These passwords take 1 second to crack

Here’s a wild stat: 78% of the world’s most common passwords can be cracked in less than a second. The most-used password in the world, “123456,” has been leaked more than 3 million times. And get this: 1.2 million of those were corporate passwords.

This is based on fresh research from my password manager pick. For six years, NordPass has studied how we handle passwords. Let’s dive into the numbers. Spoiler: It’s not pretty.

The most common leaked passwords

NordPass analyzed more than 9 million stolen passwords. The most common:

  1. 123456 (found 3,018,050 times)
  2. 123456789 (found 1,625,135 times)
  3. 12345678 (found 884,740 times)
  4. password (found 692,151 times)
  5. qwerty123 (found 642,638 times)
  6. qwerty1 (found 583,630 times)
  7. 111111 (found 459,730 times)
  8. 12345 (found 395,573 times)
  9. secret (found 363,491 times)
  10. 123123 (found 351,576 times)

All of these take less than 1 second to crack. One trick is a brute-force attack, where hackers try every password combo until they hit the jackpot. 

They also use leaked password databases from previous breaches.

Because many people reuse their passwords, your leaked Netflix login could allow them to access your cable company account, too.

Making a big mistake worse

Of course, all these were stolen or hacked, so you’d expect them to be weak. But the list also includes some you might be using even if you’re more tech-savvy.

Think sequential numbers or letters on a keyboard (e.g., “567890” or “asdfgh”), repeated characters (e.g., “99999”), or easy-to-guess words like “princess” or “baseball.” You’re not the only one using pet names, hobbies or your favorite teams for inspiration.
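As an added example (not from NordPass or the original article), here is a small Python check a signup form could run to reject the weak patterns described above: passwords on the top-10 list, keyboard or number sequences, and repeated characters. The thresholds and function names are assumptions made for the illustration; catching words like "princess" would also need a dictionary or a breached-password list.

```python
# Illustrative password screening (added example, not the article's code).
# COMMON holds the top-10 list quoted on this page; a real deployment would
# load a much larger breached-password list.
COMMON = {"123456", "123456789", "12345678", "password", "qwerty123",
          "qwerty1", "111111", "12345", "secret", "123123"}
# Digit runs, keyboard rows and the alphabet, used to spot "walks".
SEQUENCES = ["0123456789", "1234567890", "qwertyuiop", "asdfghjkl",
             "zxcvbnm", "abcdefghijklmnopqrstuvwxyz"]
MIN_LENGTH = 16   # minimum length recommended further down this page
WALK_MIN = 4      # assumed threshold: 4+ characters in sequence is a pattern
REPEAT_MIN = 3    # assumed threshold: 3+ identical characters in a row


def longest_walk(pw: str) -> int:
    """Longest run in pw that follows a sequence forwards or backwards."""
    pw = pw.lower()
    best = 0
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(pw)):
                # Only try runs longer than the best found so far.
                for j in range(i + best + 1, len(pw) + 1):
                    if pw[i:j] not in s:
                        break
                    best = j - i
    return best


def longest_repeat(pw: str) -> int:
    """Longest run of one repeated character."""
    best = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def weaknesses(pw: str) -> list:
    """Reasons to reject pw; an empty list means it passed every check."""
    found = []
    if pw.lower() in COMMON:
        found.append("common")
    if len(pw) < MIN_LENGTH:
        found.append("short")
    if longest_walk(pw) >= WALK_MIN:
        found.append("sequence")
    if longest_repeat(pw) >= REPEAT_MIN:
        found.append("repeat")
    return found
```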

Here’s the scariest part: 40% of the most common passwords in the personal and work lists are identical. That means if hackers get into one of your personal accounts, they can waltz right into your work systems, too.

My top password manager pick has an A+ security feature built in

But there’s a smarter way to protect your online accounts — using a trusted password manager like NordPass.

Remembering complex, unique passwords for every single account is practically impossible. If you’re like most people, you probably end up reusing passwords or writing them down somewhere, which isn’t your best bet if you value security. 

One sign your email was hacked? There are messages in your sent folder you definitely didn’t send. Now, check if an unknown device is logged into your account. In Gmail, for instance, click on your account picture, then go to Manage your Google Account > Security > Your Devices > Manage all devices. Look for any devices you don’t recognize and click on them. Sign out when you’re done, and remember to change your password to stay safe.

2024's worst passwords

The world’s easiest-to-hack passwords are out — find out if yours made the list and how to protect your accounts in seconds.

An allowance for grown-ups: Social Security is upgrading its login system and ditching mySocialSecurity usernames and passwords. Using the mySocialSecurity site? You’ll need to create a new login ID for Login.gov. If you already have a Login.gov account or an ID.me login, you’re good to go. Yeah, it’s confusing, but what do you expect from the government?

600 million cyberattacks

Target Windows every single day. Microsoft’s latest report with all the gory details says more than 99% of attacks go after your passwords. Antivirus software is a must, folks.

So much data left exposed for anyone to see

Another day, another monumental data breach. Just because they’re getting more common doesn’t mean you can tune it out. In fact, it’s time to get even more serious about your private information and what’s posted online.

Netflix, just chill: When Netflix banned shared passwords about 18 months ago, they’d send occasional emails to request verification. Now, these emails are more frequent, and people are getting logged out. Duh, Netflix wants that $7.99 extra member fee. Netflix’s profits soared after the password-sharing crackdown, jumping to $2.3 billion in the first quarter of 2024; that’s up 79% from the same quarter in 2023.

🔒 Password-protect a document: In Microsoft Office or Google Docs, click the Help button in the menu bar. Click Help again, then type in Encrypt with password, and your program of choice will walk you through the steps. So easy.

WTH? The Colorado Department of State posted a spreadsheet with partial passwords to its voting machines on its website. No biggie, they say, since each machine has two unique passwords, needs physical access and is stored in an ID-only area. Someone needs to get fired — now.

🔐 Hackers now know the secret recipe: When an Apple device generates a strong password for you, it’s not entirely random. These passwords are specifically designed to be easier to type and briefly memorable. Take “hupvEw-fodne1-qabjyg.” It’s mostly lowercase characters and follows the pattern of consonant, vowel, consonant. Throw in hyphens, a single digit and voila.

No more passwords, please: Passkeys are becoming the new standard for Windows 11 security. Instead of typing in a password, you’ll confirm it’s you using another trusted device, like your phone, that has access to your biometric data. Fast, easy and less hackable. I’m in.

Enter your “Pa$$word!”: I’ve done this for years — abbreviate a sentence into a password. So, “I ate three peanut butter sandwiches today!” could become “I83pbsammies2day!” Whatever you do, just promise me you won’t use “123456” or “password1.”

Poor Swiftie: A Taylor Swift fan had her $3,500 concert tickets swiped right from her Ticketmaster account. Someone hacked in and transferred them out. It’s happening more often, and support says it could take days to resolve — with no guarantees. Ticketmaster’s brilliant advice? Create stronger passwords.

Disney+ tries the Netflix stunt

Just months after Netflix cracked down on passwords, Disney is hoping to rake in the cash with the same tactic.

🚨 Seven years of slacking: Meta’s been slapped with a $101 million fine for storing up to 600 million Facebook and Instagram passwords in plain-text format. That’s a major security no-no. Even worse? The breach was discovered in 2019, but some passwords had been unprotected since 2012 and were searchable by over 20,000 Meta employees. The fine isn’t big enough.

Best password length: A minimum of 16 characters. The longer your password, the harder it is to crack. Use a mix of uppercase and lowercase letters, numbers and symbols for added security. I like passphrases, where you squish a few random words together, like iL0veKimKom@ndo. 🥰

🚨 “Hello pervert”: Scammers are sending emails claiming they’ve recorded you through your webcam and will release the footage unless you pay up. They’re using details like your home address or an old password to make it more believable. Don’t reply, and if any accounts still use that old password, change it immediately.

🔐 Change your password: Over 2 million VPN passwords were stolen using malware last year. ExpressVPN, Proton VPN and NordVPN were the biggest targets. The companies weren’t breached; hackers went after users through phishing attacks, keyloggers and credential stuffing. Change your password ASAP if you have a VPN. And remember, “beefstew” as a password isn’t stroganoff.

Redacted: If you ever send a password to a colleague, family member or friend in a chat or text, delete the message after they’ve copied it. There are more secure ways to share a password, but let’s be honest: Everyone shares them this way (even me!).