For security professionals, passwords can be either a pleasant surprise or an unfortunate reminder of how seriously end users take their security credentials—and usually it’s the latter.
NordPass has released its annual Top 200 Most Common Passwords list, which serves as a yearly reminder that creating strong passwords is still something many people struggle with. The list covers the most common passwords across 50 countries and reports, for each entry, how many times it was counted and how long it would take to crack.
The most common password from last year, 123456, holds onto the top spot. In fact, in the United States, over one million more users chose it in 2021 than in the previous year. Most of the rest of the top ten are repeats, although the third most used password of 2020, picture1, has dropped off the list. A crack time of less than one second is what an attacker with a stolen password hash and a dictionary of common passwords achieves; even without a hash, entries this common are the first guesses tried against any login form. The top ten most common passwords in the United States and worldwide are below.
2021 Most Common Passwords – United States
123456 – Less than one second to crack, 3.5M+ uses counted
Password – Less than one second to crack, 1.7M+ uses counted
12345 – Less than one second to crack, 958K+ uses counted
123456789 – Less than one second to crack, 873K+ uses counted
password1 – Less than one second to crack, 666K+ uses counted
abc123 – Less than one second to crack, 610K+ uses counted
12345678 – Less than one second to crack, 440K+ uses counted
qwerty – Less than one second to crack, 382K+ uses counted
11111 – Less than one second to crack, 369K+ uses counted
1234567 – Less than one second to crack, 356K+ uses counted
2021 Most Common Passwords – All Countries
123456 – Less than one second to crack, 103M+ uses counted
123456789 – Less than one second to crack, 46M+ uses counted
12345 – Less than one second to crack, 32M+ uses counted
qwerty – Less than one second to crack, 22M+ uses counted
password – Less than one second to crack, 20M+ uses counted
12345678 – Less than one second to crack, 14M+ uses counted
111111 – Less than one second to crack, 13M+ uses counted
123123 – Less than one second to crack, 10M+ uses counted
1234567890 – Less than one second to crack, 9.6M+ uses counted
1234567 – Less than one second to crack, 9.3M uses counted
Additional common passwords include names, sporting teams (Liverpool is a popular password), automobile brands, swear words and animals. Bands are also popular, with Metallica and Slipknot coming in as the top two most common, and with One Direction making a reappearance after falling off the list last year.
The full list of the 200 most common passwords is available at https://nordpass.com/most-common-passwords-list/. If you see your password on the list (which we hope you don’t), you can use their password generator to create stronger credentials.
Password Best Practices
We know that the notion of password security is nothing new but, as we saw above, insecure passwords continue to be low-hanging fruit for threat actors. To help keep password security in focus as we end the year, our cybersecurity team is sharing some best practices for creating secure passwords and policies below:
Avoid Bad Passwords
See the list above? Do not be on the list.
If only it were that simple, right? In all seriousness, good passwords are always necessary, yet they are increasingly hard to come by. A good first tip for creating a secure password is to avoid anything easily guessable. Some of the worst types of passwords we have encountered include:
Season / Month / Year (for example, Winter2021 or October21)
Variations of “Password” (for example, Password1 or P@ssw0rd)
Implement Password Blacklists
Even with a password policy in place, end users can still choose passwords built around common terms or phrases. A control that organizations are increasingly adopting to close this gap is the password blacklist (also called a banned or denied password list). It rejects any candidate password that matches an entry on the list, including variants that tack on numbers or special characters or swap letters for look-alike symbols, such as P@ssw0rd1. Senior IT Auditor Sarah Hudak touches on password blacklists in one of our recent videos from our Top Cybersecurity Questions of 2021 video series.
We recommend that end users think of passwords as passphrases. Look beyond criteria such as length, numbers and special characters, and pick something only you would know: string together several random words drawn from a personal story or memory. Several short words in a row add length, and with it complexity, while meeting most length requirements. Remember, a password is not automatically secure because it meets a site’s requirements. It is secure when it is long, unique to that account and not something an attacker could guess from what is known about you.
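As an added example of the checks described above, not code from the original post or from any vendor product, the following Python script screens a candidate password against a small constructed denylist drawn from the lists on this page, undoes common leet-speak substitutions so that variants such as P@ssw0rd! are still caught, rejects Season/Month/Year combinations, and enforces an assumed minimum length of 12 characters. The denylist contents, the substitution table and the thresholds are all assumptions chosen for illustration.

```python
import re

# Constructed sample denylist built from the lists above. A real deployment
# would load the full NordPass top 200, or a larger breach corpus, from a file.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "123456789", "password1", "abc123",
    "12345678", "qwerty", "111111", "1234567", "123123", "1234567890",
    "liverpool", "metallica", "slipknot",
}

# Leet-speak substitutions undone before comparison, so "P@ssw0rd!" is
# judged as the word "password". Assumed table; extend as needed.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# Season / Month / Year patterns such as Winter2021, Summer21! or October-2022.
SEASONS_MONTHS = (
    "spring|summer|fall|autumn|winter|"
    "january|february|march|april|may|june|july|august|september|october|"
    "november|december|jan|feb|mar|apr|jun|jul|aug|sep|sept|oct|nov|dec"
)
SEASON_YEAR_RE = re.compile(
    rf"^(?:{SEASONS_MONTHS})[^a-z0-9]*(?:19|20)?\d{{2}}[^a-z0-9]*$"
)

MIN_LENGTH = 12  # assumed policy value; tune to your own requirements


def candidate_forms(password: str) -> set[str]:
    """Lower-cased alphanumeric core of the password, with and without
    leet substitutions undone, so both 'qwerty123' and 'qw3rty' are caught."""
    lowered = password.lower()
    return {
        re.sub(r"[^a-z0-9]", "", lowered),
        re.sub(r"[^a-z0-9]", "", lowered.translate(LEET_MAP)),
    }


def check_password(password: str) -> list[str]:
    """Return the policy violations for a candidate password; an empty list
    means it passed every check."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    forms = candidate_forms(password)
    # Strip trailing digits so "qwerty2021" is still judged as "qwerty".
    stems = {re.sub(r"\d+$", "", form) for form in forms}
    if (forms | stems) & COMMON_PASSWORDS:
        problems.append("matches a denylisted password")
    elif any(entry in form
             for form in forms
             for entry in COMMON_PASSWORDS if len(entry) >= 6):
        problems.append("contains a denylisted password")

    if SEASON_YEAR_RE.match(password.lower()):
        problems.append("is a season or month followed by a year")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd!", "Winter2021!!", "MyLiverpool2021",
                      "Qwerty123456", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The normalisation is the point: a policy that only counts characters and symbol classes accepts P@ssw0rd!, while this check maps it back to the word on the list. In production, load a full breach-derived list rather than the handful of entries embedded here, and run the check at password creation and reset, not only at login.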
Use Password Management Software
We know how hard it can be to remember all of your passwords, especially with the amount of unique requirements from different sites. One way to make it easier is to use password management software, which acts as a master lock of sorts for your passwords. Password managers not only add a layer of convenience to password security, but many also help you create strong passwords with stringent requirements. And no, writing passwords on a slip of paper that you hide under your keyboard is not a password management solution.
Create Multiple Passwords
Whether or not you use a password manager (which makes this easy), a unique password for every account is an absolute must. One of the first things threat actors do with a stolen password is test which other accounts it opens. Using a technique known as credential stuffing, attackers replay stolen username and password pairs against many sites to see how many accounts they can take over, increasing the value of the original breach. Count how many of your accounts share the same password and username or email address, and the potential damage from a single leaked password becomes clear.
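To show what credential stuffing looks like from the defender's side, here is an added example (not from the original post) that runs a simple detector over constructed authentication log lines: one source address tries a different username on nearly every attempt and lands a single success, which is the signature of stolen credentials being replayed across accounts. The log format, the addresses, the usernames and the thresholds are all invented for the illustration.

```python
"""Flag credential-stuffing activity in authentication logs: one source
trying many different usernames, mostly failing, with the odd success where
a reused password happened to be valid."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data). 203.0.113.7 runs a stuffing
# attack across several accounts and lands one hit; 198.51.100.5 is a user
# who mistyped their password twice; 192.0.2.9 hammers a single account.
SAMPLE_LOG = """\
2021-12-10T08:15:02Z ip=203.0.113.7 user=alice result=FAIL
2021-12-10T08:15:03Z ip=203.0.113.7 user=bob result=FAIL
2021-12-10T08:15:03Z ip=203.0.113.7 user=carol result=FAIL
2021-12-10T08:15:04Z ip=203.0.113.7 user=dave result=SUCCESS
2021-12-10T08:15:05Z ip=203.0.113.7 user=erin result=FAIL
2021-12-10T08:15:06Z ip=203.0.113.7 user=frank result=FAIL
2021-12-10T08:16:10Z ip=198.51.100.5 user=alice result=FAIL
2021-12-10T08:16:25Z ip=198.51.100.5 user=alice result=FAIL
2021-12-10T08:16:40Z ip=198.51.100.5 user=alice result=SUCCESS
2021-12-10T08:20:00Z ip=192.0.2.9 user=bob result=FAIL
2021-12-10T08:20:01Z ip=192.0.2.9 user=bob result=FAIL
2021-12-10T08:20:02Z ip=192.0.2.9 user=bob result=FAIL
2021-12-10T08:20:03Z ip=192.0.2.9 user=bob result=FAIL
2021-12-10T08:20:04Z ip=192.0.2.9 user=bob result=FAIL
"""

# Assumed log format: ISO timestamp, source ip, username, SUCCESS or FAIL.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Turn log text into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "SUCCESS"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.7):
    """Return {ip: summary} for sources that, within `window`, attempted at
    least `min_users` distinct accounts with mostly failures. A single account
    hit with many guesses (brute force) is a different pattern and is not
    flagged here. Thresholds are assumed values for the illustration."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, attempts in by_ip.items():
        start = 0
        # Sliding window over this source's attempts, oldest first; the last
        # qualifying window (the widest view of the activity) is kept.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                findings[ip] = {
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    "failures": fails,
                    # Accounts the attacker got into: the reused passwords.
                    "compromised": sorted(u for _, u, ok in chunk if ok),
                }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The success buried among the failures is the account to act on first: that user's password was valid here because it was reused from somewhere that leaked, so reset it and require a new, unique one. The single-account barrage from 192.0.2.9 is left unflagged on purpose; it is a brute-force pattern that a per-account lockout handles, whereas stuffing sidesteps per-account lockout by touching each account only once.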
Update Security Questions
Security questions are commonly used to protect our accounts. However, with our digital footprints spread across social media and search engines, the answers are often easy for threat actors to find. Consider some of the most common questions asked and where their answers can be located:
Birthday – Social media, public records
Where did you and your spouse meet – Social media, wedding registry sites
What high school did you go to – Social media, public record, alumni associations
What was your first job – Social media, professional biographies
Pretty concerning, right? Treat the answers to these questions as you would a password: the answer does not have to be true, only something an attacker cannot look up, and it can live in your password manager alongside the account. Update them regularly as well.
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].