People often choose terrible passwords to protect their accounts. Don’t believe it? NordPass has proof—it analyzed leaked passwords to find the top 200 most common ones, and they’re bad. Think ‘crackable in less than one second’ bad.
At the top of the list is 123456, followed by the just-as-easily cracked 123456789 and 12345678. (Seems people love mashing numbers along their number row.) The overwhelming majority of the 200 can be cracked in seconds, with several taking a few hours and one particular exception taking 12 days (g_czechout). Most noteworthy: The self-aware but still indefensible changeme, which can also be cracked in under a second.
Why is this so problematic? With so many people reusing passwords, their accounts become easy targets. Further, when data breaches and leaks reveal new passwords that are often used across the web, that gives hackers more ammunition for attacks (like credential stuffing).
These and the remaining most common passwords were found as part of the company’s annual look at data publicly available online, which includes the dark web. For this sixth run, NordPass worked with sister service NordStellar (which focuses on corporate security) to comb through 2.5TB of info with 44 countries of origin and encompassing both personal and corporate credentials.
According to NordPass, 123456 continues to dominate the leaderboard during this annual exercise—it’s held the top spot for five of the six years. (Yikes.) The company’s subsequent conclusion is that people just haven’t improved their password habits.
But it doesn’t have to be this way. Online security takes just a few steps, and tools exist to make them easy—like password managers. NordPass’ report may make a case for its own service, but any good password manager simplifies creating and tracking unique, strong passwords.
Many now also support passkeys, which are an even more secure form of authentication. These days, I recommend them over passwords for most people. They’re the way to go if you hate thinking about or remembering passwords, since they rely on a PIN or biometrics (e.g., your fingerprint or facial recognition) for use. All you need is a device or a password manager to store them. (Though for safety, I also advise keeping your email password separate from your password manager’s—just in case you get locked out of the latter. A backup device for your passkeys doesn’t hurt either.)
You can check out NordPass’s list of the top 200 most common passwords for yourself, which also breaks down the top 20 for specific countries. As a teaser, have a look at the United States’ hall of shame below.
P.S.: If any of your passwords is on this list, change it now. Do it out of love for your future self.
20 most common passwords in the United States (2024)
- secret
- 123456
- password
- qwerty123
- qwerty1
- 123456789
- password1
- 12345678
- 12345
- abc123
- qwerty
- iloveyou
- Password
- baseball
- 1234567
- 111111
- princess
- football
- monkey
- sunshine