The most popular passwords of 2023 are easy to guess and crack

Each year, analysts at various Internet security companies release lists of the most used (and known) passwords. These lists are based on leaked password database data.

The passwords that are on these lists may act as a warning for any Internet and electronic device user. It should have the title "don't use these passwords", but is it really that simple?

Some common passwords have been used for ages and they continue to be used. Are users really resistant to improving their online security?

NordPass' Top 200 Most Common Passwords list

NordPass released a list of top 200 common passwords last month. The company states that it compiled the list "in partnership with independent researchers". The analysis extracted passwords from a 4.3TB database that has been fed with data from publicly available sources.

The top 10 could be from any year in the past 20 years:

1. 123456
2. admin
3. 12345678
4. 123456789
5. 1234
6. 12345
7. password
8. 123
9. Aa123456
10. 1234567890

Mostly numbers in the top 10. The strings "admin" and "password" are common default passwords for certain devices, but they are also widely used by users.

You may wonder about some other passwords that you expected to be higher on the list. The popular "qwerty" password is on position 25, There is also "admin123" on 18, "user" on position 20 and "demo" on position 44.

All of these passwords have in common that brute force cracking runs take less than 12 seconds to find these passwords. The first password that requires a longer attack is "Eliska81". It is at position 40 and requires 3 hours to get cracked.

Another common type of password appends "@123" to a basic name. The list contains several examples of that, including "India@123" and "admin@123" as examples. These do take 3 hours to brute force as well.

Hasso Plattner Institut: most popular German passwords

The Hasso Plattner Institut releases its list of the most popular leaked passwords in Germany each year. The data comes from publicly available sources.

Here is the top 10:

1. 123456789
2. 12345678
3. hallo
4. 1234567890
5. 1234567
6. password
7. password1
8. target123
9. iloveyou
10. gwerty123

These passwords are not particularly difficult to crack either.

Are there explanations for the continued use of weak passwords?

Most of the popular leaked passwords have one thing in common: they are easy to remember and to type. Computer and electronic device users who don't use password managers have a tendency of selecting weaker passwords. Many reuse the same password over and over as well, which makes them a lucrative target.

It would go too far to classify all of these users as resistant to learning and be done with the analysis.

One explanation for the continued use divides accounts into important and unimportant ones. Important accounts benefit from improved security. These can be banking or finance accounts, social media accounts, gaming platform accounts or shopping accounts.

Services that don't require as much security may include throwaway accounts. Many sites require registration before content can be accessed. If you just want to access content once, you may not spend much thought on a secure password.

Similarly, any account that is not really linked to a user's identity and "read only" may not require a Fort Knox grade of security.

Another explanation looks at the leaked password databases. It is easier for analysts to brute force weak passwords or use dictionaries to identify previously leaked cleartext password.

The result needs to be put into relation to the entire list of passwords. Is the percentage of passwords that the analysts could not create stagnating, decreasing or increasing?

What you may do to protect all of your accounts

The most common advice is to use a password manager. These are available as free and paid solutions, and have varying degrees of comfort and feature support.

Some passwords managers are available on nearly any platform. Bitwarden is such an example, but there are others.

While it takes a bit of effort to get the password manager installed on all devices, everything after the initial setup is almost automated. When you create a new account and password on one device, it gets synced to all other devices automatically.

There are limitations. You can't run (most) password managers on Smart TVs, which makes typing streaming service account passwords that are secure a nuisance.

Still, with a password manager, you may create unique strong passwords for any service. Even your throwaway accounts may never be cracked then, which is not too bad of a thing if you think about it.

Passkeys is an upcoming standard that won't replace passwords entirely, but in some places. The system relies on local cryptographic keys that don't require a user password anymore. Users authorize sign-ins and requests with their PIN, biometrics or hardware keys, such as Google's Titan security key.

Now You: how do you handle password security on your devices?

Source