Study reveals shocking list of the most common corporate passwords
An analysis of password habits by cybersecurity firms NordPass and NordStellar found that “123456” is the most commonly used password in the world, despite taking hackers less than a second to crack. Further, it's been the most common password for five out of the last six years, losing only once to “password”—which, in 2024, ranked fifth.
“After analyzing 6 years' worth of data, we can say there hasn't been much improvement in people's password habits. So, despite many organizations' efforts to spread awareness, the problem is still as prevalent as ever,” the report reads.
For their new report, “Top 200 Most Common Passwords,” NordPass and NordStellar examined more than 2.5TB of login credentials, including information leaked on the dark web from various network breaches. Their analysis included passwords used both at home and in corporate settings; however, the distinction between the two was, alarmingly, minimal.
“If you check out the top 10 most common personal passwords and compare them to the corporate list, you’ll notice they’re nearly identical. This highlights that people tend to rely on the same weak passwords for both their personal and work lives,” the authors wrote.
The top 20 most common passwords used in a corporate setting are:
- 123456
- 123456789
- 12345678
- secret
- password
- qwerty123
- qwerty1
- 111111
- 123123
- 1234567890
- qwerty
- 1234567
- 11111111
- abc123
- iloveyou
- 123123123
- 000000
- 00000000
- a123456
- password1
All 20 are easily crackable, taking a hacker less than a second to bypass, the report said.
Time for a cybersecurity audit
The full report can be broken down to individually view the top passwords in 44 countries. No country performed particularly well, meaning that cybersecurity hygiene is a global problem. Further, the list barely changes from year to year, signaling that companies neglect password audits—at least, until they suffer a data breach.
Compromised logins can lead to a massive data leak or ransomware attack. For example, the breach of Change Healthcare’s network occurred because phished credentials were used to log in to a server that lacked multifactor authentication. That cyberattack impacted 100 million people.
Regardless of the industry, NordPass and NordStellar recommend organizations and individuals “regularly check the health” of passwords to ensure they’re using secure credentials.
“Your password should be at least 20 characters long and include a mix of uppercase and lowercase letters, numbers and special symbols. Steer clear of easily guessable information like birthdays, names or common words,” they noted.
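The following added example, which is not from the report or the original article, screens a candidate password at set time against the 20 listed passwords and the quoted length and character-class recommendation. The stem matching, the repeated-pattern and digit-run checks, and all function names are assumptions made for illustration.

```python
import re

# The 20 corporate passwords listed in the article.
COMMON = {
    "123456", "123456789", "12345678", "secret", "password", "qwerty123",
    "qwerty1", "111111", "123123", "1234567890", "qwerty", "1234567",
    "11111111", "abc123", "iloveyou", "123123123", "000000", "00000000",
    "a123456", "password1",
}
# Alphabetic stems of those entries, to catch variants such as "Password2024!".
# Assumption: stems shorter than 6 letters ("abc", "a") are skipped to limit false hits.
STEMS = {s for s in (re.sub(r"[^a-z]", "", p) for p in COMMON) if len(s) >= 6}
MIN_LENGTH = 20  # length from the recommendation quoted in the article
CLASSES = {"upper": r"[A-Z]", "lower": r"[a-z]", "digit": r"[0-9]",
           "symbol": r"[^A-Za-z0-9]"}


def _is_digit_run(pw: str) -> bool:
    """True for ascending digit runs such as 123456 or 1234567890 (9 wraps to 0)."""
    return (pw.isascii() and pw.isdigit() and len(pw) > 2 and
            all((int(a) + 1) % 10 == int(b) for a, b in zip(pw, pw[1:])))


def audit_password(pw: str) -> list[str]:
    """Return findings for a candidate password; an empty list means it passed."""
    findings = []
    lowered = pw.lower()
    if lowered in COMMON:
        findings.append("listed")
    elif any(stem in lowered for stem in STEMS):
        findings.append("contains-common-stem")
    if re.fullmatch(r"(.{1,4})\1+", lowered):  # 111111, 123123, 000000 ...
        findings.append("repeated-pattern")
    if _is_digit_run(pw):
        findings.append("digit-run")
    if len(pw) < MIN_LENGTH:
        findings.append("too-short")
    missing = [name for name, rx in CLASSES.items() if not re.search(rx, pw)]
    if missing:
        findings.append("missing:" + ",".join(missing))
    return findings


if __name__ == "__main__":
    # Constructed sample candidates, not taken from the report's data.
    for candidate in ["123456", "Password2024!", "123123123", "vT9#qLm2&Zr8!xWc4@Hn"]:
        print(f"{candidate!r}: {audit_password(candidate) or 'ok'}")
```

A check like this belongs where the plaintext is legitimately available, such as a password-change form, so weak choices are rejected before they are ever stored.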
The full analysis can be found here.