The Top Ten Most Common Passwords of 2022

What were the most commonly used passwords of 2022?

NordPass recently released their Top 200 Most Common Passwords list. The list includes several old favorites, including 123456 and password, but also gave way to some new ones as well like Euphoria and Encanto. The annual list offers a comprehensive breakdown of common passwords by country, gender and even the average time it takes to crack the listed passwords.

The most common password across all countries polled is… password, which took the top spot from 123456, the most common password of 2021 and 2020. Prior to 2020, the most common password in the world was 12345.

In the United States, the most common password of 2022 was guest with password coming in fourth place. 12345 and 123456 are also on the list. For a comparison, the top ten most common passwords of the United States and the rest of the countries are listed below.

Source: https://nordpass.com/most-common-passwords-list/

Did you see one of your passwords on the list?

Even if you didn’t, chances are people within your organization are using some of these passwords. Here are some helpful tips from our team on keeping your passwords secure… and off these lists in the future.

Implement Strong Password Policies

If you look at the most common passwords over the past few years, it seems quite evident that people are simply typing the easiest word/numerical sequence to meet their policy character requirements.

Password (8 characters), 123456 (6 characters), 12345 (5 characters)… clearly not secure at all, but the thought process seems quite likely that their password choice is simple and easy to remember.

This is a prime example of a policy that may sound secure but is setting up their systems to be easily breached.  With easily guessed passwords being a common avenue for a hacker to breach systems, it is extremely important to maintain rigorous password policies that maintain requirements for strong and complex passwords. 

Consider that a hacker’s time is valuable and if they have to spend considerable time trying to crack passwords that are complex, they will likely avoid wasting it if they deem that effort to be futile and they’ll move on to the next potential target.

Requirements can include special characters, capitalization, and restricting any numerical/letter sequences – especially given that six of the top ten most common passwords in 2022 are repetitious or numerical sequences.  

Develop Password Blacklists

Another way to force stronger passwords is to blacklist words or phrases. These can include common words like password and guest, but also phrases or words associated with a company or location that may sound secure but are easily guessable with any knowledge of a company’s background or location.  Sports teams, flagship products and company names are a great place to start in terms of blacklisting terms specific to an organization.

For example, FlyEaglesFly may not appear on this list, but if you’re a Philadelphia-based company, it may be prudent to consider blacklisting that phrase.

Create Passphrases

Another alternative is passphrases. As our previous article discussed, passphrases are something only you would know and, in many cases, meet password policy requirements in terms of character count. Remember, a secure password is not automatically secure because it meets a site’s requirements. It’s level of security is based on its uniqueness, such as, something only you would know, that makes it very difficult to guess or crack.

Require Multi-Factor Authentication (MFA)

MFA became commonplace due to the shift to remote work during the pandemic and is a great way to supplement your password security. MFA is a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login purposes.  Most commonly, MFA contains a combination of “something you know”, such as a password, and “something you possess”, such as a mobile phone. 

Secondary credentials can be a user or company-defined password, a randomly generated code from an app, phone call, email or simply a tap on a smart device. The requirement of a secondary action not only helps protect unauthorized access but can act as an alert that a breach is being attempted with compromised passwords.

Use Password Management Software

Another option to increase password security is to use password management software. The software acts as a master lock of sorts for your passwords and not only adds a layer of convenience to password security, but helps you create strong passwords with stringent requirements.

And no, writing passwords on a slip of paper you hide under your keyboard at home is not a secure password management solution. Just ask Saul Goodman.

If you have any questions about how to strengthen your password policies or if you’re concerned your  organization’s credentials aren’t  the most secure, feel free to contact our team at [email protected].

Related Links

• NordPass – Top 200 Most Common Passwords
• Schneider Downs – What Are the Most Common Passwords of 2021?

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of expert practitioners offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.

To learn more, visit our dedicated Cybersecurity page or contact the team at [email protected]. 

Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity.