NordPass has released the latest issue (the sixth version) of its Top 200 Most Common Passwords list. Jim Hillier reported on the list way back in 2020. Not much has changed. Weak passwords still top the list.
Methodology
NordPass compiled the list with NordStellar, a threat exposure management platform owned by NordPass’s corporate parent, Nord Security. They reviewed and analyzed a 2.5TB database extracted from various publicly available sources, including those on the dark web, from 44 countries. They analyzed passwords stolen by malware or exposed in data leaks. In most cases, the passwords were leaked with email addresses.
Since the email addresses included the domain name, they had the information to distinguish between corporate and personal credentials. The list of worst corporate passwords is therefore new in this sixth version.
Personal
Here are the top 20 most popular personal passwords of 2024:
Rank | Password | Time to crack | Count |
1 | 123456 | < 1 second | 3,018,050 |
2 | 123456789 | < 1 second | 1,625,135 |
3 | 12345678 | < 1 second | 884,740 |
4 | password | < 1 second | 692,151 |
5 | qwerty123 | < 1 second | 642,638 |
6 | qwerty1 | < 1 second | 583,630 |
7 | 111111 | < 1 second | 459,730 |
8 | 12345 | < 1 second | 395,573 |
9 | secret | < 1 second | 363,491 |
10 | 123123 | < 1 second | 351,576 |
11 | 1234567890 | < 1 second | 324,349 |
12 | 1234567890 | < 1 second | 324,349 |
13 | 1234567 | < 1 second | 307,719 |
14 | 000000 | < 1 second | 250,043 |
15 | qwerty | < 1 second | 244,879 |
16 | abc123 | < 1 second | 217,230 |
17 | password1 | < 1 second | 211,932 |
18 | iloveyou | < 1 second | 197,880 |
19 | 111111 | < 1 second | 195,237 |
20 | dragon | < 1 second | 144,670 |
(Note: 11 & 12 are the same, probably an error.)
Sequential number passwords remain very popular, with “123456” topping the list. Eleven out of the top twenty most used passwords consist of various numerical combinations. The top five most common passwords have over 6.8 million users. Of the top twenty most used passwords, all take under a second to crack.
Corporate
Here are the top 20 most popular corporate passwords of 2024:
Rank | Password | Time to crack | Count |
1 | 123456 | < 1 second | 1,233,447 |
2 | 123456789 | < 1 second | 693,611 |
3 | 12345678 | < 1 second | 365,724 |
4 | secret | < 1 second | 339,202 |
5 | password | < 1 second | 196,477 |
6 | qwerty123 | < 1 second | 144,238 |
7 | qwerty1 | < 1 second | 137,903 |
8 | 111111 | < 1 second | 106,328 |
9 | 123123 | < 1 second | 102,207 |
10 | 1234567890 | < 1 second | 92,998 |
11 | qwerty | < 1 second | 91,862 |
12 | 1234567 | < 1 second | 86,162 |
13 | 11111111 | < 1 second | 80,114 |
14 | abc123 | < 1 second | 57,907 |
15 | iloveyou | < 1 second | 53,803 |
16 | 123123123 | < 1 second | 51,101 |
17 | 000000 | < 1 second | 46,185 |
18 | 0000000 | < 1 second | 45,376 |
19 | a123456 | < 1 second | 42,194 |
20 | password1 | < 1 second | 41,427 |
The most common corporate passwords are nearly identical to the most common personal passwords. I found this list interesting since I would expect most corporations to have rules against allowing passwords this weak.
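One way a corporate password-set rule could reject the entries in these tables, as an added example that is not from NordPass or the original article. The `COMMON` set is built from the two top-20 lists above, the pattern checks go beyond the listed entries to catch close variants (repeated chunks, sequential digits), and all function names are hypothetical.

```python
# Added example: a denylist check run when a user sets a new password.
# COMMON is built from the two top-20 tables on this page.
COMMON = {
    "123456", "123456789", "12345678", "password", "qwerty123", "qwerty1",
    "111111", "12345", "secret", "123123", "1234567890", "1234567",
    "000000", "qwerty", "abc123", "password1", "iloveyou", "dragon",
    "11111111", "123123123", "0000000", "a123456",
}


def is_repeated_chunk(pw):
    """True when one short chunk repeats to form the whole password,
    e.g. 7777777 (chunk '7') or abcabc (chunk 'abc')."""
    n = len(pw)
    return any(
        n % k == 0 and pw[:k] * (n // k) == pw
        for k in range(1, n // 2 + 1)
    )


def is_digit_run(pw):
    """True for ascending digit runs such as 23456789; 9 wraps to 0."""
    if not pw.isdigit() or len(pw) < 2:
        return False
    return all((int(a) + 1) % 10 == int(b) for a, b in zip(pw, pw[1:]))


def rejection_reason(candidate):
    """Return why the candidate is rejected, or None if it passes.

    Normalisation (strip + casefold) is used for comparison only;
    the password itself is never altered before hashing/storage.
    """
    pw = candidate.strip().casefold()
    if pw in COMMON:
        return "on common-password list"
    if is_repeated_chunk(pw):
        return "repeated pattern"
    if is_digit_run(pw):
        return "sequential digits"
    return None
```

Passing these checks does not make a password strong; a production rule would load a much larger breached-password list in place of the 22 entries here.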
An Interesting Finding
“123456” has been in the number 1 or number 2 spot every year throughout the lifetime of this study as the world’s worst password.
Jim’s 2020 Advice
What Jim said in 2020 is still true today. First, ALWAYS use strong passwords. Second, NEVER use duplicate passwords for accounts that contain sensitive information such as banking, credit cards, etc.
Best Practices
A password manager is an essential part of internet security. Password managers allow users to have strong and unique passwords for every site they visit on the internet. Two good cloud-based password managers are Bitwarden and 1Password. I currently have a subscription to 1Password but have used the premium Bitwarden in the past. Jim Hillier recommends Bitwarden’s free version if you do not need the premium features. If you prefer a password manager with local credential storage, the DCT-recommended KeePass is an excellent choice – I used it for years before switching to cloud-based password managers.
It is also important to have a strong password to protect this password manager. See my Ultimate Guide To Create A Master Password – Part 1 and Part 2 on how to do this.
If you ignore our advice to use a password manager, at least create better passwords than those that are on this list. You will not be as secure as if you use a password manager, but you will be more secure than most. See Jim Hillier’s Creating Strong But Easily Remembered Passwords.