This is a list of the most common passwords, discovered in various data breaches. Common passwords generally are not recommended on account of low password strength. [1]
NordPass, a password manager, has released its sixth annual list of the 200 most common passwords, highlighting persistent trends in password selection. [2] The top twenty most frequently used passwords are:
Rank | Password |
---|---|
1 | 123456 |
2 | 123456789 |
3 | 12345678 |
4 | password |
5 | qwerty123 |
6 | qwerty1 |
7 | 111111 |
8 | 12345 |
9 | secret |
10 | 123123 |
11 | abc123 |
12 | password1 |
13 | letmein |
14 | 1q2w3e4r |
15 | monkey |
16 | qwerty |
17 | 123qwe |
18 | 1234 |
19 | iloveyou |
20 | 123321 |
The Worst Passwords List is an annual list of the 25 most common passwords from each year as produced by internet security firm SplashData. [3] Since 2011, the firm has published the list based on data examined from millions of passwords leaked in data breaches, mostly in North America and Western Europe, over each year. In the 2016 edition, the 25 most common passwords made up more than 10% of the surveyed passwords, with the most common password of 2016, "123456", making up 4%. [4]
Rank | 2011 [5] | 2012 [6] | 2013 [7] | 2014 [8] | 2015 [9] | 2016 [4] | 2017 [10] | 2018 [11] | 2019 [12] |
---|---|---|---|---|---|---|---|---|---|
1 | password | password | 123456 | 123456 | 123456 | 123456 | 123456 | 123456 | 123456 |
2 | 123456 | 123456 | password | password | password | password | password | password | 123456789 |
3 | 12345678 | 12345678 | 12345678 | 12345 | 12345678 | 12345 | 12345678 | 123456789 | qwerty |
4 | qwerty | abc123 | qwerty | 12345678 | qwerty | 12345678 | qwerty | 12345678 | password |
5 | abc123 | qwerty | abc123 | qwerty | 12345 | football | 12345 | 12345 | 1234567 |
6 | monkey | monkey | 123456789 | 123456789 | 123456789 | qwerty | 123456789 | 111111 | 12345678 |
7 | 1234567 | letmein | 111111 | 1234 | football | 1234567890 | letmein | 1234567 | 12345 |
8 | letmein | dragon | 1234567 | baseball | 1234 | 1234567 | 1234567 | sunshine | iloveyou |
9 | trustno1 | 111111 | iloveyou | dragon | 1234567 | princess | football | qwerty | 111111 |
10 | dragon | baseball | adobe123 [a] | football | baseball | 1234 | iloveyou | iloveyou | 123123 |
11 | baseball | iloveyou | 123123 | 1234567 | welcome | login | admin | princess | abc123 |
12 | 111111 | trustno1 | admin | monkey | 1234567890 | welcome | welcome | admin | qwerty123 |
13 | iloveyou | 1234567 | 1234567890 | letmein | abc123 | solo | monkey | welcome | 1q2w3e4r |
14 | master | sunshine | letmein | abc123 | 111111 | abc123 | login | 666666 | admin |
15 | sunshine | master | photoshop [a] | 111111 | 1qaz2wsx | admin | abc123 | abc123 | qwertyuiop |
16 | ashley | 123123 | 1234 | mustang | dragon | 121212 | starwars | football | 654321 |
17 | bailey | welcome | monkey | access | master | flower | 123123 | 123123 | 555555 |
18 | passw0rd | shadow | shadow | shadow | monkey | passw0rd | dragon | monkey | lovely |
19 | shadow | ashley | sunshine | master | letmein | dragon | passw0rd | 654321 | 7777777 |
20 | 123123 | football | 12345 | michael | login | sunshine | master | !@#$%^&* | welcome |
21 | 654321 | jesus | password1 | superman | princess | master | hello | charlie | 888888 |
22 | superman | michael | princess | 696969 | qwertyuiop | hottie | freedom | aa123456 | princess |
23 | qazwsx | ninja | azerty | 123123 | solo | loveme | whatever | donald | dragon |
24 | michael | mustang | trustno1 | batman | passw0rd | zaq1zaq1 | qazwsx | password1 | password1 |
25 | Football | password1 | 000000 | trustno1 | starwars | password1 | trustno1 | qwerty123 | 123qwe |
Password manager Keeper compiled its own list of the 25 most common passwords in 2016, from 25 million passwords leaked in data breaches that year. [14]
Rank | 2016 [14] |
---|---|
1 | 123456 |
2 | 123456789 |
3 | qwerty |
4 | 12345678 |
5 | 111111 |
6 | 1234567890 |
7 | 1234567 |
8 | password |
9 | 123123 |
10 | 987654321 |
11 | qwertyuiop |
12 | mynoob |
13 | 123321 |
14 | 666666 |
15 | 18atcskd2w |
16 | 7777777 |
17 | 1q2w3e4r |
18 | 654321 |
19 | 555555 |
20 | 3rjs1la7qe |
21 | |
22 | 1q2w3e4r5t |
23 | 123qwe |
24 | zxcvbnm |
25 | 1q2w3e |
The National Cyber Security Centre (NCSC) compiled its own list of the 20 most common passwords in 2019, from 100 million passwords leaked in data breaches that year. [15]
Rank | 2019 [15] |
---|---|
1 | 123456 |
2 | 123456789 |
3 | qwerty |
4 | password |
5 | 1111111 |
6 | 12345678 |
7 | abc123 |
8 | 1234567 |
9 | password1 |
10 | 12345 |
11 | 1234567890 |
12 | 123123 |
13 | 000000 |
14 | Iloveyou |
15 | 1234 |
16 | 1q2w3e4r5t |
17 | Qwertyuiop |
18 | 123 |
19 | Monkey |
20 | Dragon |
Microsoft Word is a word processing program developed by Microsoft. It was first released on October 25, 1983, under the name Multi-Tool Word for Xenix systems. Subsequent versions were later written for several other platforms including: IBM PCs running DOS (1983), Apple Macintosh running the Classic Mac OS (1985), AT&T UNIX PC (1985), Atari ST (1988), OS/2 (1989), Microsoft Windows (1989), SCO Unix (1990), Handheld PC (1996), Pocket PC (2000), macOS (2001), Web browsers (2010), iOS (2014), and Android (2015).
A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services that a typical individual accesses can make memorization of unique passwords for each service impractical. Using the terminology of the NIST Digital Identity Guidelines, the secret is held by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.
The File Transfer Protocol (FTP) is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. FTP is built on a client–server model architecture using separate control and data connections between the client and the server. FTP users may authenticate themselves with a plain-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it. For secure transmission that protects the username and password, and encrypts the content, FTP is often secured with SSL/TLS (FTPS) or replaced with SSH File Transfer Protocol (SFTP).
In cryptanalysis and computer security, a dictionary attack is an attack using a restricted subset of a keyspace to defeat a cipher or authentication mechanism by trying to determine its decryption key or passphrase, sometimes trying thousands or millions of likely possibilities often obtained from lists of past security breaches.
A passphrase is a sequence of words or other text used to control access to a computer system, program or data. It is similar to a password in usage, but a passphrase is generally longer for added security. Passphrases are often used to control both access to, and the operation of, cryptographic programs and systems, especially those that derive an encryption key from a passphrase. The origin of the term is by analogy with password. The modern concept of passphrases is believed to have been invented by Sigmund N. Porter in 1982.
A cryptographic hash function (CHF) is a hash algorithm that has special properties desirable for a cryptographic application:
In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function. KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a Diffie–Hellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation.
In cryptanalysis and computer security, password cracking is the process of guessing passwords protecting a computer system. A common approach is to repeatedly try guesses for the password and to check them against an available cryptographic hash of the password. Another type of approach is password spraying, which is often automated and occurs slowly over time in order to remain undetected, using a list of common passwords.
passwd is a command on Unix, Plan 9, Inferno, and most Unix-like operating systems used to change a user's password. The password entered by the user is run through a key derivation function to create a hashed version of the new password, which is saved. Only the hashed version is stored; the entered password is not saved for security reasons.
An authentication protocol is a type of computer communications protocol or cryptographic protocol specifically designed for transfer of authentication data between two entities. It allows the receiving entity to authenticate the connecting entity as well as authenticate itself to the connecting entity by declaring the type of information needed for authentication as well as syntax. It is the most important layer of protection needed for secure communication within computer networks.
Autocomplete, or word completion, is a feature in which an application predicts the rest of a word a user is typing. In Android and iOS smartphones, this is called predictive text. In graphical user interfaces, users can typically press the tab key to accept a suggestion or the down arrow key to accept one of several.
A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password. Examples of security tokens include wireless key cards used to open locked doors, a banking token used as a digital authenticator for signing in to online banking, or signing transactions such as wire transfers.
Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as username or password, with a user's web browser. This can be used to confirm the identity of a user before sending sensitive information, such as online banking transaction history. It applies a hash function to the username and password before sending them over the network. In contrast, basic access authentication uses the easily reversible Base64 encoding instead of hashing, making it non-secure unless used in conjunction with TLS.
A rainbow table is a precomputed table for caching the outputs of a cryptographic hash function, usually for cracking password hashes. Passwords are typically stored not in plain text form, but as hash values. If such a database of hashed passwords falls into the hands of attackers, they can use a precomputed rainbow table to recover the plaintext passwords. A common defense against this attack is to compute the hashes using a key derivation function that adds a "salt" to each password before hashing it, with different passwords receiving different salts, which are stored in plain text along with the hash.
A security hacker or security researcher is someone who explores methods for breaching defenses and exploiting weaknesses in a computer system or network. Hackers may be motivated by a multitude of reasons, such as profit, protest, information gathering, challenge, recreation, or evaluation of a system's weaknesses to assist in formulating defenses against potential hackers.
Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.
A user is a person who utilizes a computer or network service. A user often has a user account and is identified to the system by a username. Some software products provide services to other systems and have no direct end users.
In computing, a blacklist, disallowlist, blocklist, or denylist is a basic access control mechanism that allows through all elements, except those explicitly mentioned. Those items on the list are denied access. The opposite is a whitelist, allowlist, or passlist, in which only items on the list are let through whatever gate is being used. A greylist contains items that are temporarily blocked until an additional step is performed.
In cryptography, a pepper is a secret added to an input such as a password during hashing with a cryptographic hash function. This value differs from a salt in that it is not stored alongside a password hash, but rather the pepper is kept separate in some other medium, such as a Hardware Security Module. Note that the National Institute of Standards and Technology refers to this value as a secret key rather than a pepper. A pepper is similar in concept to a salt or an encryption key. It is like a salt in that it is a randomized value that is added to a password hash, and it is similar to an encryption key in that it should be kept secret.
Have I Been Pwned? is a website that allows Internet users to check whether their personal data has been compromised by data breaches. The site has been widely touted as a valuable resource for Internet users wishing to protect their own security and privacy. Have I Been Pwned? was created by security expert Troy Hunt on 4 December 2013.