According to NordPass’ latest list of top 200 most common passwords in 2022, “password” is the most popular choice, followed by “123456”, “123456789”, “guest” and “qwerty”.
2022 is ending and 2023 is almost upon us, but despite yearly entreaties to users to up their password game, weak and often (re)used passwords are obviously still a problem.
Common passwords depend on users’ language and culture
The entire list of top 200 most common passwords in 2022 can be viewed here, and the passwords have also been categorized by country to show more localized (poor) choices.
Even a casual survey of each of those lists shows specific tendencies: people choose passwords based on what’s easy (e.g., “qwerty”), what they like (movies, sports, food, fashion brands, artists, etc.), and what’s popular (at the time or in general). Also, they like using first names and swear words as passwords.
As was previously noted by other researchers, language and culture affect how users in different countries choose passwords.
The various lists also reveal some unusual popular password choices. For example, number 21 on the top 200 global list is “D1lakiss” (an expression for which no obvious reference can be found online). Even weirder: number 1 on the Israel top 200 list is “sha256” (SHA-256 is a hash algorithm/function). Why would anyone who knows what a cryptographic algorithm is choose that particular expression as an (extremely weak) password?
But setting aside these and several other peculiar entries that might suggest these lists – though “compiled in partnership with independent researchers specializing in research of cybersecurity incidents” – do not accurately reflect the situation on the ground, I think there can be no doubt that too many people make poor password choices.
The whys behind poor password choices
There are many reasons, but most of them can be boiled down to users either:
- Not caring about digital security
- Not knowing enough about technology and digital security to make the right choice
- Being discouraged and thinking that no matter the good security choices they make, some things are out of their hands (think: data breaches and theft of poorly encrypted passwords)
Since making secure choices while going about our digital lives is often made difficult by digital gatekeepers, lecturing users on poor password choices seems like a futile endeavor. Nevertheless, users should strive to make the best security choices they can make.
In regards to passwords, this still means:
- Choosing a unique, complex and long password for each account
- Deleting accounts you are not using anymore
- Regularly checking if any of your passwords has been compromised
- Opting to use a password manager to come up with, save, and use a multitude of unique, strong passwords. (A password manager also offers protection against phishing: if you have saved credentials for a particular online service in it, it will refuse to enter them on a lookalike website)
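The refusal to fill credentials on a lookalike site comes down to comparing where the login form actually lives with where the credentials were saved. The following is an added example, not code from the article or from any particular password manager; it assumes a simplified rule of exact origin matching, and the vault entry, function names and URLs are constructed for illustration.

```javascript
// Constructed sample vault: one entry saved while on the genuine site.
const vault = [
  { origin: "https://accounts.example.com", username: "alice", password: "constructed-sample" },
];

// Reduce a page URL to its origin (scheme + host + port). The URL parser
// lowercases the host, drops default ports, discards any "user@" prefix and
// converts Unicode hostnames to punycode, so strings that look alike to a
// person compare as different values here.
function originOf(pageUrl) {
  try {
    return new URL(pageUrl).origin;
  } catch {
    return null; // not a parseable absolute URL
  }
}

// Return the saved entry only when the page's origin matches exactly.
// Assumption: exact-origin matching; real products may use looser rules.
function credentialsFor(pageUrl, entries = vault) {
  const origin = originOf(pageUrl);
  if (origin === null) return null;
  return entries.find((e) => e.origin === origin) ?? null;
}

// Constructed test pages: two genuine forms, then lookalikes.
const samplePages = [
  "https://accounts.example.com/login?next=/",    // genuine
  "HTTPS://ACCOUNTS.EXAMPLE.COM:443/login",       // genuine, different spelling
  "https://accounts.example.com.login.test/",     // real name used as a subdomain
  "https://accounts.example.com@login.test/",     // real name placed in userinfo
  "https://accounts.ex\u0430mple.com/",           // Cyrillic "a" homoglyph
  "http://accounts.example.com/login",            // same host, plain HTTP
];

function decisions(pages) {
  return pages.map((p) => [p, credentialsFor(p) ? "fill" : "refuse"]);
}

for (const [page, verdict] of decisions(samplePages)) {
  console.log(verdict.padEnd(7), page);
}
```

A person glancing at the address bar can be fooled by every one of the lookalike URLs; the string comparison cannot, which is why a manager that silently declines to autofill is itself a useful warning sign.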
Passwords are an imperfect but still widespread solution for digital authentication. Until we all go passwordless, making an effort to make good password choices and opting to enable 2-factor authentication where possible can help you avoid many problems.