By now, everybody should be using a password that looks like, well, gibberish — something like s;3HiMom!&%k#$l. Actually, given the increasing sophistication of attackers, that one might soon be a few characters short of providing real security.
With tools like password sprayers easily available to malefactors, it’s time to look at what you and your company should absolutely not be using as the key to your accounts and your organization’s data trove.
The world’s most common passwords
Thankfully, password manager NordPass is out with its annual ranking of the world’s 200 most common passwords. Heading up this year’s invidious class is, you guessed it, “password.” Beating out 2021 and 2020’s winner is “123456.” This may look bad, but there is some improvement: In 2019, it was “12345.”
The NordPass list parses passwords by country, gender and things like the average time it takes to crack them. In the U.S., the most common password of 2022 was “guest” with “password” coming in fourth place. “12345” and “123456” are also on the list.
Additionally, the ranking includes an estimate of the time it would take to crack most of these codes, which was under one second. Number nine on the global list, “col123456,” would take a whopping 11 seconds to hack. Worldwide, the other most used passwords included “qwerty,” “guest,” and “111111” (Figure A).
How NordPass conducted the study
Karolis Arbaciauskas, head of business development at NordPass, explained that the company partnered with independent researchers, who found a 3TB size database full of leaked passwords, which he described as “a solid basis to evaluate which passwords are, year after year, putting people in danger online.”
He said “password” was found over 4.9 million times in the database and that compared to the data from 2021, 73% of the 200 most common passwords in 2022 remain the same.
“Since we know these passwords appeared among leaked ones, we would avoid many cybersecurity incidents if people stopped using them,” Arbaciauskas said.
Poor password hygiene is a widespread problem
Carl Kriebel, shareholder of cybersecurity consulting services at global accounting firm Schneider Downs, said poor passwords are indeed a ubiquitous problem.
“In the 75 or so penetration tests we do per year, passwords are consistently the weak link in the chain more often than not,” he said, adding that even though protocols like fry/fail lockouts may only lengthen the time attackers need to infiltrate, that makes a difference.
“Like everyone else, attackers are measuring ROI, including time,” Kriebel added.
Ready access to things like password spraying technology reduces that time to nearly zero for accounts with common codes and easily guessable passwords, so remediating that issue across an institution is the first order of effort, he noted.
“If we can quickly password spray our way in, then obviously there’s a policy problem,” Kriebel said. “Every organization should have try/fails and then lock the password — even for an hour.”
Secure your data according to these guidelines
At this point few companies should be using single-factor authentication.
“We highly encourage remote access multi-factor capability,” Kriebel said. “If not, or if an organization has a broad-based network where applications are multifaceted with numerous entry points, our recommendation is instituting a standardized policy for password setting with a far higher threshold.”
Additional security recommendations for your organization
- Change passwords, rotate them and reset them on a regular cadence.
- Use passphrases — not passwords.
- Companies should do risk discussion about how the organization should embrace policies around passwords; don’t just put the onus on the CIO.
- Implement password blacklists.
- Every company should have some form of try/fail password locking.
Eight characters is seven too few
Kriebel said institutions need to advocate for complex passwords — not just by increasing the mix of characters, symbols and numbers, but by increasing the character count too. Many people still use just eight characters, but that is nowhere near enough, he said.
While advocating for implementation of 15 character passwords, Kriebel concedes that formalizing stronger policies requires a certain amount of organizational fortitude, because companies don’t want to be burdensome to the point at which people push back.
“Even simply adding characters makes it exponentially more difficult to hack passwords,” Kriebel added.
Passphrases are better than alphabet soup
Even better: Passphrases, even apparently obvious ones, are extremely difficult to hack. Kriebel said that even with the tools hackers currently have at their disposal even something as simple as “Mary had a little lamb” is hard to crack.
“If you make a very simple alteration to that phrase, removing the space between ‘a’ and ‘little,’ for example, the passphrase becomes almost impossible to crack,” Kriebel said.
Kriebel recommends companies move to obtain password blacklists and make prohibition of their use part of their security policy, which is a more recent development in defensive tactics. Further, organizations should make sure these lists don’t contain merely generic, common passwords, but also those with cognitive connections around obvious things like a company’s location.
Arbaciauskas said a multiple-step approach is the key to organizational security. Businesses need to set cybersecurity policies in their organization, have specialists responsible for their implementation and keep the employees educated about the cybersecurity risks faced. Companies also need modern technological tools to help secure accounts.
“Password managers allow not only secure password storing but also sharing among employees,” Arbaciauskas said.
Password generation tools offered by many password managers automatically create strong and unique passwords consisting of random combinations of letters, numbers and symbols.
“By using password managers, companies prevent themselves from human mistakes — the creation of easy passwords and their reuse,” Arbaciauskas added.
To learn best practices to strengthen your password protection protocols, download our Password management policy .