Cybersecurity firm NordPass has released its annual top 200 most common passwords list. It includes several old favorites, including ‘123456’ and ‘password,’ but also brings new ones like ‘Euphoria and ‘Encanto.’ The list offers a breakdown of common passwords by country, gender, and even the average time it takes to crack the listed passwords. Experts say you should use the list as a guide to passwords to avoid.  “A bad password is something that can be guessed easily,” Paolo Gasti, a professor of computer science at the New York Institute of Technology who researches passwords, told Lifewire in an email interview. “Users tend to choose something easy to remember (e.g., “password,” “baseball”), something easy to type (e.g., ‘qwerty,’ ‘a1b2c3’, ‘123456’), or something familiar (e.g., the name of a pet). More advanced users tweak their passwords using ’leetspeak,’ i.e., they replace one or more letters with numbers and symbols (e.g., ‘password’ becomes ‘p4s$w0rd’), or use mixed case (e.g.,’ iLoVeyOu’).”

Terrible Passwords

NordPass found the most common password across all countries polled is ‘password,’ which took the top spot from ‘123456’, the most common password in 2021 and 2020. Before 2020, the most common password in the world was ‘12345’. In the United States, the most common password of 2022 was ‘guest,’ with ‘password’ coming in fourth place. 12345 and 123456 are also on the list.  Gasti noted that several lists on the Internet include hundreds of millions of passwords leaked over the years, thus making those passwords breakable in real-time. For leetspeak and mixed-case passwords, several password-cracking programs, such as HashCat and John the Ripper, can “automatically and efficiently apply these transformations starting from a plain password,” he added. “These tools render those seemingly advanced tricks useless. Further, a bad password is one that a user uses across multiple accounts. If one of them is breached, the attacker can easily break into all other accounts protected by the same password.” Paul Kincaid, the vice president of information security at the cybersecurity firm SecureAuth, said in an email to Lifewire that selecting a password based on something within your personal life that could easily be found on one of the social media platforms. Also, he said you should never use the same password on multiple sites – if one site gets compromised and your password is exposed, then your accounts on all of the sites where you use that password will be vulnerable to compromise. “Outside of the well-known passwords, such as password, 12345, or something based on a keyboard pattern such as qazwsx—just simply adding a character or using common substitutions, such as $ for S or 0 (zero) for O (capital ‘O’) or incrementing a number at the end of a password are very common techniques that the attackers know about and utilize to compromise accounts,” he added.

Making More Secure Passwords

The best way to choose a password is to pick a string of letters and numbers that is long and random, Gasti said. For instance, he added that a password like ‘NJvJpCnG96Wz’ is “virtually impossible” to guess. Unfortunately, it is also “virtually impossible to remember,” Gasti said. A better approach is to choose a list of random words.  Sergio Tenreiro de Magalhaes, who teaches cybersecurity at Champlain College Online, said via email that you should use sentences instead of combinations of letters when choosing a password.  “Sentences are long, which makes them hard to break by trying all possible combinations of characters, and easier to memorize,” he added. “Add punctuation at the end to increase the complexity of the password. Something like ‘The full moon comes every 28 days!’ is an easy sentence to memorize; it is long (34 characters), and it has uppercase letters, lowercase letters, numbers, and symbols.” But the best password might be none at all. Kincaid said the easiest and most effective means of creating a password is to use a password manager where you can have unique and random passwords for each account.  “Also, he said, a password manager will allow you to have passwords as long as you would like,” he added. “You do not have to remember a 36-random-character password if it is stored within a password manager.”