Why Are We Still Using Bad Passwords? 123456 is the worst password of 2023. Users have chosen 123456 on more than 23 million breached accounts, even though it takes less than a second to crack. NordPass, the sponsor of the paper, claims that the popularity of 123456 has made it the #1 cracked password for 3 of the last 5 years. In 2019, 12345 from “Spaceballs” overtook it, and “password” did the same in 2022.
Only 2 of 2023’s top 25 passwords will resist an attacker for more than 10 seconds. The 17th most common password, “admin123”, can withstand cracking attempts for a whole 11 seconds. The most secure password in the top 25, “Pass@123”, can fend off an attack for 5 minutes.
| Rank | 2019 | 2020 | 2021 | 2022 | 2023 |
|---|---|---|---|---|---|
| 01 | 12345 | 123456 | 123456 | password | 123456 |
| 02 | 123456 | 123456789 | 123456789 | 123456 | admin |
| 03 | 123456789 | picture1 | 12345 | 123456789 | 12345678 |
| 04 | test1 | password | qwerty | guest | 123456789 |
| 05 | password | 12345678 | password | qwerty | 1234 |
| 06 | 12345678 | 111111 | 12345678 | 12345678 | 12345 |
| 07 | zinch | 123123 | 111111 | 111111 | password |
| 08 | g_czechout | 12345 | 123123 | 12345 | 123 |
| 09 | adst | 1234567890 | 1234567890 | col123456 | Aa12345 |
| 10 | qwerty | senha | 1234567 | 123123 | 1234567890 |
| 11 | 1234567890 | 1234567 | qwerty123 | 1234567 | 1234567 |
| 12 | 1234567 | qwerty | 000000 | 1234 | 123123 |
| 13 | Aa123456. | abc123 | 1q2w3e | 1234567890 | 111111 |
| 14 | iloveyou | Million2 | aa12345678 | 000000 | Password |
| 15 | 1234 | 000000 | abc123 | 555555 | 12345678910 |
| 16 | abc123 | 1234 | password1 | 666666 | 000000 |
| 17 | 111111 | iloveyou | 1234 | 123321 | admin123 |
| 18 | 123123 | aaron431 | qwertyuiop | 654321 | 1111 |
| 19 | dubsmash | password1 | 123321 | 7777777 | P@ssw0rd |
| 20 | test1 | qqww1122 | password123 | 123 | root |
| 21 | princess | 123 | 1q2w3e4r5t | D1lakiss | 654321 |
| 22 | qwertyuiop | ompop | iloveyou | 777777 | qwerty |
| 23 | sunshine | 123321 | 654321 | 110jp110jp | Pass@123 |
| 24 | BvtTest123 | 654321 | 666666 | 1111 | 112233 |
| 25 | 11111 | qwertyuiop | 987654321 | 987654321 | 102030 |

Source: NordPass
How can I keep my passwords safe?
Your password should have at least 12 characters
A longer password with more characters is better. It gives a hacker more combinations to try. Some sites may require a certain number of characters in your password, but generally, a password with at least 12 characters is a safe bet.
Use numbers, symbols, uppercase and lowercase letters
The more variety you have, the better. Be sure to include numbers, symbols, capital and lowercase letters. Make everything as random as possible to keep the hackers out. For example, a password like ‘S#w%i&n(g967’ would be much more difficult to crack than ‘swing967.’
Avoid using any single word as a password. It’s too easy for a hacker to take one lucky guess from a common dictionary, like ‘dog’ or ‘banana.’ Even a password like ‘freeride’, which combines two dictionary words, is too simple.
Don’t use substitutions
Avoid replacing letters with common symbols; it can weaken your password. For example, if you want to use the word ‘lucky’, writing it as ‘1ucky’ does not help: the substitution is too obvious, because the digit 1 and the letter L look too similar, and cracking tools try these swaps automatically.
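The three rules above (length, character variety, no dictionary words or leet substitutions) can be checked mechanically. The script below is an added example, not code from NordPass or from this blog: it scores a candidate password by the brute-force search space implied by its length and alphabet, undoes the common letter-for-symbol substitutions before matching against a dictionary, and rejects anything that appears on a blocklist seeded from the top-25 table above. The guess rate of 10 billion per second, the small word list and the blocklist are all constructed assumptions for illustration; a real policy checker would load a full breach corpus and dictionary.

```python
import math
import re

# Assumed offline guess rate (hypothetical figure for illustration; real rates
# depend on the hash algorithm and the attacker's hardware).
GUESSES_PER_SECOND = 1e10

# Constructed blocklist seeded from the top-25 lists above; a production
# checker would load a full breach corpus.
COMMON_PASSWORDS = {
    "123456", "admin", "12345678", "123456789", "1234", "12345", "password",
    "123", "qwerty", "admin123", "P@ssw0rd", "Pass@123", "111111", "000000",
    "iloveyou", "root", "654321", "112233", "102030",
}

# Constructed mini dictionary; a real checker would use a full word list.
DICTIONARY = {
    "dog", "banana", "free", "ride", "swing", "lucky", "password", "admin",
    "love", "pass", "word", "root", "test",
}

# Common "leetspeak" substitutions, undone before dictionary matching so that
# "1ucky" is recognised as "lucky" and "P@ssw0rd" as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

# Character classes and the alphabet size each one adds for a brute-force attacker.
CLASS_PATTERNS = {
    "lower": (r"[a-z]", 26),
    "upper": (r"[A-Z]", 26),
    "digit": (r"[0-9]", 10),
    "symbol": (r"[^A-Za-z0-9]", 33),  # printable ASCII punctuation
}


def char_classes(pw: str) -> set[str]:
    """Which of the four character classes the password uses."""
    return {name for name, (pat, _) in CLASS_PATTERNS.items() if re.search(pat, pw)}


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker must cover for this password."""
    return sum(CLASS_PATTERNS[name][1] for name in char_classes(pw))


def brute_force_bits(pw: str) -> float:
    """Upper bound on strength: bits needed to enumerate every string of this length and alphabet."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def dictionary_words(pw: str) -> list[str]:
    """Dictionary words (3+ letters) present after lower-casing and undoing leet substitutions."""
    normalised = pw.lower().translate(LEET_MAP)
    return sorted(w for w in DICTIONARY if len(w) >= 3 and w in normalised)


def assess(pw: str) -> dict:
    """Apply the page's rules and estimate crack time under the assumed guess rate."""
    reasons = []
    if pw in COMMON_PASSWORDS:
        reasons.append("common")  # an attacker tries the breach list first
    if len(pw) < 12:
        reasons.append("too short")
    missing = set(CLASS_PATTERNS) - char_classes(pw)
    if missing:
        reasons.append("missing " + ", ".join(sorted(missing)))
    words = dictionary_words(pw)
    if words:
        reasons.append("dictionary: " + ", ".join(words))
    # A listed password falls on the first guess; otherwise use the brute-force
    # bound, which overstates strength whenever dictionary words were found.
    guesses = 1 if "common" in reasons else charset_size(pw) ** len(pw)
    return {
        "bits": round(brute_force_bits(pw), 1),
        "seconds": guesses / GUESSES_PER_SECOND,
        "reasons": reasons,
        "verdict": "accept" if not reasons else "reject",
    }


if __name__ == "__main__":
    for candidate in ["123456", "Pass@123", "freeride", "1ucky", "swing967", "S#w%i&n(g967"]:
        print(candidate, assess(candidate))
```

The point the numbers make is that the charset arithmetic is only an upper bound: ‘Pass@123’ uses all four character classes and would need roughly 6.6 million billion guesses to brute-force, yet it sits on the blocklist and falls on the first guess, which is why a wordlist check has to come before any entropy calculation.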
Choose a passkey over a password
Whenever possible, opt for passkeys instead of passwords. Passkeys, which are unique cryptographic credentials stored on your device, offer more security and are less prone to breaches. Companies such as Amazon, Apple, Google, and Microsoft are increasingly supporting passkeys as a safer alternative.
rb-
We should approach NordPass’ findings with caution, because the company is not very transparent about its methodology. The presser said the passwords were “compiled in partnership with independent researchers specializing in researching cybersecurity incidents. They evaluated a 4.3TB database extracted from various publicly available sources…”
There are some suspicious trends in NordPass’s data. English words make up all of the recognizable passwords in the top 25. Quite a feat for over 24 billion credentials breached since 2016. Many others are numerical strings or the result of typing nearby keys on a QWERTY keyboard. Despite these issues, the report makes for interesting geek reading.
Ralph Bach has been in IT for a while and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me on Facebook. Email the Bach Seat here.