Look, I get it. No one likes managing their passwords. It’s so much easier to use the same, simple password for every account, so when you go to sign in, you punch in a familiar phrase from muscle memory, and you’re in.
Now, the lecture: This is horrific from a security perspective. Your password is too easy to guess, which means it’s too easy for hackers to break into your accounts. And if you use the same easy-to-guess password for everything, well, you’re in for a bad time.
The most common passwords are almost all terrible
You don’t have to take my word for it: For the sixth year in a row, NordPass (in collaboration with NordStellar) has released a list of the most common passwords people use on the internet. This list spans the top 200 most common passwords used across 44 countries from around the globe, based on 2.5TB of data, including information sourced from the dark web. NordPass found some of this data from passwords leaked by hackers or stolen via malware. Because most of these were tied to email addresses, NordPass could separate passwords between corporate and personal accounts, although they found this year, there were few differences between the passwords people use for work and the ones they use at home.
Looking at the most common passwords from all 44 countries studied here, many aren’t going to be surprising. The most used password, for example, used over three million times, is “123456.” The second most used, used over 1.6 million times, is “123456789.”) Number four is “password,” while three variations of “qwerty” make it into the top 20.
Some personal favorites scrolling through this list are: “dragon” (#20), “monkey” (#21), “aaaaaa” (#54), “fuckyou” (#60), “computer” #63, “trustno1” (#135), “letmein” (#144), and “cheese” (#200). If you use any of these, kudos on the amusing password. Now change it immediately.
Bad passwords can be broken in minutes (or less)
Many of these are obviously bad passwords. Using something like “password,” “123456,” or “qwerty” is simple for both humans and computers to guess. However, most of these passwords are bad, and not just because they’re commonly used. Many are simply weak passwords, structured in a way that a computer would crack quickly. In fact, most are crackable in under one second. Scrolling through the list, that becomes evident. It might take a human a long time to figure out someone’s password is 123456c, but a computer can break it almost instantaneously.
To be fair, some of these take minutes or hours more, while a few do take quite some time to break: “111222tianya,” number 75, would take one full day to crack, while “g_czechout,” number 157, would take 12 days. But the vast majority of these passwords are almost as bad as not having a password at all.
What makes a strong and unique password?
When it comes to making good passwords, don’t choose something that means anything to you. In fact, you don’t want something that means anything to anyone: The more obscure and/or random the password, the harder it will be for a computer to crack, and it’ll probably be impossible for a human to guess.
But that doesn’t mean you need to start mashing away at the keyboard every time you make a new password. One effective method to creating strong and unique passwords is to string together a few totally random words together. Use this aging but still accurate xkcd comic’s take on the subject as a model: Cartoonist Randall Munroe demonstrates how a password like “Tr0ub4dor&3″ seems strong on the surface (a human would never guess it), but a computer could crack it fairly easily. Plus, it’s hard to remember. Connecting four random words is way harder for computers and humans alike to figure out, and you might have an easier time remembering it (the now infamous “correcthorsebatterystaple.” Change some of the letters to characters, include an underscore or two, and you’ve got a strong password cooking.
Just get a password manager already
You can read more about creating memorable passwords that are strong and unique in our guide here. Honestly though, you really only need to remember one strong and unique password, because the rest of them should be locked away in a password manager. That removes the temptations to make any of these passwords memorable: The manager remembers them, so you don’t have to. They’ll even make the passwords for you!
If you need help finding one, our sister site PCMag has a list of the best password managers they’ve tried in 2024. Of course, you can always use the free password manager that comes with your platform of choice. Apple’s new Passwords app isn’t too bad for managing your passwords across iPhone, iPad, and Mac, although it will be more limited than a dedicated third-party password manager.
Even good passwords don’t make your account secure
Passwords get too much attention anyway. You should also be coupling them with two-factor authentication on any account that supports it, preferably via an authentication app rather than a simple text message. If you have 2FA set up, a compromised password won’t be enough for hackers to break into your account: They’ll also need access to the code on your trusted device.
If companies like Apple and Google get their way, passkeys might replace the whole system altogether. Passkeys combine passwords and 2FA together into one secure system. You don’t come up a password; rather, your secondary device is the password, storing the secure passkey for you and only you to access. As long as you can authenticate yourself, you’re in. It’s a great concept, and could both simplify authentication and enhance its security. But seeing as so many of us are still using “password” for everything, we’re going to be a long time getting there.
-
-
/cdn.vox-cdn.com/uploads/chorus_asset/file/24774108/STK156_Instagram_threads_3.jpg)
-
-
-
-
-
-
