What are the world’s worst passwords?

World Password Day highlights why passwords still play a vital role in securing our digital environments, even if they do need augmenting with newer, stronger authentication methods.

“Why do I need a password to buy groceries” is a complaint many of us must have muttered whilst filling out yet another tedious ‘Forgotten Password’ form when trying to shop online. Amidst the struggle to remember how to spell your mother’s maiden name or recall who your favourite schoolteacher was, you’d likely be forgiven for thinking that passwords are a waste of time. Yet, once you are safely logged back into your account and the red mist has cleared, you slowly remember that if any random person could access your account without verifying who they are, they could learn a whole lot more about you than your questionable fondness for Rice Krispies.

As the website pulls up your saved delivery address and card payment details, it becomes clear that without a password to protect this information you’d be giving others unnecessary insight into your life, and for malicious cybercriminals, this information could be used to devastating effect.

However, just because you have a password in place to protect your shopping orders, it doesn’t mean it’s a good one. Often, the easiest passwords to remember are the most dangerous to use from a security perspective. Nordpass recently identified 200 of the most common passwords in circulation, and they include all of the classics you’d expect, from 123456 and qwerty, to iloveyou and football.

Below, we’ll look at some of the worst offenders on the list and then hear from security experts about safe password practices, and why multi-factor authentication and password managers may just be the best future for password security.

What passwords should you avoid?

Nordpass’ research highlights that 49 of the 50 most common passwords take less than a second for cybercriminals to crack. The only outlier amongst these is “aa12345678” which takes a whopping two seconds for codebreakers to guess. It doesn’t get much better from there. When looking at the full list, only a handful would take codebreaking software more than an hour, and the longest time quoted by Nordpass for any of the top 200 choices would be three hours. Admittedly, myspace1 might only take so long to crack because codebreakers forgot MySpace was ever a thing, much like the rest of the population.

Unsurprisingly, simple combinations of the numbers 1-9 are the most frequent offenders on Nordpass’ list. Eight of the top ten passwords start with the number 1, seven of which are followed by the number 2. It doesn’t take much imagination to predict what number comes next (for those of you struggling, it involves the numbers 3,4,5…). The rogue option which doesn’t make use of the number 2 is arguably indicative of even more laziness. 111111 is as basic as it gets and rightly claims 7th place. Alongside qwerty and password these ten options are roughly as reliable as a clock without batteries.

In European folklore and modern fantasy literature, dragons are often portrayed as gatekeepers guarding hoards of treasure. However, what many people forget is that the dragons in these stories tend to lose all of their valuables. In a direct parallel to classic dragons such as The Hobbit’s Smaug, using dragon as a password comes with a high probability that your valuable information could be stolen. Ranking 38th on Nordpass’ list, dragon is yet another password that would take less than a second for codebreakers to crack.

When it comes to pop-culture-themed passwords, using Superman is essentially kryptonite for your online security. Likewise, Pokemon is ‘not very effective’ as a password, and unfortunately the force isn’t strong for fans of Star Wars. Each of these passwords takes just a second for cybercriminals to guess, and they rank 81st, 111th, and 166th respectively.

The rest of Nordpass’ list contains a selection of popular boys’ and girls’ names alongside sports terms, and variations of iloveyou and the rather more entertaining f***you.

How to improve your password security

While it is humorous to poke fun at some of the worst passwords that people use, password usage has become a serious issue for many organisations. Today, even complicated passwords are becoming easier for cybercriminals to compromise, and cyberattacks from compromised accounts are becoming ever more costly. To combat this, businesses need to make their employees aware of some best practices that can help improve their password habits.

Use a mix of numbers, symbols and letters

Rick Jones, CEO of DigitalXRAID, believes that passwords “will continue to be a mainstay of our digital lives for a while yet, as the technology predicted to replace them – such as tokenisation or biometrics – remains in development”. During this period of growth, he argues that security leaders should encourage employees to utilise ‘strong, complex passwords with a mix of numbers, symbols and letters, and request that employees change them every 90 days’. Nordpass’ list bears out this advice. Across its list only three passwords have over eleven characters, and all three are only simple combinations of numbers and letters. None of the worst 200 passwords even make use of a single special character.

Passwords should be a minimum of 14 characters

Lorenzo Grillo, Managing Director of Cyber Risk Services at Alvarez & Marsal LLP, agrees with Jones, and believes all passwords should be a minimum of 14 characters. His company also ‘strongly encourage[s] people to use passphrases where possible… They should then be tweaked to include numbers/special characters too’. Longer passphrases are easier for users to remember, whilst still meeting the high levels of complexity that can scupper the efforts of cybercriminals. At higher lengths, even a single additional character can add a lot more complexity to a password.
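The advice above (avoid the common passwords on lists like Nordpass’, use at least 14 characters, and mix letters, digits and symbols) can be turned into a registration-time policy check. The following is an added example, not code from Nordpass or any of the companies quoted; the denylist is a constructed sample built from the passwords named in this article, and a real deployment would load the full list from a file.

```python
"""Password policy check: denylist of common passwords, 14-character minimum,
and a required mix of letters, digits and symbols (added example)."""
import string

# Constructed sample denylist taken from the passwords named in the article.
COMMON_PASSWORDS = {
    "123456", "qwerty", "password", "iloveyou", "football", "111111",
    "aa12345678", "myspace1", "dragon", "superman", "pokemon", "starwars",
}

# Undo the usual digit/symbol-for-letter substitutions so "Dr4g0n" still
# resolves to "dragon"; crackers apply exactly these rules in reverse.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 14  # the minimum recommended above


def candidate_roots(password: str) -> set[str]:
    """Forms of the password that are compared against the denylist:
    lower-cased, with trailing digits/punctuation removed, and with
    leetspeak substitutions undone. 'Superman1938!!' yields 'superman'."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    return {lowered, stripped,
            lowered.translate(LEET_MAP), stripped.translate(LEET_MAP)}


def check_password(password: str) -> list[str]:
    """Return the list of policy failures; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        failures.append("no letters")
    if not any(c.isdigit() for c in password):
        failures.append("no digits")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbols")
    if candidate_roots(password) & COMMON_PASSWORDS:
        failures.append("based on a common password")
    return failures


if __name__ == "__main__":
    for candidate in ("123456", "Dr4g0n!2021", "Superman1938!!",
                      "ilovemydogsomuch", "correct-horse-battery-9"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Note that a long passphrase with a single digit and separator passes, while a denylisted word dressed up with substitutions and a year does not, which is the behaviour the passphrase advice above is aiming for.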

Consider using a password manager

Beyond better password practices, password managers are another potential solution to the threat of poor passwords. Tom Gaffney, Principal Consultant at F-Secure, discusses how “using a password manager can really help you to maintain healthy password habits as they take the hassle out of remembering many different, unique passwords”. Password managers are secure vaults which contain user passwords and keep them all in one safe location. They allow their users to generate unique, complex passwords whenever they are needed and can greatly reduce how often any of us needs to hit the forgotten password button. Jamie Akhtar, CEO and Co-Founder of CyberSmart, highlights how “a good password manager will also tell you how weak your existing passwords are, whether you’ve used them before and whether they’ve shown up in a data breach”. These features all combine to make password managers a must-have for anyone serious about improving their password security.

Multifactor authentication and zero trust methods

Yet, even with strong password practices and password managers, Jones and Grillo agree that passwords alone are not the future of security. Most organisations and users would be better off implementing these options alongside modern multifactor authentication and zero trust methods. Jones highlights how MFA and the limitation of user permissions can ‘be used in conjunction with strong passwords to provide additional assurance and ensure users are only provided with a reasonable level of system privileges’. By requiring users to authenticate with more than one factor, cybercriminals would need much more information about a user to compromise their account, and in many MFA cases, they would also need access to a user’s personal device. And if an account is compromised, only allowing each user access to the exact information they require could severely limit the impact of any potential password breach. Grillo also points to the rapid evolution of MFA, explaining how it has become much more accessible to businesses and individuals in the last few years. Today, it is steadily becoming a key component of many enterprise security strategies and should be considered whenever possible.

Passwords have been around for centuries, and while their effectiveness has dropped in recent years due to the ingenuity of cybercriminals, it’s unlikely that we’ll see them fade from existence just yet. By avoiding weak passwords and implementing strong password practices alongside modern security methods, it’s quite possible that passwords could remain a valuable part of cybersecurity programs for the foreseeable future.