solo (New)
24. passw0rd (New)
25. starwars (New; hello, “Force Awakens” fans)

What’s even worse is the prevalence of some of the most vulnerable passwords for multiple years in a row—in 2013, ‘123456’ and ‘Password’ also topped the list. Yes, it’s a pain to create (much less remember) a complicated password with lots of numbers and special characters—but it’s nothing compared to the pain of having your online accounts compromised. And if you’re interested in creating a truly secure password, check out this nifty project from developer/writer David Bolton.