- The 200 most common passwords range from bad (qwerty) to worse (xxx).
- Consider changing your passwords if you use one of the passwords on this list (or similar words).
- Making passwords longer and more complex is a matter of simple math.
If you’re still using weak passwords for convenience, you might as well leave your front door unlocked. And if you see any of your passwords on this annual list of the 200 most common passwords, you are practically leaving the door open too. From “123456” to “qwerty”, if you spot your password in this list, you’ll seriously want to consider changing it and setting up multi-factor authentication, the digital equivalent of changing locks.
The list of common passwords is from NordPass, a Panama City-based password management company that naturally has a password management service it wants to sell to you. You don’t necessarily need to buy this type of software to create and track responsible passwords, but you should definitely heed the warnings in this report: data leaks just keep increasing, as evidenced by the “RockYou2021” leak, which reportedly saw 8.4 billion passwords posted on a popular hacker forum.
NordPass says it compiled its list with the help of independent cybersecurity researchers, who evaluated a database containing 4 terabytes of data (one terabyte, for context, is enough space to hold 1,000 copies of the Encyclopaedia Britannica).
Here are the 20 most common passwords:
- the password
See a common theme here? A lot of it comes down to effort, but it’s worth the extra time to enter a good password. Common password lists give hackers an advantage, after all. Imagine that instead of passwords, you were trying to guess a person’s lucky number. You would start with what you think are common lucky numbers, so maybe lucky number seven for a person in the United States. If one in ten people have seven as their lucky number, you are beating the odds by guessing it first.
On this list of common passwords, the top example, “123456”, has been used by over 100 million people. This means that trying this password first is extremely likely to work. If there were a billion accounts in total, you improve your odds from one in a billion to one in ten by guessing that most common password first.
The list also shows how some common passwords appear sophisticated at first glance. For example, “qazwsxedc” looks random until you realize that it is just vertical lines on the keyboard starting with “q”. The same goes for “q1w2e3r4”, which involves going from “q” up to “1”, back down to “w”, and so on along the row. NordPass confirms that these passwords take less than a second to crack, although users probably feel like they’ve chosen something more secure than just “qwerty”.
Let’s look at some of the “best” entries on the worst password list to see why they are at least less bad, on our way to stronger passwords.
Among the most common passwords, one of those that takes the longest to crack is “myspace1”, at three hours. After that come “1g2w3e4r” at three hours, “gwerty123” at three hours, “michelle” at three hours, “jennifer” at two hours, and “zag12wsx” at one hour. What’s interesting is that several of these – “1g2w3e4r”, “gwerty123” and “zag12wsx” – are just some of the worst passwords, but typed on GWERTY keyboards rather than QWERTY. Only a few dozen of the world’s languages use Q, and some only use it in borrowings from languages like English.
➡️ How to create a better password
To create a stronger password and not be on next year’s list, follow this infallible advice:
Do not use personal information such as names, pets’ names, or numbers, especially your address, Social Security number, phone number, or birthday. This information is often exposed online because it is needed to complete most basic forms. Therefore, you should assume that hackers may already have this information about you.
Avoid using real words. The tools used to crack passwords are quite good at processing dictionary words, as well as combinations of letters and numbers. So, rather than using a common name or term, use special characters such as “&” and “$”. Replacing letters with special characters that closely resemble them, such as swapping an “S” for a “$”, is a good start, but it is also the most obvious variation on these dictionary words. The more creative you are, the less likely it is that a password cracker will help bad actors guess your combination.
The longer, the better. Aim for at least ten characters.
Make common phrases more complicated. Think of something that you will easily remember, like a line from a song, and make it harder to guess. So turn “100 bottles of beer on the wall” into “100BoBotW”.
Do not write down your passwords. Seriously, no. Use a password manager to keep encrypted copies of all your usernames and passwords on your browser. Google Chrome does this on its own if you sign up, but there are paid third-party options as well.
Change your password regularly. Many corporate employers actually require you to change the passwords on your accounts to keep the entire organization secure. You should also do this on your own time, especially for your financial accounts. This is because passwords are made public after a data breach and username/password combinations are sold on the darknet. The longer your password stays the same and goes stale, the greater the chance it will be exposed in a breach.
Do not reuse passwords. If a hacker obtains your login information for one website, all of your accounts will be compromised. If you have a hard time coming up with something, use a random password generator, which works from the settings you ask it to use. We recommend this one.
Beware of using public devices or networks. Never enter your password on someone else’s computer if you can help it. And when using public WiFi, avoid sites that require you to log in, especially if it’s a bank or other financial service. If you absolutely must use a public device or network, be sure to use a virtual private network, or VPN, to secure your connection.
Use two-factor authentication: This is a method of verifying your identity using more than one type of verification. Some types of two-factor authentication, or 2FA, include:
- Something you know: a PIN code, password or pattern.
- Something you have: an ATM or credit card, cell phone, or security token (such as a YubiKey).
- Something that you are: a biometric form of authentication, such as your fingerprint, voice, or face.
Test your password: You can test the strength of your password by visiting this site and typing it in. Don’t worry, the site doesn’t create a password repository because your information is never sent over an internet connection (you don’t even have to press “Enter” or click a button to see your result). The coolest part? As you type, the software tells you approximately how long it would take a computer to find your password. The site turns red if your password is weak, but slowly turns green as you strengthen it. It will even give you tips on how to improve your password security.
So just adding a different letter, “g” instead of “q”, immediately bumps those terrible passwords up a notch! This aligns with NordPass’ general password advice and explains why more and more websites require at least one uppercase letter, at least one number, at least one special character, and no repeated letters or numbers.
“A complex password is a password that contains at least 12 characters and a varied combination of upper and lower case letters, numbers and symbols,” explains NordPass. The length requirement is a simple calculation: the more characters to guess, the longer it takes to brute-force them all. (Imagine watching a hangman game that only has six blanks versus 16 or even 26 – which would be more intimidating?)
The “varied combination” part is also a simple calculation. The worst passwords are all easily identifiable sequences that follow human logic. These are rows or columns on the keyboard, or simple words or terms, like names, famous groups or sports teams. A varied combination of all types of characters is immediately much more difficult to guess. A hacker can’t just run through a dictionary, a list of the most common women’s names, or a list of hockey teams.
Instead, each character requires guessing among the 26 lowercase and uppercase letters, all punctuation, and all special characters such as “$” and “%”. Multiply those possibilities together for every character in the password and it’s easy to see the complexity building up. NordPass also suggests changing your passwords every 90 days and not reusing any passwords on different websites.
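As an added illustration (not code from NordPass or from this article), the Python sketch below puts the brute-force math next to a check for the keyboard patterns described earlier, showing that “qazwsxedc” has about 42 bits of search space on paper yet is still flagged as a pattern. The key layout, the 60% threshold and the two-entry common list are assumptions of this example.

```python
import math
import string

# QWERTY rows, top to bottom (letters and digits only; an assumption of this example).
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def interleave(a, b):
    """Zigzag between two rows: 'qwer' and '1234' give 'q1w2e3r4'."""
    return "".join(x + y for x, y in zip(a, b))

def walk_strings(rows=ROWS):
    """Paths a finger traces across the keyboard: rows, columns and zigzags."""
    walks = list(rows)
    walks.append("".join("".join(col) for col in zip(*rows[1:])))  # qaz wsx edc ...
    walks.append("".join("".join(col) for col in zip(*rows)))      # 1qaz 2wsx ...
    for upper, lower in zip(rows, rows[1:]):
        walks += [interleave(upper, lower), interleave(lower, upper)]
    return walks + [w[::-1] for w in walks]  # the same paths typed backwards

def longest_walk(password, walks=None):
    """Length of the longest stretch of the password that lies on one path."""
    walks = walks or walk_strings()
    pw, best = password.lower(), 0
    for i in range(len(pw)):
        for j in range(len(pw), i + best, -1):  # only look for longer stretches
            if any(pw[i:j] in w for w in walks):
                best = j - i
                break
    return best

def keyspace_bits(password):
    """Size of the blind brute-force search, in bits: length * log2(alphabet)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

# Stand-in for the full list: only the two entries quoted in the article.
COMMON = frozenset({"123456", "qwerty"})

def screen(password, common=COMMON):
    """Reasons to reject a password; an empty list means none were found."""
    reasons = []
    if password.lower() in common:
        reasons.append("common")
    if longest_walk(password) >= max(4, 0.6 * len(password)):
        reasons.append("keyboard-walk")
    if len(password) < 12:  # NordPass's stated minimum for a complex password
        reasons.append("short")
    return reasons
```

A real deployment would load the full common-password list into `COMMON`; a 16-character mixed password such as the constructed sample `T7#kvq!Zr2@mLx9p` passes all three checks.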
You might be wondering how someone is supposed to keep track of these many different passwords, and you are not alone. This is, while certainly not a sales pitch, exactly why products like NordPass’s password manager exist in the first place. These secure programs can generate complex passwords and collect them all in a safe place for your computer to use.