The Top Ten Most Common Passwords of 2022

What were the most commonly used passwords of 2022?

NordPass recently released their Top 200 Most Common Passwords list. The list includes several old favorites, including 123456 and password, but also gave way to some new ones as well like Euphoria and Encanto. The annual list offers a comprehensive breakdown of common passwords by country, gender and even the average time it takes to crack the listed passwords.

The most common password across all countries polled is… password, which took the top spot from 123456, the most common password of 2021 and 2020. Prior to 2020, the most common password in the world was 12345.

In the United States, the most common password of 2022 was guest with password coming in fourth place. 12345 and 123456 are also on the list. For a comparison, the top ten most common passwords of the United States and the rest of the countries are listed below.


Did you see one of your passwords on the list?

Even if you didn’t, chances are people within your organization are using some of these passwords. Here are some helpful tips from our team on keeping your passwords secure… and off these lists in the future.

Implement Strong Password Policies

If you look at the most common passwords over the past few years, it seems quite evident that people are simply typing the easiest word/numerical sequence to meet their policy character requirements.

Password (8 characters), 123456 (6 characters), 12345 (5 characters)… clearly not secure at all, but the thought process seems quite likely that their password choice is simple and easy to remember.

This is a prime example of a policy that may sound secure but is setting up their systems to be easily breached.  With easily guessed passwords being a common avenue for a hacker to breach systems, it is extremely important to maintain rigorous password policies that maintain requirements for strong and complex passwords. 

Consider that a hacker’s time is valuable and if they have to spend considerable time trying to crack passwords that are complex, they will likely avoid wasting it if they deem that effort to be futile and they’ll move on to the next potential target.

Requirements can include special characters, capitalization, and restricting any numerical/letter sequences – especially given that six of the top ten most common passwords in 2022 are repetitious or numerical sequences.  

Develop Password Blacklists

Another way to force stronger passwords is to blacklist words or phrases. These can include common words like password and guest, but also phrases or words associated with a company or location that may sound secure but are easily guessable with any knowledge of a company’s background or location.  Sports teams, flagship products and company names are a great place to start in terms of blacklisting terms specific to an organization.

For example, FlyEaglesFly may not appear on this list, but if you’re a Philadelphia-based company, it may be prudent to consider blacklisting that phrase.

Create Passphrases

Another alternative is passphrases. As our previous article discussed, passphrases are something only you would know and, in many cases, meet password policy requirements in terms of character count. Remember, a secure password is not automatically secure because it meets a site’s requirements. It’s level of security is based on its uniqueness, such as, something only you would know, that makes it very difficult to guess or crack.

Require Multi-Factor Authentication (MFA)

MFA became commonplace due to the shift to remote work during the pandemic and is a great way to supplement your password security. MFA is a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login purposes.  Most commonly, MFA contains a combination of “something you know”, such as a password, and “something you possess”, such as a mobile phone. 

Secondary credentials can be a user or company-defined password, a randomly generated code from an app, phone call, email or simply a tap on a smart device. The requirement of a secondary action not only helps protect unauthorized access but can act as an alert that a breach is being attempted with compromised passwords.

Use Password Management Software

Another option to increase password security is to use password management software. The software acts as a master lock of sorts for your passwords and not only adds a layer of convenience to password security, but helps you create strong passwords with stringent requirements.

And no, writing passwords on a slip of paper you hide under your keyboard at home is not a secure password management solution. Just ask Saul Goodman.

If you have any questions about how to strengthen your password policies or if you’re concerned your  organization’s credentials aren’t  the most secure, feel free to contact our team at [email protected].

Related Links

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of expert practitioners offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.

To learn more, visit our dedicated Cybersecurity page or contact the team at [email protected]

Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity.


You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2023 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Norton Believes Credential Stuffing Attack Led to LifeLock Breach
Why Cybersecurity Programs are Facing Increased Scrutiny from Private Equity Firms
Start The New Year Off Secure: 5 Cybersecurity Resolutions for 2023
TikTok: Spreading Holiday Cheer and Personal Information
Cybersecurity BY David Murphy
Key Benefits of Server Message Block Signing
SEC and PCAOB Developments Conference Day 1
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.