What Are The Most Common Passwords of 2021?

For security professionals, passwords can be either a pleasant surprise or an unfortunate reminder of how seriously end users take their security credentials—and usually it’s the latter.  

Nordpass has released their annual Top 200 Most Common Passwords list, which acts as an annual reminder that creating strong passwords is still something that, for whatever reason, many people struggle with. The list provides the most common passwords across 50 countries and includes information about how many times the passwords are used and how long they take to crack.

The most common password from last year, 123456, holds onto the top spot. In fact, in the United States, over one million more users decided this was a good password to use in 2021. The majority of the rest are repeats, although the third most used password of 2020, picture1, has fallen off the list. The top ten most common passwords from the United States and around the globe are below.

2021 Most Common Passwords – United States

  1. 123456 – Less than one second to crack, 3.5M+ uses counted
  2. Password – Less than one second to crack, 1.7M+ uses counted
  3. 12345 – Less than one second to crack, 958K+ uses counted
  4. 123456789 – Less than one second to crack, 873K+ uses counted
  5. password1 – Less than one second to crack, 666K+ uses counted
  6. abc123 – Less than one second to crack, 610K+ uses counted
  7. 12345678 – Less than one second to crack, 440K+ uses counted
  8. qwerty – Less than one second to crack, 382K+ uses counted
  9. 11111 – Less than one second to crack, 369K+ uses counted
  10. 1234567 – Less than one second to crack, 356K+ uses counted

2021 Most Common Passwords – All Countries

  1. 123456 – Less than one second to crack, 103M+ uses counted
  2. 123456789 – Less than one second to crack, 46M+ uses counted
  3. 12345 – Less than one second to crack, 32M+ uses counted
  4. qwerty – Less than one second to crack, 22M+ uses counted
  5. password – Less than one second to crack, 20M+ uses counted
  6. 12345678 – Less than one second to crack, 14M+ uses counted
  7. 111111 – Less than one second to crack, 13M+ uses counted
  8. 123123 – Less than one second to crack, 10M+ uses counted
  9. 1234567890 – Less than one second to crack, 9.6M+ uses counted
  10. 1234567 – Less than one second to crack, 9.3M uses counted

Additional common passwords include names, sporting teams (Liverpool is a popular password), automobile brands, swear words and animals. Bands are also popular, with Metallica and Slipknot coming in as the top two most common, and with One Direction making a reappearance after falling off the list last year.

The full list of the 200 most common passwords is available at https://nordpass.com/most-common-passwords-list/. If you see your password on the list (which we hope you don’t), you can use their password generator to create stronger credentials. 

Password Best Practices

We know that the notion of password security is nothing new but, as we saw above, insecure passwords continue to be low hanging fruit for threat actors. To help keep password security in focus as we end the year, our cybersecurity team is sharing some best practices for creating secure passwords and policies below:

Avoid Bad Passwords

See the list above? Do not be on the list.

If only it were that simple, right? In all seriousness, good passwords are always necessary. Yet, they are increasingly hard to come by. A good first starter tip for creating a secure password is to avoid those that are easily guessable. Some of the worst type of passwords we have encountered include:

  • Sports Teams
  • Birthdays
  • Pet’s Names
  • Season / Month / Year
  • Address
  • Regional Interests
  • Variations of “Password”
  • Incremented Passwords
  • Reused Passwords

Implement Password Blacklists

Even with secure password policies in place, end users can make passwords that still include common terms or phrases. One of the growing security measures organizations are utilizing to combat this challenge is called password blacklisting. This tactic restricts the choice of potential passwords, removing common phrases and terms, as well as variations that use special characters and/or numbers, from the list. Senior IT Auditor Sarah Hudak touches on password blacklists in one of our recent videos from our Top Cybersecurity Questions of 2021 video series below.


Create Passphrases

We recommend end users think about passwords as passphrases. Look beyond password criteria such as length, numbers and special characters, and think about something that only you would know. Put together random words from a personal story or memory. Stringing along several small words can increase password complexity and meet most length requirements. Remember, a secure password is not automatically secure because it meets a site’s requirements. It is secure if it is something only you would know.

Use Password Management Software

We know how hard it can be to remember all of your passwords, especially with the amount of unique requirements from different sites. One way to make it easier is to use password management software, which acts as a master lock of sorts for your passwords. Password managers not only add a layer of convenience to password security, but many also help you create strong passwords with stringent requirements. And no, writing passwords on a slip of paper that you hide under your keyboard is not a password management solution.

Create Multiple Passwords

If you are not using a password manager, having unique passwords for accounts is an absolute must. One of the first things threat actors do when stealing a password is to see  which other accounts it might crack Using a strategy known as credential stuffing, attackers will see how many accounts they can compromise with stolen credentials to increase their earning potential. If you take a moment to think about how many accounts you have that use the same password and username/email address, chances are you can see the potential damage of having one password.

Update Security Questions

Security questions commonly used to protect our accounts. However, with our digital footprints and information strewn throughout social media and search engines today, they can be easy targets for threat actors. Think about some of the most common questions asked and where the answers can be found, including:

  • Birthday – Social media, public records
  • Where did you and your spouse meet – Social media, wedding registry sites
  • What high school did you go to – Social media, public record, alumni associations
  • What was your first job – Social media, professional biographies

Pretty concerning, right? Remember to treat the answers to these questions as you would a password and update them frequently.

Did you find this article helpful? You may also be interested in our How Much Does a Data Breach Cost in 2021? article.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].

In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2023 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
SEC Charges SolarWinds and CISO Timothy Brown For Misleading Investors
Think Before You Click: Fake Browser Updates are Back in Style
Protect Your Manufacturers: 3 Common Cyber Attack Methods to Watch Out for in 2023
Protect Your Students, Faculty and Staff: 3 Common Cyber Attack Methods to Watch Out for in 2023
Protect Your Retail Business: 3 Common Cyber Attack Methods to Watch Out for in 2023
Cybersecurity in the Construction Industry
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.