For the last five years, NordPass has published a list of the 200 most popular passwords. They have just released the latest edition. In 2020, Jim Hillier reported on the NordPass list. Not much has changed since then.
Methodology
NordPass compiled the list in partnership with independent researchers who specialize in cybersecurity incidents. They evaluated 6.6 terabytes of data extracted from various publicly available sources, including those on the dark web from 35 countries. These passwords were stolen by various stealer malware, such as Redline, Vidar, Taurus, Raccoon, Azorult, and Cryptbot. They further classified the data into eight verticals: e-commerce, Social Media, Financial, Email, Gaming, Productivity Tools, Smartphone, and Streaming.
Here are the top 20 most popular passwords of 2023:
RANK | PASSWORD | TIME TO CRACK IT | COUNT |
1 | 123456 | < 1 Second | 4,524,867 |
2 | admin | < 1 Second | 4,008,850 |
3 | 12345678 | < 1 Second | 1,371,152 |
4 | 123456789 | < 1 Second | 1,213,047 |
5 | 1234 | < 1 Second | 969,811 |
6 | 12345 | < 1 Second | 728,414 |
7 | password | < 1 Second | 710,321 |
8 | 123 | < 1 Second | 528,086 |
9 | Aa123456 | < 1 Second | 319,725 |
10 | 1234567890 | < 1 Second | 302,709 |
11 | UNKNOWN | 17 Minutes | 240,377 |
12 | 1234567 | < 1 Second | 234,187 |
13 | 123123 | < 1 Second | 224,261 |
14 | 111111 | < 1 Second | 191,392 |
15 | Password | < 1 Second | 177,725 |
16 | 12345678910 | < 1 Second | 172,502 |
17 | 000000 | < 1 Second | 168,653 |
18 | admin123 | 11 Seconds | 159,354 |
19 | ******** | < 1 Second | 152,497 |
20 | user | 1 Second | 146,233 |
Sequential number passwords remain very popular, with “123456” topping the list. Twelve out of the top twenty most used passwords consist of various numerical combinations. The top five most common passwords have over 12 million users. Of the top twenty most used passwords, all but two (“UNKNOWN” and “admin123”) take under a second to crack.
Some Interesting Findings
Streamers do not like strong passwords. Compared to the seven other categories (which already have poor passwords), streamers choose the poorest passwords of all.
“123456” has been in the number 1 or number 2 spot every year throughout the lifetime of this study as the world’s worst password.
In fact, the list of worst passwords has not changed much over the past five years, as you can see in this image:
Jim’s 2020 Advice
What Jim said in 2020 is still true today. First, ALWAYS use strong passwords. Second, NEVER use duplicate passwords for accounts that contain sensitive information such as banking, credit cards, etc.
Best Practices
A password manager is an essential part of internet security. Password managers allow users to have strong and unique passwords for every site they visit on the internet. Two good cloud-based password managers are Bitwarden and 1Password. I currently have a premium subscription to both (overkill, but I’ve been testing 1Password recently). Jim Hillier recommends Bitwarden’s free version if you do not need the premium features. If you prefer a password manager with local credential storage, the DCT-recommended KeePass is an excellent choice – I used it for years before switching to Bitwarden.
It is also important to have a strong password to protect this password manager. See my Ultimate Guide To Create A Master Password – Part 1 and Part 2 on how to do this.
If you ignore our advice to use a password manager, at least create better passwords than those that are on this list. You will not be as secure as if you use a password manager, but you will be more secure than most. See Jim Hillier’s Creating Strong But Easily Remembered Passwords.
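For readers who run a sign-up form or an internal password policy, here is an added example (not from NordPass or the original article) that screens a candidate password against the top-20 table above and also re-derives the numeric-only and top-five figures quoted earlier. The 12-character minimum and the trailing-suffix rule are assumptions chosen for illustration.

```python
import re

# PASSWORD -> COUNT, copied from the top-20 table on this page (rank order).
TOP20 = {
    "123456": 4524867, "admin": 4008850, "12345678": 1371152,
    "123456789": 1213047, "1234": 969811, "12345": 728414,
    "password": 710321, "123": 528086, "Aa123456": 319725,
    "1234567890": 302709, "UNKNOWN": 240377, "1234567": 234187,
    "123123": 224261, "111111": 191392, "Password": 177725,
    "12345678910": 172502, "000000": 168653, "admin123": 159354,
    "********": 152497, "user": 146233,
}
BLOCKLIST = {p.casefold() for p in TOP20}  # compare case-insensitively
MIN_LENGTH = 12  # assumption: a local policy choice, not a figure from the article


def numeric_only() -> list[str]:
    """Passwords in the table that consist of digits alone."""
    return [p for p in TOP20 if p.isdigit()]


def top_n_count(n: int) -> int:
    """Combined COUNT column for the n most used passwords."""
    return sum(sorted(TOP20.values(), reverse=True)[:n])


def screen(candidate: str) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    folded = candidate.casefold()
    # Strip trailing digits/symbols so "Password2023!" is traced back to "password".
    stem = re.sub(r"[\d\W_]+$", "", folded)
    if folded in BLOCKLIST:
        reasons.append("on the top-20 list")
    elif stem and stem in BLOCKLIST:
        reasons.append("listed password plus a suffix")
    if candidate.isdigit():
        reasons.append("digits only")
    if len(set(candidate)) == 1:
        reasons.append("single repeated character")
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


if __name__ == "__main__":
    for pw in ("000000", "PASSWORD", "Password2023!", "correct horse battery staple"):
        print(f"{pw!r}: {screen(pw) or 'accepted'}")
```

In production, the blocklist would be the full 200-entry list or a larger breached-password corpus rather than these twenty rows.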