Most Common Passwords in 2022 Are ‘password’ and ‘123456’

Photo of a Sign In Prompt

The most common passwords used globally in 2022 are shockingly basic, and most can be cracked in less than one second by hackers, a recent study by Nord Security’s password manager NordPass said. Among them are “password” and easily guessable sequences of numbers like “123456” or “123123.”

NordPass worked with independent cybersecurity specialists and evaluated a 3-terabyte database of cybersecurity incident research across 30 countries this year.

The study noted a recurring pattern that has persisted over the years — people tend to use numbers in sequence and base their passwords on themes like current events, fashion brands, and sports.

The Top 25 Most Common Passwords in 2022

According to NordPass’s study, these are the 25 most commonly used passwords out of a list of 200. It’s safe to say that if you see one of yours on this list — or even close to it — you’d better set up a new password immediately. Unfortunately, creating and storing strong passwords has become an essential cybersecurity practice in 2022.

  1. password
  2. 123456
  3. 123456789
  4. guest
  5. qwerty
  6. 12345678
  7. 111111
  8. 12345
  9. col123456
  10. 123123
  11. 1234567
  12. 1234
  13. 1234567890
  14. 000000
  15. 555555
  16. 666666
  17. 123321
  18. 654321
  19. 7777777
  20. 123
  21. D1lakiss
  22. 777777
  23. 110110jp
  24. 1111
  25. 987654321

This year, NordPass found “password” was used nearly five million times in their sample, eclipsing all other weak passwords by a significant margin.

Though password choices have not changed much from year to year, NordPass’s 2021 sample was slightly different. Then, the password “123456” topped global rankings, and “password” was second, but number sequences were just as popular as they are now.

As such, the majority of the 200 other passwords in this year’s study mostly comprise number sequences starting with “123,” or variations like a string of zeros, ones or other numbers. Other weak examples included “iloveyou,” “football,” and “samsung.”

Most Passwords Can Be Cracked in Less Than One Second

NordPass said most of the passwords in the top 200 list could be cracked — or hacked — in less than one second. Some, like “guest” and “col123456,” take around ten seconds, while others, like “Groupd2013”, can take up to three hours.

However, longer passwords such as “9136668099” take four days to crack, the study showed. This is evidence that passwords that are ten characters or longer — but not in a typical sequence — are immeasurably safer.

Current Events Affect User Password Choice

According to the study, users tend to get inspired by current events when creating their passwords. “There’s more than one way to get swindled on Tinder,” NordPass said, referencing the use of the dating app as a password 36,384 times in the study. “Using ‘tinder’ as your password is more risky than swiping right on a billionaire.”

Users were also inspired by events like the Oscars resulting in the password “Oscars” being used 62,983 times. Popular films and shows such as Encanto, Euphoria, and Batman which were released between 2021 and 2022 are still popular password choices, NordPass said. For instance, the password “batman” was used 2,562,772 times.

“While the worst passwords may change every year, human beings are creatures of habit. Every year, researchers notice the same pattern — sports teams, movie characters, and food items dominate every password list,” the study said.

The Dangers of Password Reuse

Using easily guessable credentials is one thing, but reusing them across multiple accounts can spiral into large-scale hacking campaigns and personal compromise. A recent study by password manager Dashlane said over 50 percent of passwords are reused globally.

For instance, hackers can breach millions of accounts by “stuffing” websites with stolen, weak credentials via automated programs — a.k.a a credential stuffing attack. Credential lists can often end up for sale on the dark web, which can easily be purchased by anyone in exchange for cryptocurrency.

In one such case in September, hackers were able to breach Microsoft Exchange servers — used by millions of enterprises worldwide primarily for email —  and deploy malicious applications onto these servers to target users with phishing emails which can lead to financial theft or identity fraud.

Another example — and among the biggest cybersecurity incidents to make the news this year — was this month’s Australian Medibank hack, which the company’s CEO said may have been caused by a stolen password.

Password security is vital. To make ill-intentioned hackers’ lives more difficult, we recommend a password manager like NordPass, which can store all of your passwords in a secure locker as well as create complex and secure passwords for your accounts.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.