
If Your Password is ‘Password1’, Change It: Everyone Knows

Phillip Dampier March 5, 2012 Consumer News 1 Comment

Internet security firm Trustwave knows your password, if it happens to be “Password1.”

It turns out that is among the most popular password choices now in use on websites and work computers — even more popular than old favorites like “qwerty” and “asdf.”

The security firm noted around 5% of all Internet passwords include a variation on the word “password.”  Second runner-up?  “Welcome,” which appears more than 1% of the time.

But why “Password1”?

Website password security has gotten increasingly robust in recent years, now demanding users include at least one capital letter and number.  “Password1” also stays within the usual requirements for passwords longer than six characters (and often fewer than 10).
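The gap described above, as an added example that is not part of the original article: a composition check that "Password1" passes, next to a check for the common words the article names. The look-alike character map, the `min_share` threshold and the sample inputs are assumptions made for this illustration.

```python
import re
import string

# Words the article names as popular password choices.
COMMON_BASES = ("password", "welcome", "qwerty", "asdf")

# Constructed map that folds common look-alike characters back to letters.
LOOKALIKES = str.maketrans("@4$5031!", "aassoeli")

def meets_composition_rules(pw):
    """The rule set the article describes: longer than six characters,
    at least one capital letter and at least one number."""
    return (len(pw) > 6
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))

def fold(pw):
    """Reduce a password to the letters it is built from."""
    core = pw.rstrip(string.digits)             # "Password1" -> "Password"
    core = core.lower().translate(LOOKALIKES)   # "p@s$w0rd"  -> "password"
    return re.sub(r"[^a-z]", "", core)

def common_base(pw, min_share=0.5):
    """Return the common word that makes up at least min_share of the
    folded password, or None. min_share is an assumed threshold."""
    letters = fold(pw)
    for base in COMMON_BASES:
        if base in letters and len(base) / len(letters) >= min_share:
            return base
    return None

def review(pw):
    """Return (passes_composition_rules, common_word_or_None)."""
    return meets_composition_rules(pw), common_base(pw)

if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("Password1", "Welcome2012", "p@S$w0rd", "Qwerty12",
               "welcome-to-the-jungle-1987"):
        ok, base = review(pw)
        print(f"{pw!r}: composition rules {'pass' if ok else 'fail'}, "
              f"common word: {base}")
```

The first four samples satisfy the composition rules while still being built on a common word; the long phrase fails those rules for lacking a capital letter even though no common word dominates it.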

The West Australian newspaper reports:

Exploiting weak or guessable passwords was the top method attackers used to gain access last year. It played a role in 29% of the security breaches Verizon’s response team investigated.

Verizon’s scariest finding was that attackers are often inside victims’ networks for months or years before they’re discovered. Less than 20% of the intrusions Verizon studied were discovered within days, let alone hours.

Even scarier: Few companies discovered the breach on their own. More than two-thirds learned they’d been attacked only after an external party, such as a law-enforcement agency, notified them. Trustwave’s findings were almost identical: Only 16% of the cases it investigated last year were internally detected.

So if your password is something guessable, what’s the best way to make it more secure? Make it longer.

Adding complexity to your password — swapping “password” for “p@S$w0rd” — protects against so-called “dictionary” attacks, which automatically check against a list of standard words.

Andrew Madigan
12 years ago

The number of attacks based on leaks is growing. Many people use the same password for many different sites (try remembering 500 different passwords). When a site is attacked and leaks passwords, the hackers will try to log in to other sites with the same (or similar) credentials. Executing a dictionary attack is difficult against secure sites: they’ll lock an account after 3 attempts so the attacker has to try every account and hope to find one with an insecure password. The fact that sites store the user’s password is unacceptable. They only need to store the hash of…

Stop the Cap!