NordPass published its 2023 edition of the top 200 most common passwords this week, revealing that a significant number of them can be cracked in under a second using brute-force tools.
The most common password, “123456,” was recorded more than 4.5 million times, according to NordPass, which noted that it takes less than one second to crack. The second-worst was “admin,” which took the same time to crack and was recorded more than 4 million times.
Number-based passwords like “1234,” “12345678,” “123456789,” “12345,” and “123” were also common and can be cracked in under one second. The password “password” ranked No. 7, with more than 718,000 entries, and could be cracked in a similar amount of time, according to the company.
A variation, “P@ssw0rd,” was also commonly reported and took less than a second to bypass. Passwords “Password,” “qwerty,” “abc123,” “qwertyuiop,” “user,” “admin123,” “administration,” “admin1234,” “minecraft,” “asdasd,” “welcome,” “motorola,” “querty123,” and similar variations were also found on the list and can be considered easy to crack.
The top 20 most-used passwords on the list include “123456,” “admin,” “12345678,” “123456789,” “1234,” “12345,” “password,” “123,” “Aa123456,” “1234567890,” “UNKNOWN,” “1234567,” “123123,” “111111,” “Password,” “12345678910,” “000000,” “admin123,” “********,” and “user.” It’s not clear if “UNKNOWN” is an actual password that people use frequently or if it’s an error made when compiling the list.
The company said that in China, 11 of the top 20 passwords were just numbers. “Internet users in China often use numbers in their passwords. While ‘123456’ is the most used password in the country, other numerical sequences, such as ‘111111,’ ‘000000,’ and ‘12345678’ are also widely popular,” NordPass said.
“Your password should be at least 20 characters long and include a mix of uppercase and lowercase letters, numbers, and special symbols,” the company advised on its website. “Avoid using easily guessable information like birthdays, names, or common words.”
It also advised users to “never use the same password across multiple sites or services” because “if one account gets compromised, all your accounts could be at risk.” Users should also change their passwords on a regular basis, the company added, although it noted that technology is becoming more advanced to make passwords more difficult to crack.
Tomas Smalakys, the chief technology officer of NordPass, stated that “with the terrifying risks password users encounter, alternative methods in online authentication are now essential.”
“Passkey technology, considered the most promising innovation to replace passwords, is successfully paving its way, gaining trust among individuals and progressive companies worldwide,” he added. “Being among the first password managers to offer this technology, we see people are curious to test new things, as long as this helps eliminate the hassle of passwords.”
“The average internet user has 240 online accounts that require a password. With the number of online accounts per person growing each year, it’s essential to include password security as part of your cybersecurity plan to protect yourself and your business from cybersecurity incidents and bad actors,” the company said.
Earlier this year, Google announced it would roll out an update for its users that it describes as “the beginning of the end of the password,” opting to use passkeys instead. The tech giant suggested passwords may eventually be phased out for its products, including popular ones like Gmail and YouTube.
“Of course, like any new beginning, the change to passkeys will take time. That’s why passwords and 2SV will still work for Google Accounts. We look forward to helping people, and others in the industry, take this next leap to make signing in easier and safer with Google,” the company wrote in a post.