As each year rolls around, password lists are published by various companies looking to highlight the frequent, insecure passwords of the last twelve months. Many people do not take the time to update the default settings or just simply reuse the same password for everything. The common phrase heard is often “yeah, I’ve just had 3-4 passwords circulating since high school.” While this may be the easy way out, it is also the easiest way for threat actors to take hold of your account and gain access to data – both personal and work-related.

Having a password on the most-common list is setting up your accounts for easy attack. Avoid them and protect your data by using password managers, or a significant combination of randomized characters. If your password is on the list, it’s (finally) time to change your password. Let go of highschoolmusical2008 you.

Top 10 Most Common Passwords of 2022

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 12345
  6. qwerty123
  7. 1q2w3e
  8. 12345678
  9. 111111
  10. 1234567890

20 Most Frequently Leaked Passwords on the DeepWeb in 2022

  1. 123456
  2. 123456789
  3. Qwerty
  4. Password
  5. 12345
  6. 12345678
  7. 111111
  8. 1234567
  9. 123123
  10. Qwerty123
  11. 1q2w3e
  12. 1234567890
  13. DEFAULT
  14. 0
  15. Abc123
  16. 654321
  17. 123321
  18. Qwertyuiop
  19. Iloveyou
  20. 666666

According to Lookout, 80% of consumers have had their emails leaked on the darkweb. Passwords remain a security issue because they are part of the identity and authentication process used to protect information. User behaviors and human nature lend themselves to poorly crafted passwords.

Let’s face it, entering a 20 character password every time your computer enters stand-by mode isn’t the definition of convenience. Threat actors understand user tendencies and exploit those exact tendencies. A well-known hacking tool, John the Ripper, allows hackers to employ searches of every word in the dictionary, including foreign language dictionaries, plus commonly used examples like those from the list above.

While your company may have rules about how often or how complex your password needs to be (and great job to those security teams), many of us still don’t employ these rules in our personal lives. Pause for a moment and consider how many applications or websites you’re logged into at any moment. A breach in any one of these could be the downfall of many other accounts. The majority of threat actors and criminals are merely looking to profit from your information, but the cascading damage to your data, finances, and daily routine can be devastating.

What Really Makes a Good Password Anyways?

The complexity of a password by itself isn’t exactly enough. The best passwords are also difficult to guess. More often than not, passwords consist of some home address, child or spouse’s birth date, favorite color (87% of people choose blue, by the way), favorite pet’s name, etc. These bits of information are easy to find, connect and exploit through social media or other platforms where most people display prominent information about their daily lives.

In the most technical sense, passwords are one part of a greater set of access control measures. Most sites require credentials which you know as a username and password, plus occasionally a validation email or text code which authenticates that you. The password remains the weak link in the chain. Email addresses are typically static and easy to guess but they aren’t always used as a user name/ID. Randomly generated codes are just that: random, and lends them to be difficult to exploit. Two factor authentication is a standard way to help mitigate password compromise, but isn’t always practical or well-adopted across the board.

Ultimately though, good password practices can be difficult to effectively implement at the end user level. Complex passwords with expirations tempt people to write those passwords down somewhere. Is it time we consider the use of a good password manager? (Yes)

One of the biggest threats from a password perspective is credential stuffing, where a bad actor obtains leaked credentials from a compromised site, then uses those credentials to attempt logins at other sites. If every account you have uses a different password, then only the original leaked credential is a risk.

For highly important accounts, MFA (multi-factor authentication) should be enabled. This is another good deterrent to the credential stuffing problem. Microsoft once proposed that password expiration be dropped as a requirement. The argument being, if you use unique passwords for every site, passwords that are sufficiently long and complex along with a password management tool, and MFA on important accounts, then there really would be no need to have those passwords expire.

Generally, good password management requires frequent changes of passwords and enforcement of quality passwords which are at least eight characters or more. Passwords with less than eight characters are often defeated by hacking tools in less than five minutes.  Educating employees and users is a constant struggle, but is worth the effort. Automated prompts to employees to require password changes is a great step in the right direction. Experts recommend the following practices to avoid weak passwords and employ best practices with securing your accounts.

Good Password Practices

  • Use pass-phrases or complex passwords with more than 8 characters. Complex passwords include:
  • Randomized use of capital and lowercase characters 
  • Special symbols such as #, &, %, $
  • At least one number
  • Change passwords every 6 months and anytime you suspect a potential compromise
  • Educate employees & family members
  • Change the default password for devices and accounts
  • Consider the use of password managers
  • Implement different passwords for different accounts

Bad Password Practices

  • Don’t use password or any other form of passw0rd as your password or any of the commonly used passwords listed earlier
  • Don’t use common information that can be easily guessed (such as first/middle/last names or birthdays)
  • Don’t use the same password for multiple accounts (admin and user accounts need different passwords; HR and Financial records systems need different passwords, too)
  • Don’t write down passwords and leave them in an easy to find places (like under your keyboard)
  • Don’t share passwords with untrusted sites, sources or personnel

Curious for more? Check out our free community resources to know if your account has been compromised, analyze fraudulent domains, and see hundreds of blacklisted IP addresses collected from our honeypot system.

Further Resources