If your password made this list, it’s time to change it

Analysts at NordPass, the password-management services arm of digital security company Nord Security, analysed a 4TB database from across 50 countries, drawn from independent cybersecurity researchers, to create its list of 200 most commonly used ones. The list, released in November, is up on nordpass.com, so everyone can try and do better.

At the top of the global list are gems such as 123456 (used over 100 million times in 2021); 123456789 (46 million times); 12345 (32 mn); and qwerty (20 mn). These are all passwords that would take a hacker less than a second to crack.

An unusual variant, at #66, is the name Michael. Is he going around breaking hearts or taking hostages? Who knows. Names are used frequently as passwords, but most countries have a distinct list of favourites. Superman, samsung and fuckyou are among the other surprises on the NordPass global 100.

DIL HAI HINDUSTANI?

Each country has a telling list of specific passwords that are poor as far as password strength go. In India, such passwords include india123 and Indya123; names such as priyanka, sanjay, rakesh; and, particularly among women, terms of endearment such as sweetheart, lovely, and iloveyou.

In the UK, a corresponding list features liverpool1, arsenal1 and Chelsea; in France, it’s tiffany, loulou, marseille, and doudou. Loyalty and love are all very well, but they make for very poor passwords, analysts say.

So, decades into the internet revolution, why are we still going so wrong? Part of the problem is the sheer number of passwords now required by the average individual. This creates a sort of hierarchy of security efforts. One strives to protect one’s email IDs and social-media accounts, but then there’s Netflix and Amazon, grocery platforms and ticketing apps. According to NordPass, the average person uses between 80 and 100 platforms that require passwords.

This means that “unless you have a clear system, or use a password manager, there is no way to memorise all of these passwords if they are indeed lengthy and secure,” says Gediminas Brencius, head of product at NordPass. “That’s why people tend to go with easy-to-remember passwords such as 123456 or their own name, at least some of the time.”

OVER AND OVER

This year marks NordPass’s third annual list of most common passwords. Previous lists of passwords that were most insecure, most hackable etc, dating back to 2011, all show similar patterns, however.

“Clearly, human beings think very similarly when it comes to tackling this problem,” says Shivani Singh, digital security and operations manager at the digital advocacy group Internet Freedom Foundation. “Another thing that people still do is use personally identifiable information in their passwords, like a birthday or a pet’s name or an anniversary, information than be accessed in the public sphere, which makes it susceptible.”

A third bad practice is the repeat and reuse of passwords. It’s tempting to do, especially when the site one is signing up on seems relatively risk-free, say, a free game or sleep tracker.

It’s important to remember, Brencius says, that there’s a lot at stake here too. For one thing, in doing this, one jeopardises all the other accounts using that password. “Platforms that don’t hold a lot of sensitive information often have laxer security measures. So there is a higher chance that this account would get hacked or that the password / login combination could be used in credential-stuffing attacks (where hackers use compromised credentials to breach another system).”

NordPass, of course, recommends using NordPass for best results. But various other password manager tools are available. Or, you could just use your imagination. “Just make sure passwords are strong and unique,” Singh says. “People are now using passphrases, for instance, like a favourite quote or lyrics from a song.”