List of the most common passwords

This is a list of the most common passwords, as discovered in various data breaches. Common passwords are generally not recommended because they have very low password strength: an attacker can guess them with only a handful of attempts per account. [1]

List

NordPass

NordPass published its research on the most commonly breached passwords in 2021. [2] The company compiled the 200 worst passwords from a database of 275,699,516 leaked passwords.

Top 20 most common passwords according to NordPass [3]

Rank  2021
   1  123456
   2  123456789
   3  12345
   4  qwerty
   5  password
   6  12345678
   7  111111
   8  123123
   9  1234567890
  10  1234567
  11  qwerty123
  12  000000
  13  1q2w3e
  14  aa12345678
  15  abc123
  16  password1
  17  1234
  18  qwertyuiop
  19  123321
  20  password123

SplashData

The Worst Passwords List is an annual list of the 25 most common passwords of each year, produced by internet security firm SplashData. [4] Since 2011 the firm has published the list based on millions of passwords leaked in data breaches over the year, mostly from users in North America and Western Europe. In the 2016 edition, the 25 most common passwords accounted for more than 10% of the surveyed passwords, and the single most common password of 2016, "123456", accounted for 4% on its own. [5]

Top 25 most common passwords by year according to SplashData

Rank  2011 [6]     2012 [7]     2013 [8]     2014 [9]     2015 [10]    2016 [5]     2017 [11]    2018 [12]    2019 [13]
   1  password     password     123456       123456       123456       123456       123456       123456       123456
   2  123456       123456       password     password     password     password     password     password     123456789
   3  12345678     12345678     12345678     12345        12345678     12345        12345678     123456789    qwerty
   4  qwerty       abc123       qwerty       12345678     qwerty       12345678     qwerty       12345678     password
   5  abc123       qwerty       abc123       qwerty       12345        football     12345        12345        1234567
   6  monkey       monkey       123456789    123456789    123456789    qwerty       123456789    111111       12345678
   7  1234567      letmein      111111       1234         football     1234567890   letmein      1234567      12345
   8  letmein      dragon       1234567      baseball     1234         1234567      1234567      sunshine     iloveyou
   9  trustno1     111111       iloveyou     dragon       1234567      princess     football     qwerty       111111
  10  dragon       baseball     adobe123[a]  football     baseball     1234         iloveyou     iloveyou     123123
  11  baseball     iloveyou     123123       1234567      welcome      login        admin        princess     abc123
  12  111111       trustno1     admin        monkey       1234567890   welcome      welcome      admin        qwerty123
  13  iloveyou     1234567      1234567890   letmein      abc123       solo         monkey       welcome      1q2w3e4r
  14  master       sunshine     letmein      abc123       111111       abc123       login        666666       admin
  15  sunshine     master       photoshop[a] 111111       1qaz2wsx     admin        abc123       abc123       qwertyuiop
  16  ashley       123123       1234         mustang      dragon       121212       starwars     football     654321
  17  bailey       welcome      monkey       access       master       flower       123123       123123       555555
  18  passw0rd     shadow       shadow       shadow       monkey       passw0rd     dragon       monkey       lovely
  19  shadow       ashley       sunshine     master       letmein      dragon       passw0rd     654321       7777777
  20  123123       football     12345        michael      login        sunshine     master       !@#$%^&*     welcome
  21  654321       jesus        password1    superman     princess     master       hello        charlie      888888
  22  superman     michael      princess     696969       qwertyuiop   hottie       freedom      aa123456     princess
  23  qazwsx       ninja        azerty       123123       solo         loveme       whatever     donald       dragon
  24  michael      mustang      trustno1     batman       passw0rd     zaq1zaq1     qazwsx       password1    password1
  25  Football     password1    000000       trustno1     starwars     password1    trustno1     qwerty123    123qwe

Keeper

Password manager Keeper compiled its own list of the 25 most common passwords in 2016, from 25 million passwords leaked in data breaches that year. [15]

Top 25 most common passwords according to Keeper

Rank  2016 [15]
   1  123456
   2  123456789
   3  qwerty
   4  12345678
   5  111111
   6  1234567890
   7  1234567
   8  password
   9  123123
  10  987654321
  11  qwertyuiop
  12  mynoob
  13  123321
  14  666666
  15  18atcskd2w
  16  7777777
  17  1q2w3e4r
  18  654321
  19  555555
  20  3rjs1la7qe
  21  google
  22  1q2w3e4r5t
  23  123qwe
  24  zxcvbnm
  25  1q2w3e

National Cyber Security Centre

The UK National Cyber Security Centre (NCSC) published its own list of the 20 most common passwords in 2019, based on an analysis of 100 million passwords exposed in data breaches. [16]

Top 20 most common passwords according to NCSC

Rank  2019 [16]
   1  123456
   2  123456789
   3  qwerty
   4  password
   5  1111111
   6  12345678
   7  abc123
   8  1234567
   9  password1
  10  12345
  11  1234567890
  12  123123
  13  000000
  14  Iloveyou
  15  1234
  16  1q2w3e4r5t
  17  Qwertyuiop
  18  123
  19  Monkey
  20  Dragon
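The lists above are produced by counting how often each password appears in a breach dump, and their practical use on the defending side is as a denylist: a registration or password-change form should refuse anything on such a list, including trivial variants such as "Password1!" or "P@ssw0rd". The following is an added example, not code from this page or from NordPass, SplashData, Keeper or the NCSC. The sample dump, the leet-substitution table and the 8-character minimum are assumptions made for illustration (the minimum follows the NIST SP 800-63B requirement for user-chosen passwords).

```python
"""Added example (not from the page): rank a breach dump by frequency, as the
surveys above do, then use the resulting top-N list as a denylist that also
catches trivial variants (case, leet substitutions, appended digits/symbols)."""
import re
from collections import Counter

# Constructed sample dump (100 entries); real surveys use hundreds of millions.
SAMPLE_DUMP = (
    ["123456"] * 40 + ["password"] * 25 + ["qwerty"] * 15 + ["12345678"] * 10
    + ["letmein"] * 5 + ["dragon"] * 2
    + ["Tr0ub4dor&3", "correct horse battery staple", "xK9#pLm2vQ"]
)

# Assumed substitution table for common "leet" spellings. Mapping "1" and "!"
# to "i" is a simplification; both are also used for "l" in practice.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def rank_passwords(dump, n):
    """Return (top, share): the n most frequent passwords with their counts,
    and the fraction of all entries in the dump that those n passwords cover."""
    counts = Counter(dump)
    top = counts.most_common(n)
    share = sum(c for _, c in top) / len(dump)
    return top, share


def variants(candidate):
    """Canonical forms of a candidate to compare against a lowercase denylist:
    the lowercase string, its leet-decoded form, and each of those with
    leading/trailing non-letters stripped ("Password1!" -> "password")."""
    lower = candidate.lower()
    forms = []
    for base in (lower, lower.translate(LEET)):
        for form in (base,
                     re.sub(r"[^a-z]+$", "", base),
                     re.sub(r"^[^a-z]+|[^a-z]+$", "", base)):
            if form and form not in forms:
                forms.append(form)
    return forms


def check_password(candidate, denylist, min_length=8):
    """Return (accepted, reason). min_length=8 follows the NIST SP 800-63B
    minimum for user-chosen passwords; denylist entries are matched
    case-insensitively against every canonical form of the candidate."""
    if len(candidate) < min_length:
        return False, "too short"
    blocked = {p.lower() for p in denylist}
    for form in variants(candidate):
        if form in blocked:
            return False, f"matches common password '{form}'"
    return True, "ok"


if __name__ == "__main__":
    top, share = rank_passwords(SAMPLE_DUMP, 5)
    print(f"top 5 cover {share:.0%} of the dump:")
    for pw, count in top:
        print(f"  {pw:<12} {count}")
    denylist = [pw for pw, _ in top]
    for cand in ("Password1!", "P@ssw0rd", "qwerty2024", "12345678",
                 "correct horse battery staple", "dragonfly99"):
        print(f"{cand!r:32} -> {check_password(cand, denylist)}")
```

The top-N share that `rank_passwords` computes is the same statistic SplashData reports for 2016 (its 25 most common passwords covering over 10% of the sample). In a production check the denylist should be a large corpus of leaked passwords rather than a top-25, and the suffix-stripping heuristic in `variants` is a supplement to, not a replacement for, an exact-match lookup against that corpus.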

Notes

  [a] The presence of "adobe123" and "photoshop" on the 2013 list was skewed by the large number of Adobe passwords included in the collected data, following a major security breach in 2013 that affected over 48 million Adobe users. [8] [14]


References

  1. Titcomb, James (March 23, 2016). "Do you have one of the most common passwords? They're ridiculously easy to guess". The Telegraph. Retrieved May 1, 2017.
  2. "The 200 Worst Passwords of 2021 Are Here and Oh My God". gizmodo.com. November 17, 2021.
  3. "Most common passwords of 2021". nordpass.com. Retrieved December 1, 2021.
  4. Mastroianni, Brian (January 20, 2016). "These were the 25 worst passwords of 2015". CBS News.
  5. Bruner, Raisa (January 23, 2017). "The 25 Worst Passwords You Should Never Use". TIME.
  6. Ho, Erica (November 22, 2011). "The 25 Most Popular (and Worst) Passwords of 2011". TIME.
  7. Waxman, Olivia B. (October 25, 2012). "The 25 worst passwords of 2012". CNN. Archived from the original on October 31, 2012.
  8. Newman, Jared (January 20, 2014). "The 25 worst passwords of 2013: 'password' gets dethroned". PC World.
  9. Waxman, Olivia (January 20, 2015). "These Are The 25 Worst Passwords of 2014". TIME.
  10. Chang, Lulu (January 19, 2016). "Wookie mistake: 'starwars' is now one of the world's 25 worst passwords". Digital Trends.
  11. Korosec, Kirsten (December 19, 2017). "The 25 Most Common Passwords of 2017 Include 'Star Wars'". FORTUNE.
  12. Ehrenkranz, Melanie (December 13, 2018). "The 25 Most Popular Passwords of 2018 Will Make You Feel Like a Security Genius". Gizmodo.
  13. Keck, Catie (December 18, 2019). "It's Time to Nervously Mock the 50 Worst Passwords of the Year". Gizmodo.
  14. Kelly, Heather (January 22, 2014). "'123456' tops list of worst passwords". CNN.
  15. McGoogan, Cara (January 16, 2017). "The world's most common passwords revealed: Are you using them?". The Daily Telegraph.
  16. "NCSC Reveals List Of World's Most Hacked Passwords". Forbes. Retrieved November 6, 2023.