Avoid the Most Common Passwords With These Security Tips

By: Talon Homer

In the modern day, people have to try and stay organized with dozens, maybe even hundreds, of online accounts. As a result, they may fall back on easy-to-guess passwords out of a misguided sense of convenience, or use the same password across multiple sites.

Here, we'll go over the most common passwords (as of 2024), and also give you some better options for maintaining online security.


25 Most Common Passwords

Cybersecurity company NordPass publishes annual statistics on the most common passwords by analyzing data breaches across 44 countries, with the most recent study being published in 2024. They've also included the number of times they found the common words to be used. The top 25 results in the study are as follows:

  1. 123456 - used 1.2 million times
  2. 123456789 - used 693,000 times
  3. 12345678 - used 365,000 times
  4. secret - used 339,000 times
  5. password - used 196,000 times
  6. qwerty123 - used 144,000 times
  7. qwerty1 - used 138,000 times
  8. 111111 - used 106,000 times
  9. 123123 - used 102,000 times
  10. 1234567890 - used 93,000 times
  11. qwerty - used 92,000 times
  12. 1234567 - used 86,000 times
  13. 11111111 - used 80,000 times
  14. abc123 - used 58,000 times
  15. iloveyou - used 54,000 times
  16. 123123123 - used 51,000 times
  17. 000000 - used 46,000 times
  18. 00000000 - used 45,000 times
  19. a123456 - used 42,000 times
  20. password1 - used 41,000 times
  21. 654321 - used 41,000 times
  22. qwer4321 - used 36,000 times
  23. 1q2w3e4r5t - used 35,000 times
  24. 123456a - used 35,000 times
  25. q1w2e3r4t5y6 - used 34,000 times


Password Trend Analysis

Browsing through the list of most common passwords, the thing that immediately jumps out is that the majority of them are using strings of characters in the order they appear across the keyboard. This is a horrible security practice — and an almost surefire way to get your online information stolen.

Passwords that use common nouns and phrases are stronger than these, but not by much. These are the first things that hackers will try when attempting to access an account. In fact, hackers often have automated scripts that can run through all of the most common passwords in a brute-force attack in a matter of seconds.

Other Common Password Trends

Other examples that appear further down the list of most common passwords include simple animal or fantasy creature names like monkey, dragon and unicorn. Popular sports like baseball, football and soccer are also frequently used. Proper names "ashley" and "michael" (without caps) also make it into the top 100.

Apart from common words and numbers, people tend to use identifying information in their passwords. This can include parts of their name, their current or birth city, as well as their birthday or birth year.


You should avoid using any of these in a password, as they can easily be phished by scammers, or potentially even someone you know.

Learning From the Most Common Passwords

The most common passwords tend to use strings of characters in keyboard, numerical or alphabetical order and only use lowercase letters.

So, when it comes to creating a strong password, it's safe to say that we should avoid any and all of these practices. You should also avoid common words and phrasing that could potentially be guessed, as well as any personal information.
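The warning signs above can be turned into a screening check that a sign-up or password-change form runs before accepting a new password. The following Python is an added example, not part of the original article; the `RUNS` table, the run threshold of 4 and the function names are assumptions made for illustration.

```python
import re

# The top 25 passwords from the NordPass list quoted on this page.
COMMON = {
    "123456", "123456789", "12345678", "secret", "password", "qwerty123",
    "qwerty1", "111111", "123123", "1234567890", "qwerty", "1234567",
    "11111111", "abc123", "iloveyou", "123123123", "000000", "00000000",
    "a123456", "password1", "654321", "qwer4321", "1q2w3e4r5t", "123456a",
    "q1w2e3r4t5y6",
}

# Ordered runs a typist can produce without thinking: keyboard rows,
# digits and the alphabet (constructed for this example).
RUNS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
        "abcdefghijklmnopqrstuvwxyz"]


def longest_run(pw: str) -> int:
    """Length of the longest substring of pw lying on an ordered run,
    read forwards or backwards."""
    low, best = pw.lower(), 0
    for run in RUNS:
        for seq in (run, run[::-1]):
            for i in range(len(low)):
                for j in range(i + best + 1, len(low) + 1):
                    if low[i:j] in seq:
                        best = j - i
                    else:
                        break
    return best


def weaknesses(pw: str, personal: tuple = ()) -> list:
    """Return the reasons pw should be rejected; an empty list means
    none of the page's warning signs were found."""
    found = []
    if pw.lower() in COMMON:
        found.append("on the most-common list")
    if longest_run(pw) >= 4:
        found.append("keyboard, numeric or alphabetic run")
    if re.fullmatch(r"(.+?)\1+", pw):
        found.append("repeated block")
    if re.fullmatch(r"[a-z]+", pw) or re.fullmatch(r"[0-9]+", pw):
        found.append("single character class")
    if any(len(p) >= 3 and p.lower() in pw.lower() for p in personal):
        found.append("contains personal information")
    return found
```

Note that `1q2w3e4r5t` trips only the list lookup, which is why pattern rules alone are not enough and a real deployment would check a much larger breached-password list.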


4 Online Security Tips

1. Use Complex Passwords

The No. 1 way to increase password security is to use more complex passwords. This means making them longer, omitting common phrases and using more types of characters, including lowercase letters, capital letters, numerical digits and punctuation marks.

If we take this logic to its extreme conclusion, then we'll realize that the most secure password is not one that's thought up by a human at all, but one that's been randomly generated. Web browsers like Chrome are able to randomly generate passwords for the user, and there are plenty of other applications for this purpose as well.


Using a randomly generated string of characters makes it effectively impossible for a hacker to guess the password or to obtain it through a brute force attack. The only downside is that it makes the password much harder to remember, so it will need to be written down or otherwise stored somewhere.

2. Two-factor Authentication

For sensitive data like banking accounts, you should always use a method of two-factor authentication. 2FA bars anyone from accessing the account until they verify their identity as the rightful owner by responding to a text on their phone, an e-mail sent to their address, or by punching in a code on a dedicated 2FA app.

Two-factor authentication ups the security factor exponentially because even if a hacker had stolen that password, they would not be able to log in unless they had also compromised that second e-mail account or gained physical access to your smartphone.

It will naturally take more time for you to log in using 2FA, but the added security should be more than worth it to protect sensitive data.

3. Never Use the Same Password on Multiple Accounts

Apart from using common passwords, the worst possible security practice is to use the same password multiple times. The reasoning is simple: If a hacker obtains one of your passwords by purchasing it on a dark web market or by another method, they can easily find and access other accounts that use that password through a method called credential stuffing.

In a credential stuffing attack, the hacker runs a script which takes the password and automatically copies it to hundreds of other web sites to try and gain access. These attacks have a very low rate of success but remain common because they are so easy to do.

If you use each password for only one online account, then the odds of falling victim to one of these specific attacks are absolute zero.

4. Stay Organized With a Password Manager

If the most secure passwords are randomly generated, and we can't use the same password across multiple accounts, then how are we supposed to actually remember all these passwords?

That's where a password manager program comes in. It effectively takes memory out of the equation by locking all your complex passwords behind one master password.

Most popular web browsers today include built-in password managers which are very convenient because they tie every password to one account and can autofill your passwords on the fly. They can also migrate all your saved passwords to a new machine when you log onto the same browser account.

However, if online security is of the utmost importance to you, then you should shy away from using a password manager that has any online access. The most secure managers only save the passwords onto your local machine and not to any server. Dedicated password manager devices also exist which function a bit like calculators and have zero internet connection.

When using an encrypted password manager, it's crucial to remember the master login credentials, otherwise you could lose access to all the other passwords. It may be useful to write the main password down on a piece of paper as a fallback. However, this paper should be stored somewhere away from the computer where it is not easily discovered, and preferably accessed using a physical lock and key.
