It's March 2022, there's war in Eastern Europe, the COVID-19 pandemic seems to be winding down — and the world's most commonly used passwords haven't changed in years. They're still the worst passwords you could possibly use.
These poorly-thought-out passwords include gems like "123456", "password" and "qwerty" (the first six letters on a standard English-language keyboard). Other winners are "111111", "123456789" and the mildly ingenious "1q2w3e" (a fun little finger dance on a keyboard — try it yourself).
This list isn't taken from a single source. All appear on a list of the 20 passwords most commonly found in dark-web lists compiled from data breaches, per Lookout via a recent CNBC article. They're also on NordPass's list of 2021's 200 most common passwords and its 2020 list as well. You can also find them on CyberNews's top 10 list of 2022.
Going back further, the same passwords appear on a massive password list compiled by security researcher Ata Hakçıl in mid-2020, a somewhat smaller list put together in 2019 by the U.K.'s National Cyber Security Centre and HaveIBeenPwned.com and Keeper Security's list of 2016's 25 most common passwords. Most are on SplashData's lists of the 25 most common passwords from 2011 through 2019.
The most recent lists of lousy passwords
Only the rankings among these seem to change. Here's the Top 10 list that Lookout sent us a month ago (we're waiting for information about how it was compiled), plus the 11-20 entries that Lookout gave CNBC:
- 123456
- 123456789
- qwerty
- password
- 12345
- 12345678
- 111111
- 1234567
- 123123
- qwerty123
- 1q2w3e
- 1234567890
- DEFAULT
- 000000
- abc123
- 654321
- 123321
- qwertyuiop
- Iloveyou
- 666666
Here's NordPass' 2021 Top 10:
- 123456
- 123456789
- 12345
- qwerty
- password
- 12345678
- 111111
- 123123
- 1234567890
- 1234567
And CyberNews' early-2022 entry:
- 123456
- 123456789
- qwerty
- password
- 12345
- qwerty123
- 1q2w3e
- 12345678
- 111111
- 1234567890
Needless to say, this is sad. It shows that many people just can't be bothered to protect themselves online. If you're using any of these terrible passwords, or anything that even looks like them, stop doing so immediately.
How to use passwords correctly
It takes just a little effort to come up with good, strong passwords. For example, if you take four random words of five letters or more and string them together in every possible way, you'll end up with 24 strong, hard-to-guess but easy-to-remember passwords.
Let's review the three cardinal rules of passwords.
— Make every password long and strong. Each password should be at least 16 characters long. Ideally, they should include capital letters, digits and punctuation marks, but if they're 20 characters or more you can probably get away with all lower-case letters.
— Never reuse a password, because that makes the damage from data breaches much worse. If one account of yours is compromised in a data breach, then every account with which you use the same password and username should also be considered compromised.
— Don't use personal information in your passwords. You may love your pet, but don't use its name in your password. Don't use your own name, your hometown, your birth year, or the names of any of your loved ones. "FluffyMcKenzie69" may be long and contain upper-case letters and digits, but it's still not a great password.
We strongly recommend doing two other things which are slightly inconvenient but will make your online accounts much safer.
— Set up two-factor authentication on every online account that allows it. This requires you to enter a one-time code or plug in a USB security key when you're logging in from a new device, but it also means that crooks who steal your passwords won't be able to log in.
— Use a password manager. These programs and online services remember your passwords for you, and also help you generate new ones. All you need to remember is the password for the password manager. Most of the best password managers have both free and paid service tiers, and a few are entirely free.
