NordPass annually publishes a list of the 200 most common passwords in the world, based on research from 44 countries. In this blog post we present this year’s results, based on the 2024 research, and explain how hackers exploit the fact that many people use common passwords and/or reuse their own passwords across websites. Maybe these passwords are being used by someone in your organisation?
The most common passwords in the world
We won’t list all 200 passwords here and call it a day. Instead, we will present the 10 most common passwords and give you a detailed overview of the general tendencies of the remaining list. If you are interested in reading the complete list, you can visit NordPass – where you can also compare passwords between countries and genders.
Without further ado, here are the 10 most common passwords of 2024.
The 10 most common passwords globally
The 10 most common (and worst) passwords were counted 280 million times combined during NordPass’ research:
- 123456 (same as in 2021)
- 123456789 (same as in 2021)
- 12345678 (in 2021: 12345)
- password (in 2021: qwerty)
- qwerty123 (in 2021: password)
- qwerty1 (in 2021: 12345678)
- 111111 (same as in 2021)
- 123123 (same as in 2021)
- 1234567890 (same as in 2021)
- 1234567 (same as in 2021)
These 10 passwords give us a taste of what the rest of the list has to offer as well. In fact, two thirds of the 200 most common passwords are different combinations of numbers and letters which lie next to each other on the keyboard. However, you don’t have to scroll too far down the list before you find some passwords which might surprise you.
General tendencies among the 200 most common passwords
When analysing the list, we found some patterns and recurring themes. There is, however, one password that did not relate to any of these themes but is still worth mentioning: “monkey”. This password can be spotted on most of the lists of common passwords over the last years, and it ranks surprisingly high on most of them.
Except for this honourable mention, we found that most of the remaining passwords could be placed into one of the following four groups:
Positively loaded words and phrases
Even though there are a few swear words on the list, they are by far outnumbered by positively loaded words and phrases. Some of the most popular ones are:
- iloveyou (18th vs 22nd in 2021)
- princess (52nd vs 61st in 2021)
- sunshine (57th vs 65th in 2021)
- chocolate (146th vs 161st in 2021)
- freedom (199th vs 156th in 2021)
Fun fact! When we compared men and women’s passwords, we found that the list of women’s passwords contained five times more of these words than the list of men’s passwords.
Although the password "iloveyou1", which ranked in 122nd place in 2021, has moved out of the top 200 in 2024, the rest of the above-mentioned list does not indicate that people have learned not to use easy-to-guess passwords.
Sports related words
Another tendency on the list is words related to sports:
- football (50th vs 60th in 2021)
- baseball (64th vs 91st in 2021)
- soccer (89th vs 95th in 2021)
- liverpool (105th vs 121st in 2021)
- jordan (113th vs 110th in 2021)
- basketball (141st vs not on the list in 2021)
- chelsea (195th vs not on the list in 2021)
We are once again confirming gender stereotypes: Men have 14 such passwords on their list – women only 4.
The password "football1" ranked in 153rd place in 2021, but has moved out of the list in 2024. The same tendencies are seen here as in the category of positively loaded words and phrases.
First names
…the most common being:
- michael (70th vs 66th in 2021)
- daniel (74th vs 69th in 2021)
- michelle (102nd vs not on the list in 2021)
- charlie (104th vs 96th in 2021)
- jessica (114th vs 99th in 2021)
- ashley (122nd vs 88th in 2021)
Words related to fictional universes
One last tendency on the list is words related to fictional gaming, cartoon or movie universes:
- dragon (20th vs 38th in 2021)
- superman (66th vs 81st in 2021)
- pokemon (69th vs 111th in 2021)
- starwars (112th vs 166th in 2021)
- naruto (137th vs 135th in 2021)
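The patterns above (listed words, variations such as "iloveyou1" and "football1", and runs of neighbouring keys) can be checked when a user sets a password. The following is an added example, not part of the original post or of NordPass' research; the deny-list is a small subset built from passwords quoted here, and the function names and the run length of 3 are assumptions.

```python
import re

# Deny-list seeded only with passwords quoted in this post (a constructed
# subset for illustration, not the full NordPass list).
COMMON = {
    "123456", "123456789", "12345678", "password", "qwerty123", "qwerty1",
    "111111", "123123", "1234567890", "1234567", "monkey", "iloveyou",
    "princess", "sunshine", "football", "dragon", "michael", "starwars",
}
# Keyboard rows, used to spot characters that lie next to each other.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {c: (r, i) for r, row in enumerate(ROWS) for i, c in enumerate(row)}

def base_word(pw):
    """Lowercase and strip trailing digits/symbols: 'Football1!' -> 'football'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())

def adjacent(a, b):
    """True if a and b are the same key or neighbours on one keyboard row."""
    if a not in POS or b not in POS:
        return False
    (ra, ia), (rb, ib) = POS[a], POS[b]
    return ra == rb and abs(ia - ib) <= 1

def is_keyboard_walk(pw, min_run=3):
    """True if pw consists entirely of row runs of at least min_run keys."""
    s = pw.lower()
    run = 1
    for a, b in zip(s, s[1:]):
        if adjacent(a, b):
            run += 1
        elif run < min_run:
            return False
        else:
            run = 1
    return len(s) >= min_run and run >= min_run

def reject_reason(pw):
    """Return why pw is rejected, or None if it passes these checks."""
    low, base = pw.lower(), base_word(pw)
    if low in COMMON:
        return "on common-password list"
    if base in COMMON:
        return f"variation of common password '{base}'"
    if is_keyboard_walk(low) or is_keyboard_walk(base):
        return "keyboard walk or digit sequence"
    return None
```

A password that passes these checks is not necessarily strong; the checks only rule out the specific patterns described in this post.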
How hackers exploit weak passwords
The use of common and weak passwords can pose a significant security threat for both private individuals and organisations. According to Verizon’s 2023 Data Breach Investigation Report, 86% of security breaches involve the use of stolen credentials. Two common hacking techniques which exploit the fact that many people use weak passwords are password spraying and credential stuffing.
Password spraying
One of the methods hackers use to get unauthorized access to accounts and systems is password spraying. This type of attack succeeds because many people use common passwords. To execute a password spraying attack, the hackers need a list of usernames (e.g., email addresses) and a list of common passwords (e.g., the passwords mentioned earlier in this blogpost). They then try one password (e.g., qwerty) against all the usernames on the list before moving on to the next password. If the hackers tried many passwords against one account before moving on to the next account, they would risk being caught and denied access to the account due to too many failed login attempts. The hackers therefore avoid being caught by focusing on one password at a time over a longer period.
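Because each account sees only a few failures, a per-account lockout counter never fires; a defender has to count failures across accounts instead. The following detection sketch is an added example, not part of the original post; the event format, thresholds, usernames and IP addresses (documentation ranges) are constructed assumptions.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # assumed policy: failures before an account locks
MIN_ACCOUNTS = 5       # assumed: distinct failing accounts per source to alert
WINDOW = 600           # assumed: sliding window in seconds

def build_sample():
    """Constructed events: (unix_ts, source_ip, username, success)."""
    users = ["anna", "ben", "carla", "dev", "emil", "fay"]
    events = []
    for t0 in (0, 3600):  # two spray rounds, one guess per account per round
        events += [(t0 + 2 * i, "203.0.113.7", u, False)
                   for i, u in enumerate(users)]
    # A real user mistyping their own password, then succeeding.
    events += [(100, "198.51.100.20", "greta", False),
               (110, "198.51.100.20", "greta", False),
               (120, "198.51.100.20", "greta", False),
               (130, "198.51.100.20", "greta", True)]
    return sorted(events)

def locked_accounts(events):
    """Accounts a per-account failure counter would lock (no reset: worst case)."""
    fails = defaultdict(int)
    for _, _, user, ok in events:
        fails[user] += not ok
    return {u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD}

def spray_sources(events):
    """Map source -> most distinct accounts it failed against within WINDOW."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        if not ok:
            by_src[src].append((ts, user))
    flagged = {}
    for src, rows in by_src.items():
        rows.sort()
        lo = 0
        for hi, (ts, _) in enumerate(rows):
            while ts - rows[lo][0] > WINDOW:
                lo += 1
            seen = len({u for _, u in rows[lo:hi + 1]})
            if seen >= MIN_ACCOUNTS:
                flagged[src] = max(flagged.get(src, 0), seen)
    return flagged
```

On the constructed sample no account reaches the lockout threshold, yet the spraying source is flagged with 6 distinct accounts while the mistyping user is not. Keying on source address is a starting point only, since the same count can be taken per time window across all sources.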
Credential stuffing
Another common hacking technique is credential stuffing. According to LastPass’ Psychology of Passwords report from 2022, 62% of people always or mostly use the same password or a variation. This is exploited by hackers in a credential stuffing attack. Before such an attack, the hackers have gained access to a set of credentials through e.g., a data breach or a phishing attack. These credentials are then used to gain access to the victim’s accounts.
Example of a credential stuffing attack:
Let’s imagine that one of your co-workers fell victim to a phishing attack, and that the cybercriminals behind the attack now have access to your co-worker’s login information (username + password) for their private email account. Not only will the cybercriminals now have access to this account – they can also perform a credential stuffing attack by trying this username and password combination on other websites and systems as well. If your co-worker reuses his/her passwords across these websites, the cybercriminals might gain access to several of your co-worker’s accounts. This can in turn lead to identity theft and major financial loss. And, if your co-worker uses the same passwords for their private accounts as for their work accounts, the consequences could be significant for the company as well.
How to improve your password security
Every day we log in to a number of websites and services which require a password. Over the years our passwords might become too many to remember. It is therefore easy to fall for the temptation of using simple passwords and reusing passwords across accounts. In fact, LastPass’ 2022 report shows that 62% of people who reuse passwords do so because they are afraid of forgetting them. But, as we have seen, such behaviour can be a great vulnerability for you and your company. Luckily, there are several tools and tips which can help you improve your password security!
On our blog, you can read about:
If you are interested in increasing the password security in your organisation, you can check out our course about password security here.
Awareness training can also be a great way to increase password security, as it helps the employees become more aware of their behaviour and creates a good cyber security culture in the organisation.