Based an analysis of the lists of passwords that have been leaked by various sites during the year, SplashData says these are the most common:
You can bet that anyone trying to break into one of your online accounts will try these first, so don't use them.
Just as a refresher: SplashData recommends that you should pick passwords or passphrases with at least 12 characters and mixed types of characters (ie, include upper and lower case, digits, and 'specials' such as !, % or ^), avoid using the same password on different sites (if someone gets into one of your accounts, they'll start testing the same password against other services), and use a password manager to generate random passwords and save you having to remember them all.
The company does make password managers, but we won't hold that against them. If you've got more than a very few passwords, a password manager is almost essential unless you have an unusually good memory. Another benefit is that it will also help protect you from phishing attempts - the destination site might be a sufficiently good copy to fool you, but the password manager won't enter your credentials because the domain name is wrong.