The most popular passwords are the easiest ones to crack because they're so prevalent, and also because they're incredibly simple. It makes you wonder, who's actually using "123456" to secure access to an account? Surely no one would be that foolish, right? To the contrary (kind of), that string of digits
once again tops the annual list of most-used passwords compiled by NordPass, earning the distinction of being the "world's worst password."
This is the sixth time that NordPass has put together a list of the top 200 most common passwords, which are sorted by ranking. The list also includes details on the time it takes to crack each one, and the number of accounts being used. The password manager maker teamed up with NordStellar to review and analyze a sizeable 2.5TB database "extracted from various publicly available sources," and that includes the dark web.
"We analyzed passwords stolen by malware or exposed in data leaks. In most cases, they were leaked with email addresses, allowing us to distinguish between corporate and personal credentials by domain name," NordPass explains in a blog post.
As you can see, "123456" sits atop with it being found on over 3 million accounts. It's taken pole position five out of the six times this list has been compiled. Equally concerning, it takes less than a single second to crack such a password, along with many others on the list, including the top 27 most used ones. And others that are high on the list are derivatives of 2024's worst password, like "123456789" at number two and "12345678" at number three.
Some of the passwords that made the list take longer than a second to crack—they can take minutes, hours, or even days. For example, "g_czechout" is ranked number 157 and takes 12 days to crack.
Regardless of the length of time, you shouldn't be using any passwords that are on the list. That may seem obvious, and if that's the case, why do so many people continue to use incredibly weak passwords? While not covered in the blog post, we can think of multiple reasons.
One is simply convenience, as it's easier to remember a simple password versus a complex one. We also suspect that some of the more rudimentary ones are simply the result of people creating throwaway account logins to access a site that requires an account, as opposed to an attempt to secure an account that actually matters, like a banking site.
In any event, if you're using any of the
passwords on this list for anything important, do yourself a solid and change it right away.