NordPass teamed up with the threat exposure management platform NordStellar to analyze a 2.5TB database of passwords extracted from public sources, including data leaks and malware-compromised accounts. The world's most popular passwords remain "alarmingly predictable and insecure," according to a new report.
By looking at the email addresses associated with the accounts, the researchers were able to distinguish between personal and corporate passwords. For the second year in a row, "123456" has retained its position as the most used password in the world.
Apart from "123456", several other obvious, easily guessed passwords made it into the top 10, including "123456789," "qwerty123," "111111," and the more interesting "password."
Users' choices give a window into what people are interested in and what they like. Sports team names such as "liverpool" in the UK and the restaurant name "lizottes" in Australia appeared on the lists for those countries. The Finnish and Hungarian words for "password" ("salasana" and "jelszo") featured prominently in those nations.
While a small minority attempted to get a little fancier with choices such as "P@ssw0rd", these measures still proved insufficient. The researchers report that these 'safe' passwords can be cracked in less than a second.
Here are the top 10 most common passwords:
1. 123456
2. 123456789
3. 12345678
4. password
5. qwerty123
6. qwerty1
7. 111111
8. 12345
9. secret
10. 123123
"After analyzing 6 years of data, we can say there hasn't been much improvement in people's password habits," the NordPass team said. "So, despite many organizations trying to raise awareness, the problem is as alive as ever."
NordPass says that if your password is on this list, you should probably change it to something more creative that is also more secure, or maybe even try passkeys. A new form of authentication backed by Apple, Google and Microsoft, passkeys are a much more secure option than passwords. Rather than requiring users to create and remember complex strings of characters, they rely on biometric data or device-specific cryptographic keys to authenticate users.