If you were thinking that most people would have learned by now not to use “password” as the password for their sensitive systems, then you would be giving too much credit to the general scrolling public.
Cybersecurity researchers from Cybernews and password manager company NordPass both independently reported this week on data surrounding the most commonly-used passwords. Trying to discern the frequently used words, phrases, and numbers among the general public wouldn’t be simple if it weren’t for the troves of leaked passwords being sold on the dark web.
In a release sent to Gizmodo, Cybernews said it based its data on a list of 56 million breached or leaked passwords in 2022 found in databases on darknet and clearnet hacker forums. Some of the most-used passwords were exactly what you would expect: easy-to-remember junk passwords for company accounts, including “123456,” “root,” and “guest” all looking pretty in the top three.
NordPass, on the other hand, listed its top passwords by country and the supposed gender of the user. In its data, “password” sat in the number one spot for most-used password across the globe. Some countries had very specific passwords that were commonly used, such as “liverpool” being the number 4 most-used password in the UK despite ranking 197th worldwide. The number 2 most-used password for Brazilian accounts is “Brasil,” while in Germany number 5 is “hallo.”
In an email to Gizmodo, NordPass said the list of passwords was built by a team of independent researchers who compiled 3TB of data from listings on the dark web, including some data that was leaked in data breaches that occurred in 2022. The company noted that some data might be from late 2021, though the passwords were listed on the dark web in the new year.
Other than that, passwords were ranked simply by how often they appeared in these listings. NordPass noted that many passwords were just a single word, which is one of the easiest kinds of passwords to crack; for somebody with a knowledge of common passwords, it might not even require brute force or other cracking tricks. Company names were even listed in some passwords, which may point to laypeople taking the name of their device, or to companies themselves using lax password security practices. Cybernews’ research also noted that nearly 25% of the passwords it found were only eight characters long. Somewhere around 16% were just four characters long.
Any new password a user creates should be much longer than one word—at least 12 characters—should use upper and lowercase letters, numbers, and symbols, and should avoid any of the common words or simple phrases. Cybernews noted that only a little more than half of the passwords the team scrutinized were simple unique words often associated with major brands or teams. Though most passwords are “hashed,” as in they’re scrambled by algorithms so that anybody breaching a system cannot read the password directly, the issue is that a bad actor who knows which passwords are common can hash those guesses and compare them against the stolen hashes, making a commonly-used password that much easier to break.
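As an added illustration of the two points above (not code from either report), the check below applies the article's recommendations to a candidate password and shows why hashing does not rescue a common choice: the denylist is constructed from the handful of passwords the page names, and unsalted SHA-256 is assumed purely for illustration, since the reports do not say which hashing scheme the leaked systems used. A defender can run the same digest lookup over their own user store to find accounts that need a reset.

```python
import hashlib
import re
import string

# Constructed denylist drawn from the passwords the two reports name;
# a real deployment would load a much larger breached-password list.
COMMON_PASSWORDS = {
    "123456", "password", "root", "guest", "liverpool", "brasil", "hallo",
}


def sha256_hex(password):
    """Unsalted SHA-256 hex digest (assumed scheme, for illustration only)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Precomputing the digest of every common password once is all it takes to
# recognise those passwords in a leaked hash dump, so the hash adds nothing
# for the users who picked them.
COMMON_SHA256 = {sha256_hex(p): p for p in COMMON_PASSWORDS}


def is_common_hash(hex_digest):
    """Return the common password behind a digest, or None if it is not on the list."""
    return COMMON_SHA256.get(hex_digest.lower())


def password_problems(candidate):
    """Check a candidate against the article's rules: at least 12 characters,
    upper and lowercase letters, a digit, a symbol, and no common word inside it.
    Returns the list of failed rules; an empty list means the candidate passed."""
    problems = []
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no symbol")
    # Substring match, so "Password123!" is still caught; tune for false positives.
    if any(word in candidate.lower() for word in COMMON_PASSWORDS):
        problems.append("contains a common password")
    return problems
```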
Click through the slides to see a list of some of the most-used passwords included from both reports, including some truly inane and bizarre passwords used by thousands.