Will we ever learn? Despite repeated reminders about the importance of using strong passwords online, many of us are putting our personal data at risk by using pathetically weak passwords like “123456” and yes, “password.”

Those two passwords earned top spots on security appliance firm SplashData’s Worst Passwords of 2015 list. The fifth annual report is compiled from more than 2 million passwords that were leaked during the year. Other bad passwords on the list include sports fan favorites “baseball” and “football.”

Because more sites are requiring eight-digit passwords, the use of "12345678" is up (hardly a step above perennial favorites "12345" and "123456"). Other new (bad) favorites this year are “starwars,” “princess” and “solo.” (Yes, Star Wars fans, everyone else thought of these, too.)

The next time you think using "solo" or “qwerty” as your bank account password is a good idea, think again. SplashData and the National Cyber Security Alliance offer these five tips for making a better choice.

Related: Your Email Got Hacked — Now What?

1. Use passwords that are 12 characters long, with a mix of characters and numbers and uppercase and lowercase letters. The longer the password, the longer it will take a password-cracking algorithm to guess your password, according to the National Cyber Security Alliance. But don’t just add length and use 123456789101112. “We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers,” SplashData CEO Morgan Slain said in a press release.

2. Don’t use the same password for multiple sites. In other words, your email password should be different than the one you use for your bank account which should be different from your Facebook password. “This will also lessen the time you have to spend on damage control if one of your passwords is hacked, as you will only need to change one password instead of them all,” the National Cyber Security Alliance says.

3. Use a password manager to organize passwords and generate random ones.

4. Change your passwords every six months. The National Cyber Security Alliance says ideally you should do this every 60 days, but every six months is much better than never.

5. Use passwords that aren’t found in the dictionary. In other words, the best passwords aren’t words, but a random jumble of characters. Hackers can launch a “dictionary” attack that uses brute computer power to rapidly guess millions of possible common word combinations. (So even "starwarssolo" is not safe.)

The National Cyber Security Alliance has a list of password no-no’s, such as using all or part of your name in a password, using passwords with all one number or letter (i.e. 111111) and creating passwords shorter than six characters.

One last tip: Many sites allow you to save your login information. But saving this info can make it easier for hackers to steal it.

Related: 8 Ways to Protect Yourself on Social Networks

How safe or stupid are your password habits? Take our 20-second survey. And check out the full list of the top 25 bad passwords below it.

password infographic(Photo: TeamsID/TeamsID)

Like this article? Share it with friends by clicking the Facebook or Twitter button below. And don't forget to visit our Facebook page!

Angela is a Pulitzer Prize-winning digital editor with more than 15 years of experience delivering news and information to audiences worldwide. Prior to joining SafeBee, she was the features editor for Boston.com at The Boston Globe, overseeing health, travel, entertainment, business and lifestyle coverage. Before moving to features, she was the news and homepage editor, covering stories such as the Boston Marathon bombing, Red Sox World Series victories, presidential elections, a papal inauguration, and more. Her favorite safety tip: Clean your phone! The average cell phone has 18 times more germs than the toilet handle in a men’s restroom.