Passwords are an essential part of our digital lives. We use them to protect our online accounts and sensitive information. However, many people use weak, easy-to-guess passwords that put their security at risk. Cybercriminals frequently attempt to break into accounts by guessing common passwords. So what are some of the most frequently used passwords that you should avoid?
Why do people use common passwords?
There are a few key reasons why internet users continue to rely on common passwords:
- They are easy to remember.
- People are lazy about updating passwords.
- Users underestimate the risks of using simple passwords.
- People reuse the same passwords across different sites.
Creating and remembering strong, unique passwords for every account takes effort. Some users prioritize convenience over security. But using an ordinary password makes it incredibly easy for hackers to gain access to accounts. According to a 2020 survey, about two-thirds of people admit to reusing passwords across multiple accounts. This practice dramatically amplifies the risks of using a basic password.
Where do lists of common passwords come from?
Technology companies and internet security firms routinely analyze databases of exposed passwords to identify patterns. When a major data breach occurs, hackers gain access to password databases and frequently release them online. Security researchers examine these large sets of real-world passwords that have been compromised.
By counting the most frequent passwords in these databases, researchers can catalogue the passwords that cybercriminals attempt first. Cybersecurity experts recommend avoiding the most common passwords, since they are essentially public knowledge in hacker circles.
Top 5 most common passwords
While the precise ranking shifts slightly over time, these 5 passwords consistently appear at the top of frequency lists:
- 123456
- 123456789
- qwerty
- password
- 12345
These predictable passwords revolve around simple patterns like consecutive numbers, keyboard lines, and basic dictionary words. They follow memorable patterns but are incredibly weak in terms of security.
#1: 123456
The most popular password by far is “123456” – simply the first 6 numbers in ascending order. This basic numeric pattern offers essentially zero protection despite being widespread. The numbers are easy to remember and quick to enter, but also incredibly obvious. This password often tops lists of compromised passwords by a wide margin.
#2: 123456789
“123456789” extends the simple numeric pattern by 3 additional numbers. Slightly longer than “123456” but still trivial for hackers to crack. Following the number sequence is human nature but also cybersecurity negligence. Just expanding a basic numeric password does little to improve its strength.
#3: qwerty
The next most common choice is “qwerty” – directly based on the first 6 letters in the top alphabetical row of keyboard keys. While this seems more complex than a simple sequence, the relation to keyboard patterns makes it another obvious target for hackers. “Qwerty” has remained popular for years as users continue gravitating to keyboard-based choices.
#4: password
Astoundingly, the single word “password” is the 4th most popular selection. The word itself indicates its function, which ironically makes it one of the worst possible choices. When opening a new account, the fastest option is often to use “password” as the new password. But this default undermines the entire purpose of having a password. It offers no protection and gives accounts away to hackers.
#5: 12345
Rounding out the top 5 is “12345” – a trivial variation on “123456” that swaps the last two digits. It follows the same dangerously predictable numeric pattern as the #1 choice but with a minor change. Easy to remember but equally easy for hackers to try early on when attempting to crack passwords.
Why are these passwords so common?
Looking at these top 5 passwords, some clear patterns emerge. Users choose these options for several key reasons:
- Sequences of numbers are familiar and easy to remember.
- Keyboard patterns feel natural to type and recall.
- “Password” relies on its literal meaning as a password.
- Short passwords require less time and effort to enter.
In other words, the most common passwords represent the path of least resistance. People gravitate toward fast, intuitive options without considering security. But these passwords are effectively public knowledge for hackers. Their simplicity makes them useless for protecting accounts.
Common password strategies
While the top 5 passwords are dangerously weak, they represent some understandable instincts:
Sequences
Passwords like “123456” and “12345” rely on an easy-to-remember sequence. But using any predictable sequence, even longer ones, is risky. Incrementing numbers and consecutive keyboard patterns should be avoided.
Personal info
“Qwerty” and “password” are directly based on the user’s personal keyboard and language. But any password relying on personal facts or patterns provides breadcrumbs for hackers to follow.
Short passwords
All of the top 5 passwords are short, with 6 characters or less. Longer passwords are stronger, but people often use short ones for speed and convenience.
While these instincts are human nature, they lead to catastrophic security when used carelessly as actual passwords. The goal should be passwords that are easy for you to remember but difficult for hackers to predict.
What makes a password strong?
Strong passwords are:
- Long – The longer the password, the more difficult it is crack.
- Random – Mix unpredictable upper and lower case letters, numbers, and symbols.
- Unique – Every account should have its own secure password.
- Secret – Never share passwords or reuse them across accounts.
Ideally passwords have 12+ random characters, with measures like multi-factor authentication for additional protection. But even simpler passwords can be made strong using personal strategies.
Tips for better passwords
Ditch common passwords by making your passwords more complex in these ways:
- Use passphrases – Combinations of words are easier to remember but harder to crack than single words.
- Add variations – Substitute letters with numbers/symbols (e@sy2Remember).
- Use first letters – String together the first letters of a sentence.
- Install a password manager – This generates and stores strong unique passwords.
Most common passwords by year
While the overall list remains fairly constant, the ranking order shifts over time. Here are the #1 passwords discovered each year from 2011-2020, showing the gradual evolution:
| Year | #1 Password |
|---|---|
| 2020 | 123456 |
| 2019 | 123456789 |
| 2018 | 123456 |
| 2017 | 123456 |
| 2016 | 123456 |
| 2015 | 123456 |
| 2014 | 123456 |
| 2013 | 123456 |
| 2012 | 123456 |
| 2011 | password |
“123456” has dominated in recent years, though “password” and “123456789” also topped the list. While the overall pool of passwords changes, the basic patterns persist.
Industry-specific passwords
The most common passwords also vary across different industries. Cybercriminals study password trends in major sectors like:
- Finance – Banks, investment firms, accounting
- Health – Hospitals, insurance, biotech
- Retail – Stores, restaurants, consumer services
- Technology – Software, electronics, IT
Workers at these companies often use related keywords as passwords. Companies should tailor password policies to deter industry-specific passwords. For example, healthcare workers frequently use “patient” or hospital terms. Retail employees might incorporate brand names.
Country differences
Password preferences also demonstrate cultural and language differences globally. For example:
- “123456” is popular in China.
- “password” remains common in English-speaking countries.
- Russian users often choose 1-2-3-4-5-6 (“????????????”).
- Soccer terms like “liverpool” appear in Europe.
- “iloveyou” and names are popular in South-east Asia.
Organizations should account for cultural password trends, like translated dictionary words, in each region. Local language patterns create risks.
Conclusion
Basic human nature leads people to make predictable password choices – repeated characters, keyboard lines, names, birthdays. When these are left unchecked, the result is a password landscape dominated by absurdly weak standards like “123456” or “password”. For individuals, avoiding the most common passwords is the first step toward better security. Organizations also need to implement intelligent password policies that promote complexity without overburdening users. And new authentication technologies like biometrics and hardware security keys help protect against password limitations. By understanding the origins of weak passwords, we can cultivate stronger password culture.