Please Do Not Use Any of These Passwords
Look, I get it. Nobody likes managing their passwords. It’s much easier to use the same simple password for every account, so that logging in just means typing a familiar phrase from muscle memory.
Now the lecture: this is terrible from a security point of view. Your password is too easy to guess, which means it’s too easy for hackers to break into your accounts. And if you use the same, easy-to-guess password for everything, you’re in for a bad time.
The most common passwords are almost all terrible
Don’t take my word for it: For the sixth year in a row, NordPass (in partnership with NordStellar) has published a list of the most common passwords people use online. This list covers the 200 most common passwords used in 44 countries around the world, based on 2.5 TB of data, including information obtained from the dark web. Some of this data came from passwords that were leaked to hackers or stolen via malware. Because most were tied to email addresses, NordPass was able to separate passwords between business and personal accounts, although this year it found that there was little difference between the passwords people use at work and the ones they use at home.
Looking at the most common passwords from all 44 countries studied here, many of them won’t be surprising. For example, the most commonly used password, used more than three million times, is “123456.” The second most commonly used, used more than 1.6 million times, is “123456789.” The fourth is “password,” and three variations of “qwerty” are in the top 20.
Some personal favorites on this list: “dragon” (#20), “monkey” (#21), “aaaaaaa” (#54), “fuckyou” (#60), “computer” (#63), “trustno1” (#135), “letmein” (#144) and “cheese” (#200). If you use any of these, thanks for the fun password. Now change it immediately.
Bad passwords can be cracked in minutes (or less)
Many of these are clearly bad passwords. Something like “password”, “123456” or “qwerty” is easy for both humans and computers to guess. However, most of these passwords are weak not just because they are widely used. Many of them are simply weak passwords, structured in such a way that a computer can crack them quickly. In fact, most of them can be cracked in less than one second. Scrolling through the list, this becomes obvious. It might take a person a long time to figure out that someone’s password is “123456c,” but a computer can crack it almost instantly.
To be fair, some of them take minutes or hours to crack, and some take quite a long time: cracking “111222tianya”, number 75, will take a whole day, and cracking “g_czechout”, number 157, will take 12 days. But the vast majority of these passwords are almost as bad as having no password at all.
What makes a password strong and unique?
When it comes to creating good passwords, choose something that doesn’t mean anything to you. Really, you don’t want something that means anything to anyone: the more obscure and/or random the password is, the harder it will be for a computer to crack, and it will probably be impossible for a person to guess.
But that doesn’t mean you have to start mashing your keyboard every time you create a new password. One effective way to create strong and unique passwords is to string together several completely random words. Take this dated but still accurate take on the topic from the xkcd comic as a model: Cartoonist Randall Munroe demonstrates that a password like “Tr0ub4dor&3” appears strong at first glance (a person would never guess it), but a computer can crack it pretty easily. Plus, it’s hard to remember. Four random words strung together are much harder for both computers and humans to figure out, and you might have an easier time remembering them, as with the (now infamous) “correcthorsebatterystaple”. Replace some letters with symbols, add a couple of underscores, and you’ll have a strong password.
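The two ideas above, as an added example that is not part of the original article: a check for the structural weaknesses that make the listed passwords fall in under a second, and a random-word passphrase generator with its entropy. The function names, the 12-character minimum and the 32-word demo list are assumptions made for the example; a real generator should draw from a large list such as the 7,776-word EFF diceware list.

```python
import math
import secrets

# Passwords this article quotes from the NordPass list (a sample only).
COMMON = {"123456", "123456789", "password", "dragon", "monkey",
          "computer", "trustno1", "cheese"}
KEY_RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789",
            "abcdefghijklmnopqrstuvwxyz")
MIN_LENGTH = 12  # assumed policy value, not taken from the article

# Constructed 32-word demo list (assumption). It only keeps the example
# self-contained; 32 words give just 5 bits per word.
WORDS = ("anchor basket candle dolphin ember falcon garden harbor "
         "island jacket kettle lantern meadow napkin orchid pebble "
         "quarry ribbon saddle timber umbrella velvet walnut yonder "
         "zipper acorn bridge copper dagger engine feather goblet").split()


def weaknesses(password):
    """Return the reasons a password falls to a fast guessing attack."""
    pw = password.lower()
    found = []
    if pw in COMMON:
        found.append("on common-password list")
    if pw.isdigit():
        found.append("digits only")
    if len(set(pw)) == 1:
        found.append("single repeated character")
    if len(pw) >= 4 and any(pw in run for run in KEY_RUNS):
        found.append("keyboard or alphabet run")
    if len(pw) < MIN_LENGTH:
        found.append("shorter than %d characters" % MIN_LENGTH)
    return found


def passphrase(n_words=4, words=WORDS, sep="-"):
    """Join n_words picked uniformly at random by the OS CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words, list_size):
    """Entropy of a uniformly random passphrase: n * log2(list size)."""
    return n_words * math.log2(list_size)
```

The entropy figure holds only when the words are picked by a random generator; words a person chooses themselves are far more predictable.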
Just get a password manager already
You can read more about creating memorable, strong, and unique passwords in our guide here. Honestly, you only really need to remember one strong and unique password because the rest should be locked in a password manager. This removes the temptation to make any of these passwords memorable: the manager remembers them so you don’t have to. They’ll even come up with passwords for you!
If you need help finding one, our sister site PCMag has a list of the best password managers they tried in 2024. Of course, you can always use the free password manager that comes with your platform of choice. Apple’s new Passwords app is good for managing your passwords on iPhone, iPad, and Mac, although it will be more limited than a dedicated third-party password manager.
Even good passwords don’t keep your account secure
In any case, too much attention is paid to passwords. You should also pair them with two-factor authentication on any account that supports it, preferably through an authentication app rather than a simple text message. If you have 2FA set up, a compromised password won’t be enough for hackers to break into your account; they’ll also need access to the code on your trusted device.
If companies like Apple and Google have their way, passkeys could replace the system entirely. Passkeys combine passwords and 2FA into one secure system. You don’t create a password; rather, your secondary device is the password, storing a secure passkey that only you can access. As long as you can authenticate yourself, you are in. This is a great concept that can make authentication both easier and more secure. But given that many of us still use “password” for everything, it will take us a long time to get there.