Top Common Passwords in 2024 Revealed
It’s no secret that cybercrime is on the rise, and passwords that don’t stay secret are partly to blame; 81% of hacking-related breaches involve weak or stolen passwords. And, spoiler alert, “secret” is the #1 common password for personal use.
A November report from NordPass analyzed 2.5 terabytes of publicly available data, including data from the dark web, revealing the most common passwords used in the U.S. at home and work in 2024.
Read on to see if any of your passwords are on either of the lists, why they’re so easy to crack, and how to secure your passwords.
20 Most Common Personal Passwords
Each of these took less than one second to crack.
- secret
- 123456
- password
- qwerty123
- qwerty1
- 123456789
- password1
- 12345678
- 12345
- abc123
- qwerty
- iloveyou
- Password
- baseball
- 1234567
- 111111
- princess
- football
- monkey
- sunshine
20 Most Popular Corporate Passwords
These are similar to the ones people use in their personal lives, and all but number 13 took less than a second to crack.
- password
- 123456
- qwerty123
- qwerty1
- aaron431
- password1
- welcome
- 12345678
- Password1
- abc123
- qwerty
- 123456789
- jonathon (took 3 hours to crack)
- newpass
- Password
- sunshine
- 111111
- baseball
- maggie
- soccer
How Hackers Hack Passwords
Hackers use advanced software to test billions of combinations in seconds. Here are some of their methods:
- Brute Force Attack: The attacker's software tests every possible combination of characters until it finds the right one. Short, simple passwords fall in under a second.
- Dictionary Attack: Hackers use lists of common passwords, often based on compromised databases. Words like “password” or sequences like “123456” are tested first.
- Password Spraying: This technique targets large numbers of accounts. Hackers try a single shared password against many user accounts to see if it works.
- Credential Stuffing: When hackers obtain the username and password for one account, they try the same pair on other services, counting on people having reused it.
- Phishing: Hackers trick email recipients into revealing their passwords by clicking malicious links or providing sensitive information on fake login pages.
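Password spraying and credential stuffing leave a recognizable pattern in authentication logs: one source produces failed logins across many different accounts in a short time, where a brute-force attempt hammers a single account instead. The script below is an added example (not part of the original post) that classifies sources from a few constructed log lines; the log format, the five-minute window, and the thresholds of four distinct users for spraying and five failures on one account for brute force are all assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). One source fails
# against five different accounts and then succeeds on one of them; a second
# source fails six times against the same account; a third is ordinary noise.
SAMPLE_LOG = """\
2024-11-05T10:00:01Z auth_failed user=alice src=203.0.113.5
2024-11-05T10:00:02Z auth_failed user=bob src=203.0.113.5
2024-11-05T10:00:03Z auth_failed user=carol src=203.0.113.5
2024-11-05T10:00:04Z auth_failed user=dave src=203.0.113.5
2024-11-05T10:00:05Z auth_failed user=erin src=203.0.113.5
2024-11-05T10:00:06Z auth_ok user=erin src=203.0.113.5
2024-11-05T10:01:00Z auth_failed user=frank src=198.51.100.7
2024-11-05T10:01:01Z auth_failed user=frank src=198.51.100.7
2024-11-05T10:01:02Z auth_failed user=frank src=198.51.100.7
2024-11-05T10:01:03Z auth_failed user=frank src=198.51.100.7
2024-11-05T10:01:04Z auth_failed user=frank src=198.51.100.7
2024-11-05T10:01:05Z auth_failed user=frank src=198.51.100.7
2024-11-05T10:02:00Z auth_failed user=grace src=192.0.2.9
2024-11-05T10:02:30Z auth_ok user=grace src=192.0.2.9
"""

# Assumed log line layout: "<ISO timestamp> <auth_failed|auth_ok> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth_failed|auth_ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw log text into (timestamp, event, user, src) tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], m["user"], m["src"]))
    return events


def classify_sources(events, window=timedelta(minutes=5), spray_users=4, brute_attempts=5):
    """Flag each source IP as 'spraying' (failures spread over many accounts) or
    'brute_force' (failures concentrated on one account) within a sliding window.
    Also records whether a successful login from that source followed the flag,
    which is the case a responder should look at first."""
    by_src = defaultdict(list)
    for ts, event, user, src in sorted(events):
        by_src[src].append((ts, event, user))

    findings = {}
    for src, evs in by_src.items():
        recent = deque()  # failures no older than `window` relative to the current one
        verdict, flagged_at = None, None
        for ts, event, user in evs:
            if event != "auth_failed":
                continue
            recent.append((ts, user))
            while ts - recent[0][0] > window:
                recent.popleft()
            per_user = Counter(u for _, u in recent)
            if len(per_user) >= spray_users:
                verdict, flagged_at = "spraying", ts  # many accounts, few tries each
            elif verdict is None and max(per_user.values()) >= brute_attempts:
                verdict, flagged_at = "brute_force", ts  # one account, many tries
        if verdict is None:
            continue
        success_after = any(
            e == "auth_ok" and ts >= flagged_at for ts, e, _ in evs
        )
        findings[src] = {"verdict": verdict, "success_after_flag": success_after}
    return findings


if __name__ == "__main__":
    for src, info in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The distinction matters for response: a brute-force hit is usually handled by locking or rate-limiting the one account, while a spray that ends in a successful login means the attacker guessed a password that is almost certainly one of the entries on the lists above, and that account needs its password reset and its sessions reviewed.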
Best Practices for Protecting Your Accounts
Hopefully, these steps to protect your passwords and data are second nature to you, but here is a quick reminder.
- Use strong and long passwords. Use a mix of upper- and lowercase letters, numbers, and special characters, avoiding common words or personal information. Ideally, passwords should be 12-16 characters.
- Don’t reuse the same password for multiple accounts. This limits the damage if one account is compromised.
- Use a password manager. These tools help generate and store secure passwords, eliminating the need to remember them all.
- Enable multi-factor authentication (MFA). Even if hackers obtain your password, a secondary code sent to your phone or email will block them.
- Update passwords periodically. Changing sensitive passwords at least every six months is a good habit.
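The first rule above is easy to state and easy to get wrong in practice: a password like "Sunshine2024!" satisfies every character-class rule yet is just an entry from the list above with a year and a symbol tacked on. The checker below is an added example (not the post's or NordPass's code) that applies the post's length and character-mix guidance and rejects anything whose stem is one of the forty passwords listed above; the reason codes, the optional personal-information tokens, and the choice of 12 characters as the minimum are assumptions.

```python
import re

# The two lists from the post, merged into one case-insensitive deny list.
PERSONAL = [
    "secret", "123456", "password", "qwerty123", "qwerty1", "123456789",
    "password1", "12345678", "12345", "abc123", "qwerty", "iloveyou",
    "Password", "baseball", "1234567", "111111", "princess", "football",
    "monkey", "sunshine",
]
CORPORATE = [
    "password", "123456", "qwerty123", "qwerty1", "aaron431", "password1",
    "welcome", "12345678", "Password1", "abc123", "qwerty", "123456789",
    "jonathon", "newpass", "Password", "sunshine", "111111", "baseball",
    "maggie", "soccer",
]
COMMON_PASSWORDS = {p.lower() for p in PERSONAL + CORPORATE}

MIN_LENGTH = 12  # assumed minimum, the low end of the 12-16 characters the post recommends


def check_password(password, personal_info=()):
    """Return a list of reason codes explaining why `password` is weak.
    An empty list means it passed every check. `personal_info` is an optional
    list of strings (a name, a birth year) that must not appear in the password."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")

    normalized = password.lower()
    # Strip trailing digits and symbols so "sunshine2024!" is judged as "sunshine".
    stem = re.sub(r"[\d\W_]+$", "", normalized)
    if normalized in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        reasons.append("common_password")

    if not re.search(r"[A-Z]", password):
        reasons.append("missing_uppercase")
    if not re.search(r"[a-z]", password):
        reasons.append("missing_lowercase")
    if not re.search(r"\d", password):
        reasons.append("missing_digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        reasons.append("missing_symbol")

    for token in personal_info:
        if token and token.lower() in normalized:
            reasons.append("contains_personal_info")
            break
    return reasons


if __name__ == "__main__":
    for candidate in ["secret", "Sunshine2024!", "Alice-Summer-2024!", "Correct-Horse-Battery-9"]:
        print(candidate, "->", check_password(candidate, personal_info=["alice"]) or "ok")
```

The stem check is the part a simple "must contain a digit and a symbol" policy lacks; a password manager sidesteps the whole problem by generating strings that are long, random, and unique per site, so none of these rules ever trigger.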
Despite the best precautions, a single mistake can open the door to serious cybersecurity issues. That’s why providing managed phishing and cybersecurity awareness training services for employees is a must.
“In today’s digital landscape, end users need the skills and awareness to avoid falling victim to cyberattacks,” explains Jo Bradley, PrivaPlan’s Cybersecurity Literacy and Phishing Coordinator. “Simulated phishing and training provide real-world experience, empowering employees to recognize and avoid threats. The focus is on education, not entrapment, helping users build confidence and resilience.”
Cybersecurity Awareness Training is Vital
As cybercriminal activity and data breaches continue to rise, we know that up to 90% of breaches start with a phishing email, making your users the last line of defense. With our tailored Managed Phishing Testing & Cybersecurity Awareness Training service, we’ll help you navigate the complex world of cybersecurity while staying compliant.