For years, we’ve been told to avoid using some easily guessed passwords. Some of us haven’t gotten the message.
Yes, “password,” “123456” and the only-slightly-more-complex “123456789” were listed as some of the most common password choices worldwide in 2023, according to a report from NordPass, a password-management software company launched in 2019. Those passwords are frequent offenders on the list of easiest-to-crack passwords in each of the five years of the report.
Although it takes less than a second to crack, more than 4.9 million people used “password,” according to NordPass, 44,484 of whom live in the United States. “Password” was, believe it or not, in second place for American users, as 83,429 people preferred “123456.”
Seventy percent of the passwords on the list could be cracked in less than a second.
“People indeed use ‘123456’ for their passwords, despite continuous cybersecurity experts’ warnings,” Tomas Smalakys, CTO of NordPass, told MarketWatch via email. “Interestingly, this password was ranked the most common among internet users four out of five times in this five-year period. Only last year, the password ‘password,’ which is no better in terms of security, was named the world’s most common password.”
NordPass said that it “evaluated a 4.3TB database extracted from various publicly available sources, including those on the dark web” in order to come up with this list. It also looked at a 6.6TB database of stolen passwords gleaned from malware logs. The research was done in partnership with independent researchers who specialize in researching cybersecurity incidents.
The worst passwords on the list share a few traits. First, easy-to-guess passwords often contain simple patterns, such as a sequence of repeating numbers or the keys on a keyboard. NordPass found that 31% of the passwords on the list contained numerical sequences.
Other passwords to avoid include names; simple words such as “pokemon,” “computer” and “baseball”; and common phrases such as “iloveyou.” Not even the man of steel is bulletproof when it comes to protection; “superman” was found more than 13,000 times, and could be broken in less than a second.
Malware was a point of concern for researchers in the report, as it can cause significant headaches, even for those serious about password integrity. Essentially, passwords stored on web browsers or on computers could be at risk from a malware attack.
“Once someone’s computer gets infected with malware, a person risks losing a vast amount of personal information, including passwords and other credentials saved on the browser,” the report noted. “Researchers note stealer malware attacks are considered a huge threat to people’s safety online, recommending that internet users think carefully about their password storage, in addition to password strength.”
The silver lining is that people don’t tend to use bad passwords when it comes to important information. The weakest passwords are being used for streaming accounts, while the strongest passwords are often used for financial accounts.