The most popular passwords of 2023 are easy to guess and crack

Martin Brinkmann
Dec 26, 2023
Security

Each year, analysts at various Internet security companies release lists of the most used (and therefore best known) passwords. These lists are compiled from leaked password databases.

The passwords on these lists should serve as a warning to anyone who uses the Internet or an electronic device. The lists could just as well be titled "don't use these passwords", but is it really that simple?

Some of the most common passwords have been in the top ranks for many years and continue to be used. Are users really that resistant to improving their online security?

NordPass' Top 200 Most Common Passwords list

NordPass released its list of the top 200 most common passwords last month. The company states that it compiled the list "in partnership with independent researchers", extracting the passwords from a 4.3TB database built from publicly available leak data.

The top 10 could be from any year in the past 20 years:

  1. 123456
  2. admin
  3. 12345678
  4. 123456789
  5. 1234
  6. 12345
  7. password
  8. 123
  9. Aa123456
  10. 1234567890

The top 10 consists mostly of digit sequences. The strings "admin" and "password" are common default credentials on routers and other devices, but users also pick them voluntarily.

You may wonder about some other passwords that you expected to see higher on the list. The popular "qwerty" sits at position 25, "admin123" at 18, "user" at 20 and "demo" at 44.

According to the crack-time estimates published alongside the list, each of these passwords can be recovered in under 12 seconds. The first entry with a longer estimate is "Eliska81" at position 40, which is listed at 3 hours. Such figures depend entirely on assumptions about the hash function and the hardware: a site that stores passwords with a slow, salted hash such as bcrypt or Argon2 slows every guess down by orders of magnitude, a site that stores them in cleartext makes the estimate meaningless, and an attacker with a wordlist tries the entire top 200 within the first few thousand guesses regardless of what any estimate says.

Another common pattern appends "@123" to a base word. The list contains several examples, including "India@123" and "admin@123". The list gives these the same 3-hour estimate. Note that a nine-character password drawn from letters, digits and symbols would take far longer than "Eliska81" to exhaust at the same guess rate, so that estimate can only model the pattern itself, base word plus "@123", being tried directly rather than an exhaustive search.
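To make the crack-time figures above concrete, here is a worked Python example added for this page; it is not NordPass's methodology or code. The guess rates are assumptions chosen to illustrate orders of magnitude, the wordlist and rules are constructed here, and the sample "dump" consists of unsalted SHA-1 hashes of entries quoted from the list. It shows two things the text alone does not: the 3-hour figure for "Eliska81" is what an exhaustive search over 62 characters at eight positions costs at roughly 2e10 guesses per second against a fast unsalted hash, while the same search against bcrypt takes decades and the same rate needs close to a year for "India@123", so that entry's 3-hour estimate must come from trying the base word plus "@123" directly; and a handful of base words combined with a few rules recover every sample hash within two thousand guesses, which is the attack that actually matters.

```python
import hashlib
import secrets
import string

# Guess rates are ASSUMPTIONS chosen to show orders of magnitude, not
# measurements: roughly what a single GPU rig manages against an unsalted
# fast hash (MD5/SHA-1) versus a deliberately slow one (bcrypt).
RATE_FAST_HASH = 2e10   # guesses per second, unsalted fast hash
RATE_SLOW_HASH = 1e5    # guesses per second, bcrypt at a typical cost factor

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password):
    """Size of the smallest standard ASCII alphabet containing the password.
    Non-ASCII characters are not modelled."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def keyspace(password):
    """Guesses needed to exhaust every string up to this length over this alphabet."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password, rate):
    """Worst-case exhaustive-search time at the given guess rate."""
    return keyspace(password) / rate


# --- pattern-based attack: the attacker never exhausts anything -------------
# Constructed wordlist and rules covering the patterns the article describes:
# digit runs, a base word (as-is / Capitalised / UPPER) and the suffixes
# "123", "@123" and two trailing digits.
BASE_WORDS = ["admin", "password", "user", "demo", "india", "eliska"]
DIGIT_RUNS = ["123456", "1234", "12345678", "123456789", "12345",
              "123", "1234567890", "1234567"]
SUFFIXES = ["", "123", "@123"] + [f"{i:02d}" for i in range(100)]


def candidates():
    """Yield guesses in the order an attacker would try them: cheapest first."""
    yield from DIGIT_RUNS
    for word in BASE_WORDS:
        for form in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                yield form + suffix


def sha1_hex(text):
    # Unsalted SHA-1 stands in for the weak storage many leaked dumps used.
    return hashlib.sha1(text.encode()).hexdigest()


def recover(target_hashes, guesses):
    """Return {hash: (plaintext, guess_number)} for every hash recovered."""
    pending = set(target_hashes)
    found = {}
    for n, guess in enumerate(guesses, start=1):
        h = sha1_hex(guess)
        if h in pending:
            pending.remove(h)
            found[h] = (guess, n)
            if not pending:
                break
    return found


# Constructed sample "dump": hashes of entries quoted from the NordPass list.
TARGETS = ["123456", "admin", "password", "admin123",
           "Eliska81", "India@123", "admin@123"]


def demo_crack():
    """Map each target plaintext to the guess number that recovered it."""
    hashes = [sha1_hex(p) for p in TARGETS]
    found = recover(hashes, candidates())
    return {found[h][0]: found[h][1] for h in hashes if h in found}


def manager_password(length=16):
    """A random password of the kind a password manager generates (OS CSPRNG)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["123456", "Eliska81", "India@123", manager_password()]:
        fast = seconds_to_exhaust(pw, RATE_FAST_HASH)
        slow = seconds_to_exhaust(pw, RATE_SLOW_HASH)
        print(f"{pw:20} exhaustive: {fast / 3600:12.2f} h (fast hash) "
              f"{slow / SECONDS_PER_YEAR:14.1f} y (bcrypt)")
    for pw, n in demo_crack().items():
        print(f"{pw:20} recovered by guess #{n}")
```

The exhaustive-search numbers are the upper bound nobody pays: the `recover` loop finds all seven sample hashes in under 2,000 guesses, because they follow patterns. A 16-character manager-generated password, by contrast, is out of reach even for the fast-hash rate, and salting would additionally stop one guess from being checked against every hash in the dump at once.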

Hasso Plattner Institut: most popular German passwords

The Hasso Plattner Institut publishes its list of the most popular leaked passwords in Germany each year, again drawn from publicly available leak data.

Here is the top 10:

  1. 123456789
  2. 12345678
  3. hallo
  4. 1234567890
  5. 1234567
  6. password
  7. password1
  8. target123
  9. iloveyou
  10. gwerty123

These passwords are not particularly difficult to crack either.

Are there explanations for the continued use of weak passwords?

Most of the popular leaked passwords have one thing in common: they are easy to remember and to type. Users who don't use a password manager tend to select weaker passwords. Many also reuse the same password across accounts, which makes them an easy target: one leaked password then opens every account that shares it, which is exactly what credential-stuffing attacks exploit.

It would go too far to classify all of these users as unwilling to learn and end the analysis there.

One explanation for the continued use of weak passwords is that users divide their accounts into important and unimportant ones and invest in security only for the former. Important accounts include banking and finance, social media, gaming platforms and shopping accounts.

Throwaway accounts fall on the other side. Many sites require registration before content can be accessed; if you only want to read something once, you are unlikely to spend much thought on a secure password.

Similarly, an account that is not linked to a user's identity and is effectively "read only" may not seem to warrant Fort Knox grade security.

Another explanation looks at how the leaked databases themselves are compiled. Many leaks contain password hashes rather than cleartext, and analysts recover the plaintext by running the same dictionary and rule attacks that attackers use. Weak passwords are precisely the ones that get recovered, so they are overrepresented in any "most common" list, while stronger passwords from the same dump remain uncracked and uncounted.

The ranking therefore needs to be put in relation to the whole dump. Is the share of hashes that the analysts could not recover stagnating, decreasing or increasing from year to year? That figure would say more about user behaviour than the top 10 does.

What you may do to protect all of your accounts

The most common advice is to use a password manager. These are available as free and paid solutions, with varying degrees of convenience and feature support.

Some password managers are available on nearly any platform; Bitwarden is one example, but there are others.

While it takes a bit of effort to get the password manager installed on all devices, everything after the initial setup is almost automated. When you create a new account and password on one device, it gets synced to all other devices automatically.

There are limitations. You can't run (most) password managers on Smart TVs, which makes typing streaming service account passwords that are secure a nuisance.

Still, with a password manager you can create a unique, strong password for every service. Even a throwaway account then has a password that will never be cracked, and, more importantly, a leak of that account exposes nothing that works anywhere else.

Passkeys are an emerging standard, built on FIDO2/WebAuthn, that will replace passwords in some places rather than everywhere. A passkey is a cryptographic key pair: the private key stays on the user's device (or in a synced keychain) and the server stores only the public key, so a breach of the server yields nothing an attacker can crack or replay, and because the key is bound to the site's origin it cannot be phished. Users authorize sign-ins with the device's PIN, biometrics or a hardware security key such as Google's Titan.

Now You: how do you handle password security on your devices?


Comments

  1. Anonymous said on December 27, 2023 at 5:20 pm

    > All of these passwords have in common that brute force cracking runs take less than 12 seconds to find these passwords. The first password that requires a longer attack is “Eliska81”. It is at position 40 and requires 3 hours to get cracked.

    > Another common type of password appends “@123” to a basic name. The list contains several examples of that, including “India@123” and “admin@123” as examples. These do take 3 hours to brute force as well.

    No, this is not correct and not a good representation of the dangers of password cracking. 12 seconds? 3 hours? On what hardware are you talking about? What kind of hash and stretching and salt algorithms were used? You can’t measure the difficulty of cracking passwords in time, you need to take the system as a whole to understand security in any meaningful way. Also, “brute-forcing” is about trying every possibility, so every password would have an equal likelihood of being cracked at any time.
    However, nobody ever brute-forces password hashes; any hacker that is brute-forcing hashes has already failed. Brute-forcing passwords is the absolute last resort if everything else has failed and only works if one has astronomical computing power and incredible amounts of capital (in other words, the government).

    Finally, who cares that common passwords exist, this article says nothing about how many people are using these passwords.

    1. Cindy Talbert said on January 15, 2024 at 6:02 pm

      But if someone wants in bad enough, they won’t give up! They will keep on trying until they get that password!

  2. TelV said on December 26, 2023 at 1:29 pm

    You’ve got to be completely off your rocker to be using insecure passwords in this day and age. Yet I know people who use the same password for every single account they have. Add to that they don’t cover the terminal with their hand when withdrawing cash from an ATM even if somebody they don’t know is standing right next to the machine. Crazy.

  3. The Developer said on December 26, 2023 at 1:17 pm

    If this article is actually true (which is questionable), it suggests a significant issue with poorly designed software that permits insecure passwords. Additionally, I question the accuracy of these lists. For instance, one of the alleged common “German” passwords is “qwerty123.” However, on a German keyboard, the “Y” and “Z” keys are swapped, making the equivalent sequence “qwertz123.” This discrepancy casts doubt on the article’s credibility, leading me to suspect it might be clickbait.

    1. henry said on December 27, 2023 at 4:28 pm

      Clickbait or not, its message is true. I use KeePass set to 32 chars default length and no password is reused. I also use Dvorak so qwerty is harder to type, but aoeuidhtns is not a secure password either.

  4. Tom Hawack. said on December 26, 2023 at 10:48 am

    I don’t understand. Warnings are regularly published, here and on many other sites, even media (radio, TV) mention the problem of simplistic passwords, and yet the beat goes on. Browsers offer native password managers, dedicated password management extensions offer easy to use 1-click login, external applications exist as well …

    What explains it all? Laziness, irresponsibility and/or the mental incapacity to establish a relationship between what is feasible on the user's side and the consequences of not doing it: hacking, identity theft, real issues far more dramatic than using a dedicated tool to create a strong password and retrieve it with a click.

    Hopeless as it seems given this is not a recent problem, given it’s been brought to the attention of all for years, given so many, too many of us continue to be deaf and blind.

    1. pHROZEN gHOST said on December 26, 2023 at 1:25 pm

      There is a similar issue with vaccines. They work to help the body’s immune system establish better protection for the body without the risks of the real infection. However, many people would rather believe lies than accept a truth which makes them uncomfortable.

      1. X said on December 26, 2023 at 4:43 pm

        There is also a much bigger issue with climate disruption…

      2. j.boden said on December 26, 2023 at 4:34 pm

        @pHROZEN gHOST but you should not force others to get vaxxed, or fire them because they don't get vaxxed

      3. Tom Hawack said on December 26, 2023 at 3:04 pm

        @pHROZEN gHOST, maybe, but disagreeing is not as such being blind and deaf. I don't conceive that users who avoid strong passwords do so by disagreeing that strong passwords are a basic and fundamental tool of privacy and security. Beyond a hysterical refusal of vaccines (which is often incorporated in a wide, wild, often conspiracy-led anti-system dogma) there are serious arguments shared by several medical doctors themselves that develop a rational approach to the validity of the very vaccination concept. But I guess that's another topic.

  5. Anonymous said on December 26, 2023 at 8:05 am

    The brain laziness of these people deserves it. Can't believe it.
