Every year, NordPass’ list of the most common passwords reveals a troubling lack of creativity and security awareness among internet users, and 2024 is no exception. In fact, this year’s list might be the worst yet. The passwords are so predictable they seem to suggest people are either overly reliant on two-factor authentication or simply don’t care about protecting their accounts. This complacency leaves personal information vulnerable to increasingly sophisticated cyberattacks and the growing computation power of today's GPUs to hack passwords by brute force.
NordPass’ annual study, now in its sixth year, analyzed a database of leaked credentials to compile the Top 200 Most Common Passwords. The research spans both global trends and country-specific findings, including the United States. The results, compiled with the assistance of independent cybersecurity researchers, highlight just how quickly these weak passwords can be cracked – 78% of them in under one second.
Read more: New Password Guidelines Issued for Staying Ahead of Hackers
Keyboard patterns dominated the most common password lists. Globally, nearly half are made up of the easiest keyboard combinations, such as sequential numbers and “qwerty” patterns.
The ten worst passwords in the U.S.
Here are the most common passwords Americans used in 2024 – and why they’re so insecure:
- secret – A uniquely American favorite that’s deceptively simple to guess.
- 123456 – This sequential string remains a perennial offender, showing no signs of disappearing.
- password – The classic weak choice that hackers are always ready for.
- qwerty123 – A false attempt at complexity using a common keyboard pattern.
- qwerty1 – Another keyboard combination that’s easy to type and crack.
- 123456789 – Adding more digits doesn’t make it stronger; it’s just as predictable.
- password1 – A minor variation on “password” that provides no meaningful protection.
- 12345678 – Similar to “123456,” it’s just a few numbers longer and equally vulnerable.
- 12345 – Short, simple, and one of the easiest to hack.
- abc123 – The quintessential beginner password, popular but entirely insecure.
How to break the bad password habit
This year, we saw a big push from companies to encourage consumers to switch over to passkeys – and for good reason. I highly recommend switching to passkeys wherever possible. Unlike traditional passwords, passkeys are immune to phishing and mitigate many of the risks of hacking and theft. They leverage biometric data or cryptographic keys to authenticate users, making them far more secure.
Read more: Passkeys: Use This Secure and Convenient Alternative to Passwords
For sites and services that don’t yet support passkeys, a password manager is your next best option. A password manager can generate and store unique, random passwords that are nearly impossible to crack. Ideally, your passwords should be at least 16 characters long, combining letters, numbers, and symbols. NordPass is a highly secure and user-friendly password manager that I feel comfortable recommending, along with 1Password. Google Password Manager and Apple Password are excellent free options but lack cross-platform support and more advanced features, like secure notes, payment information, and file storage.
Read more: Apple Passwords vs iCloud Keychain: What’s Changed with iOS 18?
If your passwords resemble anything on the list above, it’s time to take action. Change your “bad” passwords, adopt passkeys, and use a password manager. The small effort it takes to upgrade your password habits now will pay off in the long run.
[Image credit: laptop with password sticky note concept generated by DALL-E]
Suzanne Kantra founded Techlicious 15+ years ago and has been covering consumer technology for more than 20 years. She was the Technology Editor for Martha Stewart Living Omnimedia, where she hosted the radio show “Living with Technology," and served as Senior Technology Editor for Popular Science Magazine. She has been featured on CNN, CBS, and NBC.
