NordPass has published their 2024 list of the 200 most commonly-used passwords and, apparently, many people still haven't gotten the memo about password security. Is one of your passwords on this year's list? Well, probably not. NordPass' data comes from a large database of passwords, presumably passwords that have been made public after online service data breaches. A closer look at the data gives some interesting insights into both the psychology behind passwords and websites' adherence to security "best practices." But it also raises some questions about the methodology NordPass used to generate the list. The closer I looked at NordPass' annual list, the more questions I had.
This year, NordPass' crown of dishonor goes to "123456" as the world's most common password in 2024. But is it really? In this article, I'll take a look at NordPass' data, which may not be quite what's on the label, and, just for fun, I'll compare it to some recent password data of my own, collected originally for my recent A Month of Bans article.
To develop their list of the top 200 most commonly-used passwords, NordPass compiled information from a large database of publicly-available passwords. According to their findings, "123456" is the most common password in 2024. This table summarizes their top 20, along with a few lower-ranked passwords that are interesting (and discussed below).
Rank | Password | Count |
1 | 123456 | 3,018,050 |
2 | 123456789 | 1,625,135 |
3 | 12345678 | 884,740 |
4 | password | 692,151 |
5 | qwerty123 | 642,638 |
6 | qwerty1 | 583,630 |
7 | 111111 | 459,730 |
8 | 12345 | 395,573 |
9 | secret | 363,491 |
10 | 123123 | 351,576 |
11 | 1234567890 | 324,349 |
12 | 1234567 | 307,719 |
13 | 000000 | 250,043 |
14 | qwerty | 244,879 |
15 | abc123 | 217,230 |
16 | password1 | 211,932 |
17 | iloveyou | 197,880 |
18 | 11111111 | 195,237 |
19 | dragon | 144,670 |
20 | monkey | 139,150 |
50 | football | 59,656 |
69 | pokemon | 45,776 |
75 | 111222tianya | 44,313 |
87 | shadow | 42,744 |
But how current is this data? Unfortunately, we don't know. NordPass does not provide information about the timespan covered by their database. Looking through the passwords on their list, though, can give us some clues. And those clues suggest that the list may be based largely on old, maybe even very old, data.
Number 19 on the list, "dragon," is an interesting standout. It's an uncommon word, but it features prominently in NordPass' database. It is possible that this password's inclusion is related to the April 2013 breach of Dungeons & Dragons Online, which compromised the passwords of 1.5 million accounts. If so, that suggests that at least part of the data for this list is quite old.
Even more revealing are the inclusions of "111222tianya" (number 75) and "pokemon" (number 69) on this list. The former is almost certainly due to the breach of the Chinese online discussion site Tianya in December of 2011. And while Pokemon is a popular game and media franchise worldwide, the latter is likely related to breaches of four different Pokemon fan and gaming sites (Pokebip, Pokemon Creed, Pokemon Negro, and Smogon). These four breaches compromised a combined two million passwords, mostly in plain text, between 2014 and 2017.
Similarly, "monkey" (number 20), "football" (number 50), and "shadow" (number 87) might be related to more recent known hacks, between 2020 and 2023.
You might also notice that a large proportion of the common passwords are composed of only lowercase letters or only numbers. And seven of NordPass' top 200 have only five characters. These types of weak passwords would not be allowed by most online services today. In fact, it was as far back as 2014 that the US National Institute of Standards and Technology began recommending a six-character minimum length as well as "complex" passwords including numbers and special characters. (In an interesting twist of fate, NIST has since reversed this recommendation -- they now prohibit compliant sites from requiring complex passwords, though their guidelines today have more stringent password length requirements.)
Based on this reading of the data, I speculate that NordPass is using a mashup of passwords released from all known breaches, potentially going back for more than a decade. The earliest breach that the website Have I Been Pwned has archived happened in 2007, after all. If this is the case, then calling the list "The Top 200 Passwords of 2024" is quite disingenuous. NordPass uses publicity surrounding their annual password survey as a marketing tool to draw attention to its paid password manager service. That's fair, but it would be even more fair if the data were more up-to-date.
A compilation of known passwords that covers such a broad time range will necessarily be weighted towards old data. Years ago, passwords were often stored in plain text or hashed using easily breakable algorithms -- when a hacker gained access, they could read or recover most or all of the passwords. As the years have progressed, though, so has data security. When hackers compromise a site today, even if they do gain access to password tables, the passwords are usually salted and hashed with a strong, slow algorithm, so the original passwords cannot be recovered. Since NordPass' data includes only known passwords, it must be heavily weighted towards old data breaches.
After a data breach, companies typically require their users to change their passwords. In fact, this is mandatory under National Institute of Standards and Technology guidelines and the laws of some countries. You may have experienced the dreaded "Please change your password immediately" email yourself if you've had your data stolen in a data breach. Consequently, if NordPass' data goes back many years and spans many data breaches, most of its "common" passwords no longer exist in currently-active password databases.
I still think there is value in the data presented by NordPass. It gives some very good insight into the psychology of self-selected passwords, for example. (That's a topic that I plan to cover in a near-future article. Stay tuned, especially if one or more of your passwords ends in the number 1.) However, if Nord's list is actually an amalgamation of mostly-stale information, it is not, in fact, "The Top 200 Passwords of 2024."
I reached out to NordPass for clarification about the freshness of their data (and other concerns), but they have not responded by the time of publication. If they do respond, I'll update this article accordingly.
On a more lighthearted note, just for fun I decided to compare NordPass' list of common passwords to a list of passwords that hackers have actually tried on my own servers. In an earlier article, A Month of Bans: A Cybersecurity Review, I discussed some of the malicious activity logged on my own servers during October, 2024. As part of that investigation, I logged failed password attempts against a honeypot mail server, including the passwords attempted.
These are the top 10 generic passwords that villains actually tried against my mail server in October and early November 2024, from a total of 1005 attempts (persistent, aren't they?). For this list, I only considered passwords at least 6 characters long that were not simply copies of the username the villain tried to use.
My Rank | Password | NordPass Rank |
1 | 123456 | 1 |
2 | password | 4 |
3 | changeme | 169 |
4 | 123456789 | 2 |
5 | 12345678 | 3 |
6 | abc12345 | -- |
7 | 1qaz2wsx | 40 |
8 | 1q2w3e4r | 38 |
9 | 1234567 | 13 |
10 | abc123456 | -- |
This data is only based on about five weeks of intrusions on a single server, so it's certainly not definitive, but it does illustrate how prevalent the most common passwords are in actual dictionary attacks (brute force attacks that use a list of well-known common passwords -- maybe even NordPass' list). If you use a common password on a mail server, your account will be compromised.
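As an added example (my own code, not the article's or its server's logs), here is the filtering and ranking described above: it parses constructed log lines in a hypothetical `auth-fail user=... pass=... src=...` format, drops passwords shorter than 6 characters or equal to the username, counts the rest, and cross-references each against the NordPass ranks quoted in this article.

```python
import re
from collections import Counter

# Constructed sample log in an assumed honeypot format (the real server's
# log format is not shown in the article). Passwords are taken as one token,
# so this parser assumes no spaces in attempted passwords.
SAMPLE_LOG = """\
2024-10-03T02:11:09Z auth-fail user=admin pass=123456 src=198.51.100.7
2024-10-03T02:11:12Z auth-fail user=admin pass=admin src=198.51.100.7
2024-10-03T02:11:15Z auth-fail user=postmaster pass=postmaster src=198.51.100.7
2024-10-03T02:11:19Z auth-fail user=postmaster pass=password src=198.51.100.7
2024-10-04T11:40:01Z auth-fail user=info pass=12345 src=203.0.113.9
2024-10-04T11:40:05Z auth-fail user=info pass=changeme src=203.0.113.9
2024-10-05T19:02:44Z auth-fail user=test pass=123456 src=203.0.113.9
2024-10-05T19:02:50Z auth-fail user=test pass=1qaz2wsx src=203.0.113.9
2024-10-06T07:15:32Z auth-fail user=sales pass=changeme src=192.0.2.33
"""

# Subset of the NordPass 2024 ranks quoted in the article, for the cross-reference column.
NORDPASS_RANK = {"123456": 1, "123456789": 2, "12345678": 3, "password": 4,
                 "12345": 8, "1234567": 13, "1q2w3e4r": 38, "1qaz2wsx": 40,
                 "changeme": 169}

LINE_RE = re.compile(r"auth-fail user=(?P<user>\S+) pass=(?P<pw>\S+) src=(?P<src>\S+)")

def parse_attempts(log_text):
    """Yield (username, password) for every failed login line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("user"), m.group("pw")

def rank_generic_passwords(log_text, min_len=6, top=10):
    """Apply the article's filter (>= min_len chars, not a copy of the username)
    and return [(password, count, nordpass_rank_or_None), ...] by frequency."""
    counts = Counter(
        pw for user, pw in parse_attempts(log_text)
        if len(pw) >= min_len and pw.lower() != user.lower()
    )
    return [(pw, n, NORDPASS_RANK.get(pw)) for pw, n in counts.most_common(top)]

if __name__ == "__main__":
    print("My Rank | Password | Count | NordPass Rank")
    for i, (pw, n, rank) in enumerate(rank_generic_passwords(SAMPLE_LOG), 1):
        print(f"{i} | {pw} | {n} | {rank if rank else '--'}")
```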
You're probably expecting me to say that you should use a complex password with a mix of upper-case letters, lower-case letters, numbers, and symbols, but I'm not going to do that. Despite what many websites would have you believe, adding numbers and symbols to a weak password does not automatically make it more secure. "password," "password1," and "P@ssword!" are all equally vulnerable to dictionary attacks. A mix of letters, numbers, and symbols will only strengthen a password if they are interspersed randomly. "r0aF7*3H%1#oyPSv" is a strong password. "1l0vey0u!" is not. In fact, the most recent draft of NIST's new guidelines prohibits compliant services from requirements like this:
Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
The simplest and most effective way to increase password security is to choose a longer password or, better yet, choose a pass phrase made up of several words you will remember. "Banana bonanzas beget bad breath!" may be silly and hard to type on a phone screen, but it's a very strong pass phrase owing to its length, orders of magnitude more secure than even "r0aF7*3H%1#oyPSv". To encourage the use of pass phrases, NIST's new guidelines also recommend (but do not insist) that sites require at least 15 characters and permit spaces.
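As an added example (not code from the article or from NIST), the following contrasts the composition-rule check the article argues against with a length-and-blocklist check in the spirit of the quoted NIST guidance. The blocklist is a constructed subset of the passwords on this page, and the leetspeak folding is an assumed heuristic of mine, not something NIST specifies.

```python
import re
import unicodedata

# Constructed sample blocklist: entries from the NordPass ranks quoted in the
# article plus the honeypot hits. A real verifier would load a full list of
# known-common and breached passwords.
COMMON_PASSWORDS = {"123456", "123456789", "12345678", "password", "qwerty123",
                    "password1", "iloveyou", "changeme", "1qaz2wsx", "1q2w3e4r"}

# Letter-for-symbol substitutions folded back before the blocklist lookup,
# so "P@ssw0rd" is compared as "password". Assumed heuristic, not NIST text.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s"})

def composition_rule_check(pw):
    """The rule many sites still enforce: 8+ chars with upper, lower, digit and
    symbol. It accepts "P@ssword1" yet rejects a long pass phrase with no digit."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() and not c.isspace() for c in pw))

def canonical(pw):
    """Lower-case, drop trailing digits/punctuation, undo leetspeak."""
    base = re.sub(r"[\d\W_]+$", "", pw.lower()) or pw.lower()
    return base.translate(LEET)

def nist_style_check(pw, blocklist=COMMON_PASSWORDS, min_len=15):
    """Length plus blocklist, in the spirit of the NIST guidance the article
    quotes: no composition rules, spaces allowed, long pass phrases encouraged,
    known-common passwords rejected. Returns (accepted, reason)."""
    pw = unicodedata.normalize("NFKC", pw)  # same string regardless of input device
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if pw.lower() in blocklist or canonical(pw) in blocklist:
        return False, "too close to a commonly used password"
    return True, "ok"

if __name__ == "__main__":
    for cand in ["P@ssword1", "password123456789", "1l0vey0u!",
                 "r0aF7*3H%1#oyPSv", "Banana bonanzas beget bad breath!"]:
        print(f"{cand!r}: composition={composition_rule_check(cand)} "
              f"nist={nist_style_check(cand)}")
```

Note that "password123456789" satisfies the 15-character minimum but is still rejected, because stripping the trailing digits lands on a blocklisted word.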
If you're slightly more ambitious, using a password manager is even more secure. In fact, the whole reason NordPass publishes their annual list is to draw attention to their paid password manager. Password managers generate unique, strong, random passwords for every site you visit and remember them for you, though you can still choose your own pass phrases if you prefer. With a password manager, you'll never forget or duplicate a password again! As an added bonus, password managers can help protect you against phishing attacks -- they know better than to enter your password into a fake site without warning you. I'm not going to recommend any particular brand of password manager, but they're easy to come by these days -- the web browser you're using to read this article almost certainly has a free one built right in.
And, of course, you already know you should never reuse a password on multiple sites, right? ...Right? Seriously, don't do that. If you reuse passwords, I can almost guarantee that you'll be a victim of a credential-stuffing attack sooner or later. And, honestly, these days there's no excuse -- a password manager can make reused passwords a thing of the past.
So, go and strengthen your password1s and your p@ss phr@s3s. Don't let yourself be embarrassed by the next "Top Passwords" list!
Copyright 2024 Steve Derby for The Status Line (https://www.statusline.org/)