How secure is your password? For many, the answer will be not very. Research from NordPass, developed by the team behind one of the best VPNs, NordVPN, has revealed the top 200 most common passwords for the last year, across 44 countries. This is the sixth edition of the research, with this year's instalment being the first to reveal both personal and corporate password data.
Globally, "123456" is the most common, with over 3 million uses. Add "789" onto the end of that and you get the second most common password, used by 1.6 million people. Almost half of the world's most common passwords this year are made of the easiest keyboard combinations of numbers and letters, with "qwerty", and its many variations, occupying top 20 spots.
Countries in common?
The US stands alone as "secret" tops the list here, a password not found amongst American's top choices last year. The word "password" can now be considered one of the most common and enduring passwords – year after year it ranks near the top of every country's list. In the US, it is the third most-used password, and it's number one in the UK and Australia.
1. secret
2. 123456
3. password
4. qwerty123
5. qwerty1
The study found that 78% of the world's most common passwords can be cracked in less than a second. Compared to last year (70%), the situation is getting worse. Experts have repeatedly urged internet users to make their passwords stronger but many have seemingly misunderstood the assignment.
The popularity of "qwerty" has been challenged by the similarly weak "qwerty123", now the most common password in Canada, Lithuania, the Netherlands, Finland, and Norway. In the US, this password made a huge jump this year, breaking into the top five.
Is this just a personal problem?
This year's edition of the research also examined corporate password usage. You may, or may not, be surprised to know that 40% of the most common passwords used among individuals and business representatives are the same.
There are some interesting differences however. Default passwords such as "newmember" or "admin" are more commonly used for business accounts. Passwords presumably created for new users, and meant for changing, such as "newpass" or "temppass", often get leaked because people are not big fans of changing their passwords.
"No matter if I wear a suit and tie at work or I'm scrolling through social media in my pyjamas, I am still the same person. This means that regardless of the setting I am in, my password choices are influenced by the same criteria – usually convenience, personal experiences, or cultural surroundings", says Karolis Arbaciauskas, head of business product at NordPass.
"Businesses ignoring these considerations and leaving password management in their employees' hands risk both their company's and client's security online."
Password overload
According to previous research by NordPass, a single internet user has an average of 168 passwords for personal use and 87 passwords for work use. Managing this load is simply too complicated for most and experts say it's only natural for people to create weak passwords and reuse them.
However, weak passwords created by company employees serve hackers because with brute-force, dictionary, or similar large-scale attacks, they can gain easy access to the company's IT systems. Another common scenario sees hackers break into the company using leaked personal credentials of an employee just because they used the same passwords for both personal and work accounts.
Improving your passwords
If you are worried about the strength of your password, there's no need to panic. You can very quickly improve your personal security in a few steps.
The first, and easiest step, is simply to create longer, more complex passwords. Passwords should be as long as possible, at least 20 characters long, and be a random combination of letters, numbers, and special characters. A longer password can do wonders and is a simple change. Alternatively, you can use a passphrase, which is a long string of random words.
A second easy step is never reusing passwords. Each of your accounts should have a unique password because if one account gets stolen, hackers can use the same credentials for other accounts.
These are quick and easy steps you take to instantly boost your account security. If you want to go further and have some money to spare, there are a number of password solutions available. One of these is using a password manager. Password managers allow you to easily and securely store all your passwords in one place. Autofill features mean you never have to remember passwords and many of the best password managers will generate, and remember, secure, complex passwords for you.
You can also set up 2-factor authentication (2FA), which adds an additional layer of security to your account. If your password is compromised, 2FA prevents hackers accessing your account. 2FA alerts often come to your phone and you have to approve the login before your account can be accessed.
NordVPN's plus plan includes its password manager NordPass, as well as Threat Protection Pro, Nord's cybersecurity monitoring tool, which scans for data leaks and protects against malware and phishing threats. One of the best beginner VPNs, ExpressVPN, includes its ExpressVPN Keys in its plan. The team behind one of the most secure VPNs, Proton VPN, also offers a password manager. Proton Pass is focused on privacy, and is included in the Proton Unlimited plan.
Switching to passkeys is another option. Passkeys are considered the most promising alternative to replace passwords for good. Most modern online service providers, including Google, Microsoft, and Apple, offer passkey support.
Businesses can adopt password policies in their organisations, setting up 2FA and rules for employees to protect their information. Human error is still a huge cause of cybercrime, so following these steps, and changing your password behaviour can go a long way in protecting yourself online.