NetSPI collected 90,977 domain hashes during their penetration tests this year. Of the collected hashes, 27,785 were duplicates, leaving 63,192 unique hashes. Of the total 90,977 hashes, we were able to crack 77,802 (85.52%). Out of those hashes they calculated the top 10 passwords used.

Here’s nine of the top passwords that we used for guessing during online brute-force attacks:

• Password1 – 1,446
• Spring2014 – 219
• Spring14 – 135
• Summer2014 – 474
• Summer14 – 221
• Fall2014 – 150
• Autumn14 – 15*
• Winter2014 – 87
• Winter14 – 63

*Fall14 is too short for most complexity requirements
Source: https://blog.netspi.com/netspis-top-cracked-passwords-for-2014/