Weak passwords continue to be a problem on today's Internet. It seems that many users continue to pick weak passwords that were weak 20 years ago and continue to be the weakest of the weak. It is probably part convenience and part not-knowing-better that play a role here.

NordPass has released its six annual password report of the top 200 most common passwords. The company has analyzed a 2.5 terabyte database that it "extracted from various publicly available sources".

Note: It is likely that NordPass could not crack the entire list of passwords. With that said, if one of your passwords is found on such a list, you better change it immediately to something more secure.

The top 10 of all countries looks like this:

1. 123456
2. 123456789
3. 12345678
4. password
5. qwerty123
6. qwerty1
7. 111111
8. 12345
9. secret
10. 123123

You can check out individual lists of 44 countries or the same for corporate passwords, which NordPass lists in a separate list.

All of the non-corporate passwords that make up the top 10 are cracked in less than one second according to NordPass.  The other 190 passwords use a similar scheme and most are also cracked in less than a second. While numbers and qwerty dominate, there are also single words and even some passwords that are more complex on the list.

Related Content:

How long does it take to crack a password in 2024?

You find tag12wsx in position 30. It was found more than 90,000 times according to NordPass. Other examples include 111222tianya, found more than 44,000 times, and chesse, which was found more than 23,000 times.

If you take a closer look at the passwords, you may notice the absence of symbols. While there are one or two passwords with an @-symbol, some with !, and g:czechout, which takes the longest to crack on the entire list, there is almost no symbol used in the entire list.

The second interesting takeaway is that there are barely any uppercase letters. The first uppercase letter ins found in Password, which is at position 26. The next is Qwerty123 at position 36 and Qwerty123! at position 46.

To sum it up:

• The most common passwords use lowercase letters and numbers only for the most part.
• Symbols and uppercase letters are nearly absent in the entire listing.

NordPass' findings:

• The password 123456 is still the world's worst password.
• Corporate passwords and non-corporate passwords are not that different in terms of security.
• There seems to be no improvement when compared to six years ago.

The list highlights a problem, but it is not yours

NordPass suggests that users can improve their password security by using a password manager. That is the main takeaway from all weak password listings.

Unless you are really good at remembering strong unique passwords, password managers are the best option. There are plenty of free alternatives.

There is KeePass, which continues to be my personal favorite app, and also BitWarden, which is also excellent and open source. It depends on your personal usage scenarios.

The main benefit of a password manager is that it generates and stores as many strong unique passwords as you require. BitWarden is a little bit easier to use if you need syncing, but both support this in one form or another.

Good news is that you may start right away, if you have not done so already. Most regulars here on Ghacks are probably using a password manager or multiple managers already. It takes a few minutes to download a password manager and install it. Many support imports from browsers and several other apps. You may need some time to change weak to secure passwords, but the heavy lifting is done by the password manager.

Passkeys, an upcoming standard that replaces passwords with keys that are stored on the user's devices, won't replace passwords anytime soon. Adoption is picking up pace, but it is still slow. Many Internet services, systems, or apps do not support the standard yet. Many Internet users may find it too complex of a system to use, at least in the coming years.

What is your take on this analysis? Do you use weak passwords sometimes, or do you use highly secure passwords even for throwaway accounts? Feel free to leave a comment down below.