Cybersecurity

The most common password is no longer ‘password,’ but don’t get your hopes up

Users might have used “password” slightly less, but they’re swapping it for worse.
article cover

Illustration: Dianna “Mick” McDougall, Photo: Getty Images

ByTom McKay

3 min read

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

The eternal game of musical chairs continues: Credential management firm NordPass has released its annual list of the top 200 most common passwords, and while the order may have shuffled around a little, they’re as weak as ever.

In last year’s NordPass roundup, the word “password” came out on top. In 2023, “password” fell to seventh place, though it’s not like it was replaced by anything better.

The top 10 passwords, according to NordPass, consisted mostly of variations on counting upward from one:

  1. 123456
  2. admin
  3. 12345678
  4. 123456789
  5. 1234
  6. 12345
  7. password
  8. 123
  9. Aa123456
  10. 1234567890

It remains as unsurprising as ever that the most common passwords are so weak, given that the whole point of a password is to make it hard for someone else to guess.

Nordpass’s analysis was based on a 4.3 terabyte database of leaked credentials from “various publicly available sources, including those on the dark web,” from as many as 35 countries—which might explain the abundance of number-based passwords that don’t run into language barriers.

An attacker could crack every single one of these passwords in under a second, NordPass researchers wrote. (In 11th place was the password “UNKNOWN,” which actually takes around 17 minutes to crack.)

NordPass customers in the US only had one particularly unusual password come up in their list of favorites: “shitbird.” As The Register noted, their UK counterparts often used the name of soccer teams.

Reused, or default, passwords consistently rank as one of the (if not the) biggest cybersecurity problems in studies and surveys of IT experts. Poor password management practices are also one of the main factors enabling credential stuffing attacks, where an attacker reuses compromised credentials from one source on other accounts and devices at scale.

Surveys have also shown that IT experts can be just as sloppy as laypeople when it comes to password practices: A 2021 Constella report on 100+ global cybersecurity leaders, all senior to C-suite in rank, found 24% reused the same passwords at work and for personal use.

While one clear solution is ditching passwords entirely and moving to other methods like passkeys and device-based multifactor authentication, that’s easier said than done. A recent survey of 300 IT and cybersecurity experts across the US by privileged access management vendor Delinea found 68% think passwords aren’t dead as security technology, while 15% think they’ll be used forever.

Just 30% of respondents to the Delinea survey said their organizations had already begun transitioning away from passwords, with 57% estimating they would begin the process within one to four years and a third saying they’ll never transition to other authentication methods entirely.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

I
B