
The Worst Passwords of 2023

December 26, 2023

This year's list of the world's most common passwords is out!

Is your favorite on the list?

NordPass just released their annual list of the Top 200 Most Common Passwords! Now, if you've never seen it, every year NordPass partners with cybersecurity researchers to go over several terabytes of stolen password data, all publicly available, to look for the most commonly used passwords worldwide.  Will there be surprises this year?  Let's find out!

Top 10 Most Common Worldwide

  1. 123456
  2. admin
  3. 12345678
  4. 123456789
  5. 1234
  6. 12345
  7. password
  8. 123
  9. Aa123456

Top 10 Most Common in the USA

  1. 123456
  2. password
  3. admin
  4. 1234
  5. UNKNOWN
  6. 12345678
  7. 123456789
  8. 12345
  9. abc123

Congrats 123456 for winning again! The undisputed King of Bad Passwords, 123456 has held the crown 4 out of the last 5 years. Otherwise, looks like a lot of old favorites here!  UNKNOWN is an interesting addition, and the only one on either list that NordPass estimates would take longer than a fraction of a second to crack.  (At 17 seconds, it's still not great, and being on this list means it's one of the first someone will try in a brute force attack so this is hardly a recommendation.)


Hopefully it goes without saying that all of these are laughably terrible passwords and we should all know better but here is proof that over 4.5 million people are still rocking 123456 in 2023. 


Something new that NordPass did this year was to look at how password trends diverge depending on what sort of thing they are used for. They compared Ecommerce, Social Media, Financial, Email, Gaming, Productivity Tools, Smartphone, and Streaming.


So what can we learn here?


Ecommerce - Please don't use the name of the shopping site as your password.  Apart from variations on 123456, amazon was the top used password in this category.  amazon123 and Amazon@123 are also really high on the list, so please please please just do not.


Social Media - This one seems heavy on numerical passwords.  I see you 1122334455, you are not fooling anybody.


Financial - You guys, this is your money! P@ssw0rd and paypal123 are not going to cut it. Batman11 is surprisingly common here too.


Email - Considering how many of us still have the email addresses that 14-year-old us thought were cool, I expected to see some goofy stuff here, but it was surprisingly tame. ****** , lol12345, and fortnite stood out.


Gaming - Maybe due to inputting these on a controller instead of a keyboard, most of these are numerical or a variation on qwerty.  Up your game, gamers.


Productivity - Not at all surprised to see Zoom2020 high on this list.  BTW, changing the year on that one doesn't make it any better.


Smartphone - Using the phone name is a big trend here. Apple2020, Samsung1, Iphone1234, etc.


Streaming - NordPass even noted that people seemed to be strong password haters in this category. They are really short and really basic, even compared to the Top Ten.  Let's try to do better than netflix or 101010, mmmkay?
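
The habits above (site name plus digits, swapped characters, number runs) are easy for a signup form to screen for. The sketch below is an added example, not code from NordPass or from the original post; the short blocklist is a constructed sample, and `screen_password` and `service_words` are names made up for this illustration.

```python
import re

# Constructed sample blocklist built from passwords quoted in the post.
# A real deployment would load a full breached-password list instead.
COMMON = {"123456", "admin", "12345678", "123456789", "1234", "12345",
          "password", "123", "aa123456", "abc123", "unknown", "qwerty"}

# Undo the usual character swaps so "P@ssw0rd" is compared as "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                      "1": "i", "$": "s", "5": "s"})


def screen_password(password, service_words=()):
    """Return the reasons to reject a password; an empty list means it passed.

    service_words (hypothetical parameter): names tied to the account, such as
    the site, app or device name.
    """
    pw = password.lower()
    reasons = []
    if len(password) < 8:
        reasons.append("too short")
    if pw in COMMON:
        reasons.append("on the common-password list")
    # Runs and stutters: every character is within one step of the previous
    # one, which covers 123456, 1122334455 and 101010.
    if len(pw) > 1 and all(abs(ord(b) - ord(a)) <= 1 for a, b in zip(pw, pw[1:])):
        reasons.append("sequential or repeated characters")
    # Core word: drop the trailing digits/symbols, undo swaps, keep letters.
    stem = re.sub(r"[\d\W_]+$", "", pw)
    core = re.sub(r"[^a-z]", "", stem.translate(LEET))
    if core in COMMON and pw not in COMMON:
        reasons.append("decorated common password")
    if core and core in {w.lower() for w in service_words}:
        reasons.append("based on the service or device name")
    return reasons


if __name__ == "__main__":
    samples = [("123456", []), ("Amazon@123", ["amazon"]), ("P@ssw0rd", []),
               ("Zoom2020", ["zoom"]), ("1122334455", []),
               ("maple-otter-violin-42", [])]
    for candidate, words in samples:
        print(candidate, "->", screen_password(candidate, words) or "ok")
```
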


Check out the list for yourself

As fun as it is to make fun of bad passwords, how do you make sure yours are good?

I'm glad you asked.  I did a whole blog series about that a while ago, that you can visit here:

  • Bad Passwords 2021
  • Bad Passwords 2: what makes a good password?
  • Bad Passwords 3: MFA
  • Bad Passwords 4: SSO


That said, here's the TL;DR:


  • Get a password management program.  Some good ones include 1Password, Keeper, and yes, NordPass. They can help you generate good passwords and store them for you so you only have to remember your master password. Some will let you know if your password has been leaked on the dark web, and can suggest when it's time to update.
  • Don't reuse passwords across sites. Don't even use a variation.  If one gets leaked or hacked, they are all at risk.
  • If you don't have a password management program, learn how to make good passwords. Check out #2 in our blog series, it talks about what makes bad passwords bad, so we know what common pitfalls are and how to avoid them.
  • Go through your passwords every once in a while, and change out any old, sad ones.
  • Use MFA (Multi-factor Authentication) if possible, especially for financial or other important sites.

This post, like all our posts, is 100% written by a human.
