50 Most Common Passwords of 2024—Are Yours on the List?

Stop me if this sounds familiar: You’re setting up (yet another) online account when you’re prompted to enter a password. Sigh. It’s just easier to go with one of your most common passwords, am I right? Maybe you’ll include the word password in there—no chance of forgetting that!—and 123 if numbers are required. Or perhaps you go with your kid’s or pet’s name and an easy-to-remember date, like a birthday or anniversary. Done and done.

Not so fast! “If a password is frequently reused or easy to guess, bad actors can more easily gain access to email, banking and social media accounts, resulting in identity theft and financial loss,” says Gary Orenstein of Bitwarden, a popular password manager. “Recent examples, like the Microsoft and 23andMe breaches, illustrate the consequences of weak password use, with attackers employing password-spraying and credential-stuffing attacks using easily guessed or reused credentials respectively.”

We’ll come back to those scary-sounding attacks in a bit. For now, here’s the most important takeaway: Weak passwords will cost you, sometimes literally. That’s why I’m diving in to the data on the most common passwords. Ahead, three cybersecurity and data-privacy experts help me explain how hackers get your passwords and offer tech tips for keeping yours out of the hands of bad actors.

Get Reader’s Digest’s Read Up newsletter for more tech, travel, cleaning, humor and fun facts all week long.

Why do strong passwords matter?

Easy-to-remember passwords are convenient, but their potential downsides can be devastating. A weak and predictable password is easy to crack. Hackers may use software that guesses the most common passwords, and other freely available tools on the dark web (a hidden part of the internet notorious for criminal activity) may comb through your social media profiles to look for important names and dates that are likely to appear in your password.

Even if your password is long and strong, reusing the same one is a bad idea. If a company experiences a data breach—which happens more often than you may realize—cybercriminals won’t just have access to one of your accounts; they’ll be able to access many.

Makes sense, no? Unfortunately, the logic hasn’t convinced most of us to use unique, complex passwords.

A 2024 Bitwarden World Password Day survey revealed that 25% of respondents globally said they reuse passwords across as many as 20 accounts. And 36% said they use personal information in their passwords that can easily be found on social media. Oof.

Thankfully, it’s not too late to improve your online security. Keep reading to find out the most common passwords—prepare to cringe when you see yours in the list—and learn the best ways to manage your passwords going forward.

What is the No. 1 most common password?

The importance of selecting strong passwords is clear, right? It begs the question: What is the most common password in the world? After all, if you know hackers’ first guess, you can avoid it at all costs.

As a surprise to no one, perhaps, the most common password is 123456, according to Nord Security, a company that makes cybersecurity products, including NordVPN virtual private network software to browse the web anonymously and a password manager app called NordPass.

“Throughout the past five years, 123456 was ranked the world’s most common password four out of five times, and the past year was no exception,” says Gediminas Brencius, head of product at NordPass.

What are the 50 most common passwords?

Reader's Digest

In case you still need a little motivation to change your passwords, consider this scary tidbit: According to Brencius, 70% of the passwords on NordPass’s latest password list can be cracked in less than a second.

“To gain access to internet users’ accounts, hackers are often conducting brute-force attacks,” he explains. “It means that a hacker is submitting large batches of passwords or passphrases with an aim to eventually guess correctly.”

The most recent list of passwords from NordPass ranks these as the most common in the world:

1. 123456
2. admin
3. 12345678
4. 123456789
5. 1234
6. 12345
7. password
8. 123
9. Aa123456
10. 1234567890
11. 1234567
12. 123123
13. 111111
14. Password
15. 12345678910
16. 000000
17. admin123
18. 1111
19. P@ssw0rd
20. root
21. 654321
22. qwerty
23. Pass@123
24. 112233
25. 102030
26. ubnt
27. abc123
28. Aa@123456
29. abcd1234
30. 1q2w3e4r
31. 123321
32. qwertyuiop
33. 87654321
34. 987654321
35. Eliska81
36. 123123123
37. 11223344
38. 0987654321
39. demo
40. 12341234
41. qwerty123
42. Admin@123
43. 1q2w3e4r5t
44. 11111111
45. pass
46. Demo@123
47. azerty
48. admintelecom
49. Admin
50. 123meklozed

NordPass also looked at password use by location, determining that these are the most common passwords used in the United States:

1. 123456
2. password
3. admin
4. 1234
5. UNKNOWN
6. 12345678
7. 123456789
8. 12345
9. abc123
10. Password
11. Password1
12. password1
13. 12345678910
14. 1q2w3e4r
15. 1234567
16. shitbird
17. 1234567890
18. 123123
19. reset
20. qwerty

Are your passwords on these lists? It’s time to change them. Using one of the above is a massive password mistake, and hackers are just waiting for you to make it.

How hackers get your passwords

Igor Stevanovic/Getty Images

If yours are among the most common passwords, hackers are in luck. It’s easy for them to access password lists by searching databases of compromised accounts. It doesn’t take long for a password dump to end up on the dark web after a cyberattack. From there, stolen passwords are quickly circulated. (Thankfully, these password lists fall into the hands of savvy researchers too.)

Once they have this list of passwords, how do hackers know which, if any, will grant them access to your accounts? The most common methods for figuring out your password include “credential stuffing, password spraying, keylogging, phishing scams and dictionary attacks,” says Iskander Sanchez-Rola, director of privacy innovation at Gen, the cybersecurity network behind brands such as Norton and LifeLock.

Many of those tactics rely on lists of passwords, though hackers also employ other methods to steal your sensitive information. Let’s break that down.

• Credential stuffing: the automated injection of stolen username and password pairs (“credentials”) into website login forms to fraudulently gain access
• Password spraying: a type of the abovementioned “brute force” attack in which a hacker uses a single password to try and break into multiple target accounts
• Keylogging (or keystroke logging): the ability to track and record keystrokes made on a computer without the permission or knowledge of the user
• Phishing scam: a type of fraud that uses a seemingly legitimate email to trick victims into voluntarily giving personal details, including passwords, to a cybercriminal
• Dictionary attack: a type of cyberattack in which a hacker uses multiple commonly used passwords

“A robust and secure password, on the other hand, protects your computer from viruses, malware and ransomware attacks, in addition to helping you avoid identity theft and protecting against an account takeover,” says Sanchez-Rola.

Top password trends

Along with numerical sequences (like “123456”), the word password and simple keyboard combinations (such as “qwerty”), other password trends have emerged. Brencius says NordPass has noticed more internet users sticking to preconfigured passwords, like the word admin, which most likely is one of the passwords people don’t bother changing.

“However, we also see that people’s password habits are very much influenced by their cultural preferences and surrounding environment,” says Brencius. “In the U.K. and Italy, for example, people often draw inspiration from their favorite soccer teams’ names.”

That’s right: Hackers often go beyond password lists to access your accounts. Personal details that are widely available online—in social media posts, for instance—can give scammers plenty of ideas when guessing your passwords.

Sanchez-Rola reminds users not to use “personal information, such as names of family members or pets, or numbers that have significance to you, like an address, phone number, birthday or what have you, [as] these can be publicly available on forms you fill out or on social media profiles and are easily accessible to hackers.”

How to know if a hacker has your password

If hackers get your password, they won’t tell you about it. So how do you know if yours has been compromised? For starters, certain products you use may give you a heads-up.

If you use antimalware software (like Norton or McAfee) or a password manager—more on that below—it will alert you to any passwords it has cross-referenced with those leaked onto the dark web and will advise you to change them immediately. Your web browser or operating system (like iOS) may do the same. Heed that advice.

There are also trusted websites like HaveIBeenPwned.com, an online repository of email addresses and passwords that have been collected from publicly disclosed data breaches. If you enter your email address, the site will tell you if that email address has appeared in data breaches and, if so, from which sites.

But don’t ever share your password on any site that asks for it.

How to keep your passwords safe

I once heard a funny but clever method for thinking about passwords: Passwords are like underwear. Change them often, don’t show them to anyone and don’t leave them lying around.

Aside from following that bit of wisdom, there are a few actions you can take if you want to keep your password out of hackers’ hands:

Use unique, strong passwords

Bulletproof passwords consist of a random combination of uppercase and lowercase letters, numbers and symbols. “The longer the password is, the better,” says Brencius. “Experts at NordPass advise no fewer than 20 characters, plus people should also avoid dictionary words, popular slang or other words that could potentially be used by many.”

Use a password manager

The biggest objection to creating dozens of complex passwords is that it’s nearly impossible to remember them. Luckily, you don’t have to.

Reputable password managers not only hold your passwords and conveniently log you in to your online accounts—after you type in a single master password to access your digital vault, of course—but they can be leveraged to create complicated passwords for you too. Most password manager websites and apps also synchronize between devices for added convenience. Usually free for basic functionality, some password managers have a premium version with extra features.

Use multifactor authentication

Add a second layer of security to your accounts by enabling multifactor authentication. With it, you’ll be prompted to enter a one-time code that’s sent to your device (via an app, text message or email) to prove it’s you.

Even better, opt to use biometrics ID if prompted. This type of authentication uses part of your body, like a fingerprint or facial scan, to log you in to your accounts.

Give passkeys a try

An increasingly popular alternative to a password is a passkey. Major tech companies, including Microsoft, Amazon, Apple and Google, have already adopted the technology.

To access a website or app, a passkey relies on a string of encrypted data stored in your phone or laptop and verification from you via a face or fingerprint scan or a PIN code.

“Passkeys also ensure a user-friendly and secure alternative to traditional passwords,” explains Orenstein. “Passkeys are device-based authentication methods that do not require the user to remember any credentials, significantly reducing the risk of phishing and credential theft.”

Why trust us

Reader’s Digest has published hundreds of articles on personal technology, arming readers with the knowledge to protect themselves against cybersecurity threats and internet scams as well as revealing the best tips, tricks and shortcuts for computers, cellphones, apps, texting, social media and more. For this piece, Marc Saltzman tapped his 30-year experience as a technology journalist, author of several books (including Apple Vision Pro for Dummies) and host of the syndicated Tech It Out radio show and podcast. Then Chuck Brooks, the president of Brooks Consulting International and a consultant with more than 25 years of experience in cybersecurity, emerging technologies and other tech topics, gave it a rigorous review to ensure that all information is accurate and offers the best possible advice to readers. We rely on credentialed experts with personal experience and know-how as well as primary sources, including tech companies, professional organizations and academic institutions. We verify all facts and data and revisit them over time to ensure they remain accurate and up to date. Read more about our team, our contributors and our editorial policies.

Sources:

• Iskander Sanchez-Rola, director of privacy innovation at Gen
• Gary Orenstein, chief customer officer at Bitwarden
• Gediminas Brencius, head of product at NordPass
• Bitwarden: “World Password Day Survey 2024”
• NordPass: “Top 200 Most Common Passwords”

rd.com, via merchant (3)

The Best RFID-Blocking Wallets

Courtesy Maggie Kim, Getty Images

I Was Stalked with an Apple AirTag

Getty Images, rd.com

Red Flags of Cell Phone Tracking