In 2022, "guest" overtakes "123456" as the most used password in the U.S., according to NordPass. Last year’s winner, "123456," also seems to be retaining favor, finishing in second place.
Globally, the most common password this year is “password.”
NordPass has just revealed the results of its annual most common passwords research. This year's study looked into password creation trends worldwide and how password usage differs by gender across 30 researched countries. For the first time, NordPass also analyzed how pop culture trends influence password choices.
Below are the 20 most common passwords in the U.S. The full study is available here.
1. guest
2. 123456
3. password
4. 12345
5. a1b2c3
6. 123456789
7. Password1
8. 1234
9. abc123
10. 12345678
11. qwerty
12. baseball
13. football
14. unknown
15. soccer
16. jordan23
17. iloveyou
18. monkey
19. shadow
20. g_czechout
Despite cybersecurity experts continuously warning about the consequences of irresponsible password management, internet users were found guilty again. Compared to the data from 2021, 73% of the 200 most common passwords in 2022 remain the same. Furthermore, 83% of the passwords in this year’s list can be cracked in less than a second.
This year, NordPass presented both a global list and separate data for 30 countries worldwide. Gender-specific information is also available on the website.
Common password creation trends
Overall, the password list of internet users in the U.S. shows trends that are similar to global trends.
1. The No. 1 password in the U.S. — “guest” — is also trending worldwide, along with other preconfigured passwords such as “welcome.” For instance, “guest” is the third most common password in the U.K. and fifth in Canada.
2. While "password" is the most loved password globally (used over 4.9 million times), it ranks third in the U.S. Variations such as "Password1" and "password123" are also trending among Americans.
3. Having analyzed categories, such as sports, food, movies, or fashion brands, researchers concluded that culture, lifestyle trends, and recent events have a huge effect on people’s password choices. For example, American professional sports team names (e.g., Detroit Red Wings, Boston Red Sox) or variations of them make extremely popular passwords.
4. Using your name to secure your accounts remains a common practice of internet users. In the U.S., Jordan, Michael, Hunter, Anthony, and Maggie are the top names used as passwords this year. Globally, this trend is also big: the world's most-used personal names for password creation were Daniel, Thomas, Jordan, Michael, Marina, and Jessica.
5. People tend to go for convenience. Easy keyboard combinations of numbers, letters, and symbols make most lists worldwide. The U.S. is no exception here — easily-hackable “a1b2c3,” “abc123,” “qwerty,” and other similar passwords are highly popular in the country.
When it comes to other worldwide trends, researchers noticed that password irritation is also reflected in internet users' picks this year. In the U.S., "f*ckyou" is the 24th most common password, with "f*ckyou1," and "f*ckyou2" also picked often (see note at the end of the article). On the other hand, loving words are extensively used as well — "iloveyou" and its translations into other languages are highly common passwords in most countries.
Pop culture influences our password habits
Unlike in previous years, in 2022, NordPass, in collaboration with independent researchers, analyzed how current events and lifestyle trends inspire passwords. The company presents which of the world's beloved movies, sports, food, cars, video games, artists, fashion brands, and even swear words are most reflected in passwords.
As an example, "mini," "kia," and "ford" are the most common passwords in the "car" category, and "tiffany," "aldo," and "gap" top the list of fashion brands.
Less publicly available data from cybersecurity incidents
According to Ieva Soblickaite, the chief product officer (CPO) of NordPass, this year, the sample of passwords publicly available for analysis was much smaller compared to previous years.
This trend is not surprising, because passwords are indeed getting harder to breach due to rapidly evolving technologies, Soblickaite said. She explained that more websites are now using Open Authentication 2.0 (OAuth 2.0), the industry standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user, without ever sharing their passwords.
Soblickaite added that developers have increasingly better skills in password hashing, meaning that password characters are transformed in a way that it takes longer to crack them.
"Multifactor authentication (MFA) plays a role here too — with broader adoption of this technology, passwords are simply losing their value," Soblickaite said. "Even if you hack a password, you cannot complete the identity authentication if the user has MFA enabled."
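On the service side, the password hashing mentioned above is usually paired with a check that rejects the passwords in the list on this page and their simple variations such as "Password1" and "password123". The following is an added example, not code from NordPass or the study; the function names, the minimum length and the scrypt cost parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re

# Top-20 U.S. passwords from the list on this page, lowercased.
COMMON = {
    "guest", "123456", "password", "12345", "a1b2c3", "123456789",
    "password1", "1234", "abc123", "12345678", "qwerty", "baseball",
    "football", "unknown", "soccer", "jordan23", "iloveyou", "monkey",
    "shadow", "g_czechout",
}
# Assumed values for this sketch; tune cost and policy per deployment.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)
MIN_LENGTH = 12


def is_common(password: str) -> bool:
    """True if the password, or its stem with trailing digits and symbols
    removed, is on the blocklist (catches 'Password1', 'password123')."""
    lowered = password.lower()
    stem = re.sub(r"[\d\W_]+$", "", lowered)
    return lowered in COMMON or stem in COMMON


def enroll(password: str) -> tuple[bytes, bytes]:
    """Reject weak choices, then return (salt, hash) for storage."""
    if is_common(password):
        raise ValueError("password is on the common-password list")
    if len(password) < MIN_LENGTH:
        raise ValueError("password is too short")
    # A fresh random salt per user makes equal passwords hash differently,
    # so one precomputed table cannot be reused across accounts.
    salt = os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, stored)
```

A production blocklist would be far larger than 20 entries; the stem check only shows how variations of a listed password are caught.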
Tips to secure passwords
Even though companies implement security measures to protect accounts, every user still needs to be careful with their passwords. Below are a few essential tips to improve password hygiene.
1. Be aware of all accounts that are in your possession. Experts recommend deleting unused accounts and knowing the exact number of those that are active. This way, you can prevent gaps in your password management.
2. Make long, unique passwords, and never reuse them. Complicated combinations of numbers, uppercase, lowercase letters, and symbols make the most robust passwords. Reusing them is never an option — if one account gets hacked, other accounts are at risk.
3. Use a password manager. This technological solution fully encrypts the passwords stored in the vault and allows secure sharing. Many cybersecurity incidents happen because of simple human mistakes — people leave their passwords openly accessible for others and store them in Excel or other unencrypted applications.
Methodology: The list of passwords was compiled in partnership with independent researchers specializing in research of cybersecurity incidents. They evaluated a 3-TB-sized database. Researchers classified the data into various verticals, which allowed them to perform a statistical analysis based on countries and gender. With regard to the gender vertical, the researched data was classified by gender only if it included a gender key. If the breached data didn't contain the data key, it was classified as "unknown."
Note: The * was added in place of the letter "u" in these cases.