Contact us: +45 32 67 26 26

The Most Common Passwords

Gry Myrtveit Gundersen
By: Gry Myrtveit Gundersen Cyber Security | 15 September

Nordpass annually publish a list of the 200 most common passwords in the world, based on research from 50 countries. In this blogpost we present this year’s results according to 2021 research and explain how hackers exploit the fact that many people make use of common passwords and/or reuse their own passwords across websites. Maybe these passwords are being used by someone in your organisation? 

Table of contents

The most common passwords in the world

We won’t list all the 200 passwords here and call it a day, instead we will present the 10 most common passwords and give you a detailed overview of the general tendencies of the remaining list. If you are interested in reading the complete list, you can visit NordPass – where you can also compare passwords between countries and genders. 

Without further ado, here are the 10 most common passwords of 2021.

The 10 most common passwords globally 

The 10 most common (and worst) passwords were counted 280 million times combined during NordPass’ research: 

  1. 123456 

  2. 123456789 

  3. 12345 

  4. qwerty 

  5. password 

  6. 12345678 

  7. 111111 

  8. 123123 

  9. 1234567890 

  10. 1234567

These 10 passwords give us a taste of what the rest of the list has to offer as well. In fact, two thirds of the 200 most common passwords are different combinations of numbers and letters which lie next to each other on the keyboard. However, you don’t have to scroll too far down the list before you find some passwords which might surprise you.

Smart CTA_phishingcase EN

General tendencies among the 200 most common passwords 

When analysing the list, we found some patterns and recurring themes. There is however one password, which did not relate to any of these themes, but is still worth mentioning: “monkey”. This password can be spotted on most of the lists of common passwords over the last years, and it ranks surprisingly high on most of them.  

Except for this honourable mention, we found that most of the remaining passwords could be placed into one of the following four groups: 

Positively loaded words and phrases 

Even though there are a few swear words on the list, they are by far outnumbered by positively loaded words and phrases. Some of the most popular ones are:  

  • iloveyou (22) 

  • princess (61) 

  • sunshine (65) 

  • love (117) 

  • iloveyou1 (122) 

  • freedom (156) 

  • chocolate (161) 

Fun fact! When we compared men and women’s passwords, we found that the list of women’s passwords contained five times more of these words than the list of men’s passwords.

Sports related words 

Another tendency on the list is words related to sports: 

  • football (60) 

  • baseball (91) 

  • soccer (95) 

  • jordan (110) 

  • liverpool (121) 

  • football1 (153) 

We are once again confirming gender stereotypes: Men have 14 such passwords on their list – women only 4.

First names 

…the most common being:  

  • michael (66) 

  • daniel (69) 

  • ashley (88) 

  • charlie (96) 

  • jessica (99)

Words related to fictional universes 

One last tendency on the list is words related to fictional gaming, cartoon or movie universes: 

  • dragon (38) 

  • superman (81) 

  • pokemon (111) 

  • naruto (135) 

  • starwars (166)

 

How hackers exploit weak passwords  

The use of common and weak passwords can pose a significant security threat for both private individuals and organisations. According to Verizon’s 2017 Data Breach Investigation Report, 81% of hacking-related breaches leveraged either stolen and/or weak passwords. Two common hacking techniques which exploit the fact that many people use weak passwords are password spraying and credential stuffing.

Password spraying

One of the methods hackers use to get unauthorized access to accounts and systems is password spraying. The reason why this type of attack is successful is because many people use common passwords. To execute a password spraying attack, the hackers need a list of usernames (e.g., email addresses) and a list of common passwords (e.g., the passwords mentioned earlier in this blogpost). After this they try one password (e.g., qwerty) against all the usernames on the list, before moving on to the next password. If the hackers tried many passwords against one account before moving on to the next account, they would risk being caught and denied access to the account due to too many failed login attempts. The hackers therefore avoid being caught by focusing on one password at a time over a longer period.

Credential stuffing 

Another common hacking technique is credential stuffing. According to LastPass’ Psychology of Passwords report from 2021, 65% of people always or mostly use the same password or a variation. This is exploited by hackers in a credential stuffing attack. Before such an attack, the hackers have gained access to a set of credentials through e.g., a data breach or a phishing attack. These credentials are then used to gain access to the victim’s accounts. 

Example of a credential stuffing attack: 

Let’s imagine that one of your co-workers fell victim to a phishing attack, and that the cybercriminals behind the attack now have access to your co-worker’s login information (username + password) for their private email account. Not only will the cybercriminals now have access to this account – they can also perform a credential stuffing attack by trying this username and password combination on other websites and systems as well. If your co-worker reuses his/her passwords across these websites, the cybercriminals might gain access to several of your co-worker’s accounts. This can in turn lead to identity theft and major financial loss. And, if your co-worker uses the same passwords for their private accounts as for their work accounts, the consequences could be significant for the company as well.

CTA_e-book_blog-desktop

How to improve your password security  

Every day we log in to a number of websites and services which require a password. Over the years our passwords might become too many to remember. It is therefore easy to fall for the temptation of using simple passwords and reusing passwords across accounts. In fact, LastPass’ 2021 report shows that 68% of people who reuse passwords do so because they are afraid of forgetting them. But, as we have seen, such behaviour can be a great vulnerability for you and your company. Luckily, there are several tools and tips which can help you improve your password security! 

On our blog, you can read about: 

If you are interested in increasing the password security in your organisation, you can check out our course about password security here. 

Awareness training can also be a great way to increase password security, as it helps the employees become more aware of their behaviour and creates a good cyber security culture in the organisation.