Facepalm: It probably comes as no surprise that people, in general, are lax when it comes to computer security, especially regarding passwords. Pin it on whatever you want: laziness, difficulty remembering complex strings, or just not caring. Whatever it may be, the most commonly used passwords are also the worst from a security standpoint year after year.
NordPass just published its 2023 edition of the top 200 most common passwords. Unsurprisingly, very few of the entries are secure. The top 10 can all be cracked in under a second using simple brute-force tools.
The vast majority of the rest are no better. Only a handful would give a hacker a problem for more than a second, and only one – “theworldinyourhand” – is virtually uncrackable. It is the number 173 most common password and would take centuries to guess using brute force.
In 2023, as in past years, consecutive strings of numbers seem to be the people’s choice. Selections like “123” (8th), “1234” (5th), “12345” (6th), “123456” (1st), “12345678” (3rd), “123456789” (4th), and “1234567890” (10th) dominate the top 10.
Of course, to satisfy your work’s IT admin and fulfill his dumb rules of having a password of at least eight characters containing a minimum of one capital letter, one lowercase letter, and one numeral, you can always use “Aa123456” (9th). That leaves only two passwords in the top 10 that are arguably less lazy than the rest.
The word “password” comes in at number seven, and since credentials are case-sensitive, “Password” with a capital “P” just missed the top 10, ranking 15th. The lowercase version has appeared in the top 10 since 2020 and won first place last year. Apparently, people creating new accounts seem to assume the word in the box in light gray font is a suggestion rather than a label.
The second most common password this year is “admin.” NordPass found 4,008,850 instances, surpassed only by the numerals one through six used by over 4.5 million users in the sample. Of course, “admin,” as we all know, is the default on many devices, so one could make the case that it is the laziest password of all.
The 2023 list has a few somewhat unexpected examples. Just missing the top 10 at number 11 is “UNKNOWN.” While still not very secure, at least it takes about 11 minutes to brute force, which is 11 minutes more than most of the list.
Oddly, adding “123” to the end of “admin” makes it just as secure as “UNKNOWN.” Furthermore, putting the “at” symbol (@) between the word and the numbers bumps the hack time up to one hour.
“Eliska81” takes about 3 hours to crack, but one has to ask, how did that become a common password ranked 40th on the list? No fewer than 75,755 people are using “Eliska81” as a password. How does that happen?
Finally, the second most challenging password to crack appears at number 54. While “admintelecom” is nowhere close to the centuries it would take to guess “theworldinyourhand,” brute forcing it would still take about 23 days.
There are no valid excuses for poor password choice when so many easy-to-use credential managers are available. A prevalent example is 1Password, which securely stores and automatically enters your login information using only one master password.
Apple customers have even fewer excuses. For Mac, iPhone, and iPad users, the native Keychain app is well integrated, uses your device password or Face ID for access, and syncs your credentials across all platforms with virtually no setup process.
Despite the ease of keeping and storing passwords these days, you can bet your house that next year we’ll see a nearly identical list. If you’d like to view this year’s and past compilations, visit the NordPass website.
Image credits: Lewis Ogden, Marco Verch