People Are Still Using the Dumbest Passwords Available


Multiple reports based on dark web data list “password,” “admin,” “123456,” and more as some of the most common passwords scraped up by hackers.

A sticky note on a laptop keyboard reading "my password 123456"
If you were under the assumption that people would have stopped using “123456” as their password in 2022, you would be sorely mistaken.
Photo: Vitalii Vodolazskyi (Shutterstock)

If you were thinking that most people would have learned by now not to use “password” as the password for their sensitive systems, then you would be giving too much credit to the general scrolling public.

Cybersecurity researchers from Cybernews and password manager company NordPass both independently reported this week on data surrounding the most commonly-used passwords. Trying to discern the frequently used words, phrases, and numbers among the general public wouldn’t be simple if it weren’t for the troves of leaked passwords being sold on the dark web.

In a release sent to Gizmodo, Cybernews said it based its data on a list of 56 million breached or leaked passwords in 2022, found via databases on darknet and clearnet hacker forums. Some of the most-used passwords were exactly what you would expect: easy-to-remember junk passwords for company accounts, with “123456,” “root,” and “guest” all sitting pretty in the top three.

NordPass, on the other hand, listed its top passwords by country and the supposed gender of the user. In their case, “password” sat in the number one spot for most-used password throughout the globe. Some countries had very specific passwords that were commonly used, such as “liverpool” being the number 4 most-used password in the UK despite it being 197 in the world. The number 2 most-used password for Brazil accounts is “Brasil” while in Germany, number 5 is “hallo.”

In an email to Gizmodo, NordPass said the list of passwords was built by a team of independent researchers who compiled 3TB of data from listings on the dark web, including some data that was leaked in data breaches that occurred in 2022. The company noted that some data might be from late 2021, though the passwords were listed on the dark web in the new year.

Cybernews also mentioned that 22% of passwords recovered from the dark web used only lowercase letters. Another 38% used only lowercase letters and numbers. Most cybersecurity researchers recognize such passwords as far from safe against brute-force password attacks.
Graphic: Cybernews

Other than that, passwords were ranked simply by how often they were used in these listings. NordPass noted that many passwords were just a single word, which is one of the easiest kinds of passwords to crack, and for somebody with a knowledge of common passwords, it might not even require brute force or other cracking tricks. Company names were even listed in some passwords, which may point to laypeople taking the name of their device, or companies themselves using lax password security practices. Cybernews’ research also noted nearly 25% of the passwords they found only used eight characters. Somewhere around 16% used just four.

Any new password a user creates should be much longer than one word—at least 12 characters—should use upper and lowercase letters, numbers, and symbols, and should avoid any of the common words or simple phrases. Cybernews noted that only a little more than half of the passwords the team scrutinized were simple unique words often associated with major brands or teams. Though most passwords are “hashed,” as in they’re scrambled by algorithms to make it unclear to anybody breaching a system what the password is, the issue is that bad actors can understand how a commonly-used password is hashed, making it that much easier to break.
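
The guidance above can be applied when a password is set and when it is stored. This is an added example, not code from Cybernews, NordPass or this article; the function names, the sample deny-list and the PBKDF2 work factor are assumptions made for the sketch.

```python
import hashlib
import hmac
import os
import string

# Constructed deny-list: a small sample of the terms this article lists.
COMMON_TERMS = {"password", "123456", "admin", "root", "guest", "qwerty",
                "111111", "123123", "apple", "google", "starwars", "liverpool"}
PBKDF2_ROUNDS = 600_000  # assumption: work factor chosen for this example


def screen_password(candidate):
    """Return the reasons a candidate fails the guidance above ([] = accepted)."""
    problems = []
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    classes = {
        "lowercase letter": any(c.islower() for c in candidate),
        "uppercase letter": any(c.isupper() for c in candidate),
        "number": any(c.isdigit() for c in candidate),
        "symbol": any(c in string.punctuation for c in candidate),
    }
    problems += [f"no {name}" for name, present in classes.items() if not present]
    # Case-insensitive substring match, so "Liverpool2022!" is still caught.
    hits = sorted(term for term in COMMON_TERMS if term in candidate.lower())
    if hits:
        problems.append("contains common term(s): " + ", ".join(hits))
    return problems


def unsalted_digest(password):
    """Fast unsalted hash: every account using this password stores the same value."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Per-account random salt plus a slow KDF: equal passwords store differently."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


def verify(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_record(password, salt)[1], key)
```

Salting and a slow key-derivation function do not rescue a password that sits on a common-password list, which is why the screening step runs before anything is stored.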

Click through the slides to see a list of some of the most-used passwords included from both reports, including some truly inane and bizarre passwords used by thousands.

Dumbest default passwords

A wall panel with several blank notes and one reading password: qwerty
“QWERTY” was listed as one of the most used passwords in the U.S. by NordPass in 2022.
Photo: BeeBright (Shutterstock)

Both Cybernews and NordPass mentioned that some of the most stereotypically idiotic passwords are still being picked up by hackers in the year of our Lord 2022. For all that is holy, there’s no reason to use “password” or “123456” for any account, whether it’s for personal or general use.

NordPass does not include exact figures for some of these results, but lists them as some of the most-used passwords scraped up from the dark web. Top dumb defaults included:

  • password
  • 123456
  • admin
  • root
  • guest
  • service
  • 111111
  • 123123
  • qwerty

Passwords by potty mouths

A jar with money sitting inside it with the words swear jar on its outside.
Photo: Grega2205 (Shutterstock)

NordPass noted that the word “fuck” had been used in 21,223,795 passwords recovered from the dark web. Cybernews similarly found that “ass” was recovered in 292,869 passwords.

Interestingly enough, some passwords such as “bobo” or “puta” are Spanish insults that were counted well over a million times each in the datasets used by the researchers for NordPass.

Some of the worst offending expletives included:

  • fuck
  • ass
  • bitch
  • asshole
  • tit
  • shit
  • sex
  • xxx
  • butt
  • dick

Please stop using a company name as your password

The apple logo being reflected on a shining surface
Apple was one of the top-listed passwords compared to other company names by Cybernews.
Photo: Feline Lim (Shutterstock)

If you think this would be obvious, then you obviously never spent time at a company in a small town run by folks who may be too old to really understand the basics of cybersecurity.

Some of the most-abused company names appearing in passwords on the dark web include:

  • apple
  • amr
  • yahoo
  • aes
  • aon
  • dell
  • gap
  • nike
  • google
  • emc

Please don’t use a sports team as a password

Vidal Brujan wearing a red sox uniform stands on a plate gesturing with his hands
The Boston Red Sox were one of the most listed sports teams being used for passwords.
Photo: Winslow Townson (Getty Images)

As much as some users might think using a (supposedly) anonymous code to unlock an account or device is a good way to support their favorite team, it really isn’t. NordPass noted Red Star Belgrade, a Serbian soccer club, was used 58,554,280 times in the passwords they recovered. Coming close behind were the Detroit Red Wings and Boston Red Sox, which were both used over 36,000,000 times. Similarly, Cybernews reported that basketball teams including the Miami Heat, Sacramento Kings, and Phoenix Suns were all put through their paces in stolen passwords.

Some of the worst offenders include:

  • Red Star Belgrade
  • Detroit Red Wings
  • Boston Red Sox
  • Columbus Blue Jackets
  • Toronto Blue Jays
  • FC Roma
  • Inter Milan
  • Real Madrid
  • Phoenix Suns
  • Orlando Magic
  • Tampa Bay Rays
  • Utah Jazz
  • Los Angeles Lakers
  • New York Rangers

Video game titles make for bad passwords

A person plays Dota 2 on a laptop
“Dota” makes for a terrible password for many reasons.
Photo: Pryimak Anastasiia (Shutterstock)

If you were going to use a video game as a password, you might as well use something long, like Naruto Shippuden Ultimate Ninja Storm 4: Road to Boruto or even Peter Jackson’s King Kong: The Official Game of the Movie.

Unfortunately, NordPass reported that many passwords scraped by hackers included:

  • arma (based on the Arma first-person military simulator series)
  • nba
  • rust
  • raft
  • gta (the Grand Theft Auto series)
  • destiny
  • sims
  • fifa
  • forza
  • dota

Movie names and famous media franchises are also terrible passwords

A promotional stand for the movie Coco
Coco is a great movie, but makes a terrible password.
Photo: Sarunyu L (Shutterstock)

How many people saw and liked the 1994 film Leon: The Professional? Well, apparently it was enough that it took NordPass’ number one spot for most-used password based on a movie. Then again, a hell of a lot of people like the Disney movie Coco (and who can blame them?).

Here’s a small helping of the worst offenders:

  • leon
  • coco
  • joker
  • matrix
  • starwars
  • spiderman
  • alien
  • maverick (likely from Top Gun)
  • psycho
  • terminator

Using your own, or anyone’s, name in passwords is bad practice

A wall of post it notes with different names on them.
Hate to break it to you, none of these names make good passwords.
Photo: New Africa (Shutterstock)

How many people in the world have the name “Anna?” How about “Ava?” According to Cybernews, 89,494 and 78,800 people respectively used those two names for passwords. Even if this wasn’t their own name, even if it was the name of their child or the owner of their favorite corner store, it’s not worth putting a name, no matter how common, as a password, especially if it’s not used in a complex phrase. Similarly, surnames like “King” were found 70,666 times by Cybernews, while “Bell” was recorded another 62,891 times.

Some of the most-used names included:

  • Anna
  • Ava
  • king
  • Bell
  • Ella
  • Leo
  • Alex
  • Max
  • Eva
  • Jack