Update, Jan. 22, 2025: This story, originally published Jan. 20, now has a new analysis of passkey adoption as well as further detail on the hacked password list, including an analysis of the five passwords for which a successful compromise attack is considered most likely.

It’s hard to find anything good to say about passwords, truth be told. You either hate them or you hate them. While the push for a more secure alternative in passkeys is ongoing, most of us are stuck with password protection for most of our accounts right now. Which is a problem, given high-speed brute-force password attacks on Microsoft users, poor router password security issues, 2FA bypass attacks and sign-in-with-Google hacking tactics being exploited. All of this makes using a strong and secure password a must, something people on this recently published list are most certainly not doing. Here’s what you need to know and the passwords you need to change right now.

Change Your Password Now If It’s On This List

Security researchers from anyIP, a mobile proxy service, have analyzed the results of research undertaken by NordPass, which revealed the worst 200 passwords being used across 2024. Although I’m not keen on the old chestnut of “this password can be cracked in less than a second” hacking speeds when it comes to password security or strength, because those measurements are arbitrary at best and dangerously ingenuous at worst, there’s no denying that the resulting top ten of “most hackable passwords” is one any user who cares about their account security should be steering very clear of.

The anyIP researchers found that, sadly, all too believably, “password” was the most used of these intolerably weak and useless passwords. The rest of the list wasn’t any more comforting to a veteran cybersecurity professional who has been spreading the word about the importance of secure password usage for three decades. In the No. 2 spot was the keyboard-crawler of qwerty123 followed by qwerty1 and 123456. Being a U.K.-specific list, this included place names and sports teams specific to Britain, but any geographic region would see a similar weak password pattern emerge; just replace those cities and teams with your own.

“These findings highlight the alarming prevalence of predictable and easily hackable passwords,” Khaled Bentoumi, co-founder of anyIP, said. “Hackers are increasingly using sophisticated tools to breach accounts in seconds, and relying on weak passwords is akin to leaving your front door unlocked.” Bentoumi is not wrong; the idea that convenience still trumps security for many users reflects poorly upon the cybersecurity industry for not doing better and on commentators such as myself for not getting the poor security message across more successfully.

Analyzing The Password List—Most Likely To Be Hacked

The anyIP researchers’ analysis used a calculation based on data collected between 2019 and 2024 to determine how many times each password had been used in an attack. They also took an in-depth look at some of the most at-risk passwords globally that this methodology uncovered.

  • 123456 – This easy to remember, and easier to type, numeric sequence was used a staggering 112 million times. “This password is especially prevalent due to its ease of recall,” the researchers said, “but it can be breached instantly by automated hacking tools, posing a severe security threat.” To be honest, I think we should all have reached that conclusion a long time ago, but the numbers don’t lie. Literally. 123456789 was used more than 50 million times, and 12345 was found 36.5 million times. “Nearly 50% of the most frequently used passwords around the globe this year consist of simple keyboard patterns of letters and numbers,” the researchers warned.
  • password – The analysis revealed that password is both common and persistent in usage. “In the United States,” the researchers said, “it holds the position of the third most popular password, while for those in the UK and Australia, it takes the top spot.” Apparently, every year, it consistently appears at the top of the lists across various countries despite being so patently weak and easy to hack. Ditto when it comes to qwerty, which is the most common password in Canada, Lithuania, the Netherlands, Finland and Norway.

The Problem With Replacing Your Password With A Passkey

The U.K.’s National Cyber Security Centre has published a report that, while confirming that it sees passkeys as the “future of authentication” thanks to the enhanced security they bring to the convenient login party, concedes that there are challenges facing the widespread adoption of the technology. When it comes to security advice, there aren’t too many people that I’d place higher up my list of trusted sources than Ollie Whitehouse, the NCSC chief technology officer, who co-authored the new report alongside NCSC’s technical director for platforms research, David C, and senior security researcher James L.

Passkeys are, the NCSC said, generated securely and can’t be guessed or phished, and they are unique to each website or service you use, so the danger of cross-service compromise is negated. “Passkeys manage what was previously thought impossible,” Whitehouse said, “as well as being far more secure, they’re also quicker, easier and more convenient for users.” On that point, Microsoft has said an average passkey sign-in takes only eight seconds compared to 69 seconds for a password and 2FA combination. Google has put forward similar statistics and has also said that authentication success rates are far higher with passkeys (63.8%) than with passwords (13.8%).

But it’s not all plain sailing on the passkey seas. There are, the NCSC said, a number of challenges to passkey adoption that need to be contended with. These include inconsistent support and experience across multiple types of passkeys, from device-bound and physical token passkeys to ‘synced’ passkeys. This multitude of options makes it harder for users to get to grips with the technology. It also complicates things for the websites and services that want to offer passkey support but also need to know how the passkey is being handled by the user’s device so as to keep their own accounts safe. “This can also lead to confusing or frustrating experiences for passkey users who just want the authentication to work,” the NCSC said, “without having to worry about the nuances of underlying technology.”

Then there’s the device loss anxiety issue. Average users are rightly concerned that if they lost the device used to authenticate, they might lose the capability to authenticate successfully and so lose access to the accounts in question. “To trust passkeys as a replacement for the password,” the NCSC report said, “users need to be prepared and know what to do in the event of losing one – or all – of their devices.” The truth of the matter is that most, if not all, services will have backup authentication measures that are accepted when configuring the passkey implementation: things such as a fallback password and/or two-factor authentication codes, even recovery codes that are securely stored off device.

What Users Need To Do Now To Mitigate Password Hacking Risk

As already mentioned, moving to a passkey-based login process is recommended wherever it is available. You can try a simple passkey demo at Passkeys.io and see just how painless they are to use and create. The takeaway from the technology perspective is that passkeys are all but impossible for hackers to guess or intercept, although nothing is 100% secure. They aren’t shared during the sign-in process, and the keys are randomly generated to begin with.

There’s a clue here to making your passwords more secure: randomly generate them using a password manager to ensure strength, complexity and uniqueness. Never reuse your passwords either, although if it’s something like password or qwerty123 that would be the least of your problems.
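As an added illustration of the two points above, not part of the original article, here is a small Python screening routine that rejects the weak passwords named in the anyIP analysis (and the keyboard-walk patterns the researchers flagged) and generates a replacement with the `secrets` module, the way a password manager would. The deny-list, the 12-character minimum and the keyboard rows are my own assumptions for the demo; a real deployment would load a full breached-password list.

```python
import secrets
import string

# Constructed deny-list built from the passwords named in the article.
KNOWN_WEAK = {"password", "qwerty123", "qwerty1", "123456",
              "123456789", "12345", "qwerty"}

# Keyboard rows used to detect "keyboard crawler" patterns such as qwer or 1234.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def has_keyboard_run(candidate: str, min_len: int = 4) -> bool:
    """True if the candidate contains min_len+ adjacent keys walked along a row (either direction)."""
    lowered = candidate.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in lowered:
                    return True
    return False


def check_password(candidate: str) -> list[str]:
    """Return the reasons a candidate is unacceptable; an empty list means it passes."""
    reasons = []
    lowered = candidate.lower()
    # Strip trailing digits/punctuation so "Password1" or "qwerty!" still match the list.
    stripped = lowered.rstrip(string.digits + string.punctuation)
    if lowered in KNOWN_WEAK:
        reasons.append("on known-weak list")
    elif stripped in KNOWN_WEAK:
        reasons.append("known-weak password with trivial suffix")
    if has_keyboard_run(candidate):
        reasons.append("contains keyboard pattern")
    if len(candidate) < 12:  # assumed minimum length for the demo
        reasons.append("shorter than 12 characters")
    return reasons


def generate_password(length: int = 20) -> str:
    """Generate a random password with a CSPRNG and re-draw until it passes the same screen."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate
```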
