Security Report Reveals The Top 200 Weak Sauce Passwords You Could Possibly Use
You probably don't need an official list to tell you that "123456" is an incredibly weak password (unless you're a CEO, apparently), or that extending it out to "12345678" or even "123456789" are nearly as anemic when it comes to account security. Nevertheless, the folks at NordPass have published an annual list of the top 200 most common passwords, which doubles as a list of the worst passwords you could ever use.
In partnership with independent researchers specializing in cybersecurity, NordPass pored over 4.3TB of data extracted from publicly available sources, and that includes leaked data on the dark web. It also evaluated a 6.6TB database of passwords that had been compromised by various stealer malware, such as Redline, Vidar, Taurus, and several others.
"No personal data was acquired or purchased by NordPass to conduct this study," the security outfit assures.
The majority of passwords that made the list can be cracked in under a second. A handful take a little longer—most of those range from a few seconds to a few minutes, though the longest one to crack on the list ("admintelecom") apparently takes 23 days.
Here's a look at the top 10 most common passwords, along with how long it takes to crack and the number of times the password was found to be used...
The easy assumption is that these and the rest of the passwords on the list are simply for convenience on unimportant accounts. However, that's not necessarily true.
"For five years, at NordPass we've been mapping out password habits. Sometimes they feel like old tunes that never fade. This year, though, there's an extra layer to the story. We've noticed some patterns, especially on certain platform categories," NordPass explains.
One would think that passwords used to log into financial websites would be more secure. And they probably are for the most part, though not exclusively—when sorted by category, "UNKNOWN" and "12345678" rank as some of the more popular weak passwords used.
NordPass also listed some eye-opening stats that it says indicate a password problem. For example, 24 billion credentials have been breached since 2016. Additionally, some 86% of all web attacks use stolen credentials, and 18% of the most common items for sale on the dark web include online accounts, emails, and passwords.
The security outfit makes a pitch that it's time to say goodby to traditional passwords and embrace passkeys. That said, it recommends that passwords should be at least 20 characters long and include a mix of uppercase and lowercase letters, numbers, and symbols. It also says you should avoid using easily guessable information such as birthdays, names, or common words. And of course it's pushing the use of a password manager, and specifically its own.
You can check out the full list of weak passwords and if yours is on there, change it ASAP.