If any of your passwords are on this list, then shame on you — and go change them now. Bad dog!

SplashData, which makes password-management applications, has released its annual Worst Passwords list compiled from common passwords that are posted by hackers. The top three — “password,” “123456″ and “12345678″ — have not changed since last year. New ones include “jesus,” “ninja,” “mustang,” “password1″ and “welcome.” Other passwords have moved up and down on the list.

The most surprising addition is probably “welcome.”

“That means people are not even changing default passwords,” SplashData CEO Morgan Slain tells TIME Tech. “It doesn’t take that much time to make a new password.”

You should have different passwords for all your accounts. To make it easier to remember them all, Slain suggests thinking about passwords as “passphrases.” For instance, use a phrase like “dog eats bone” and add underscores, dashes, hyphens and other punctuation marks to satisfy the special-character requirement: “dog_eats_bone!”

Here’s the full list:

  1. password
  2. 123456
  3. 12345678
  4. abc123
  5. qwerty
  6. monkey
  7. letmein
  8. dragon
  9. 111111
  10. baseball
  11. iloveyou
  12. trustno1
  13. 1234567
  14. sunshine
  15. master
  16. 123123
  17. welcome
  18. shadow
  19. ashley
  20. football
  21. jesus
  22. michael
  23. ninja
  24. mustang
  25. password1