
The Evolution of the Worst Passwords Over the Last 10 Years by Shipra Sanganeria

Shipra Sanganeria

Published on: March 13, 2025

Key Takeaways

  • “123456” was the most frequently used password worldwide in 2024.
  • The most common password in the United States in 2024 was “secret.”
  • Approximately 40% of the most common corporate passwords mirrored those used by individuals, with “123456” again topping the list.
  • Gen Z is the generation most prone to password mishaps, with 51% using memorization to keep track of their passwords.
  • The average number of characters in a password ranges from 9 to 11.
  • Hackers can crack an average 8-character password composed only of numbers in less than 37 seconds.
  • In 2024, the majority of people used a password combination of lowercase letters and numbers.
  • Up to 81% of hacking-related breaches are due to stolen and/or weak passwords.
  • After increasing password restrictions, 75% of participants in a study started using risky memorization strategies, like reusing passwords for multiple sites.

Introduction

Despite passwords being an essential part of our digital lives, many people still use weak or simple combinations of letters and numbers that can be cracked in just a few seconds.

We at Safety Detectives understand that passwords are a fundamental part of our digital lives, so we conducted research on the most commonly used passwords, their typical length and complexity, and the behaviors that influence how people create them.

Our goal is to shed light on the current state of password habits, to highlight how these practices have evolved over time, and to discuss the implications of low-quality passwords and best practices for creating good passwords.

Historical Overview of Password Trends

The world’s first digital password was created in the 1960s when Fernando Corbató at MIT developed the Compatible Time-Sharing System, which allowed multiple users secure access to a shared mainframe. Not long after, in 1962, the first password hack happened when Allan Scherr, a graduate student, printed all the passwords stored on the system.

Initially, passwords were stored in plain text but, as technology advanced, the need for stronger security measures grew. In 1974, the introduction of one-way hashing marked the first time passwords were stored in a protected form rather than in plain text. During this period password salting – adding a unique string of characters to each password before it is hashed – also emerged.

Despite these developments, during the 1980s, many users still relied on simple, easy-to-remember passwords, with common examples including “password1234,” “password,” and “abc123.” In 1985, the Department of Defense Password Management Guideline was published. Among other things, it recommended that passwords should be at least 7 characters long.

In 1995, AT&T developed and patented two-factor authentication, allowing users to authenticate their identity from an additional system, a practice that remains widespread to this day.

As cyber threats increased, the 2010s saw a shift toward more complex password requirements and an increasing popularity of multi-factor authentication (MFA). Users were encouraged to create longer passwords, typically ranging from 12 to 18 characters.

In recent years, passwordless authentication methods have grown in use. Technologies such as biometrics (fingerprint and facial recognition) and passkeys are often used as alternatives to traditional passwords.

Nevertheless, we expect the number of passwords to continue to increase. In its Cybersecurity Trends report, NordPass projected that there will be an average of 190 passwords per user by 2025, which NordPass attributed to the rise in AI-driven tools requiring authentication.

Common Password Structures and Behaviors

NordPass’ sixth annual report on the most common passwords for 2024 reveals a concerning lack of improvement in password security habits among users globally.

The research, conducted in collaboration with NordStellar, analyzed a 2.5TB database containing passwords compromised through data breaches and malware attacks across 44 countries.

According to the report, “123456” was the most frequently used password worldwide in 2024, used 3,018,050 times in the dataset. Of the 200 most common passwords identified, an astonishing 161, or 80.5%, can be cracked in just 1 second. The most “difficult” password to crack from the list is g_czechout, taking approximately 12 days.

Below, you can see the top 20 most common passwords worldwide, including the number of times each password was used.

Password        Number of Times Used
--------------  --------------------
123456                     3,018,050
123456789                  1,625,135
12345678                     884,740
password                     692,151
qwerty123                    642,638
qwerty1                      583,630
111111                       459,730
12345                        395,573
secret                       363,491
123123                       351,576
1234567890                   324,349
1234567                      307,719
000000                       250,043
qwerty                       244,879
abc123                       217,230
password1                    211,932
iloveyou                     197,880
11111111                     195,237
dragon                       144,670
monkey                       139,150

NordPass also found that the most common password in the United States in 2024 was “secret,” used a total of 328,831 times. Interestingly, the US is the only country where “secret” ranks as the top pick.

As for the other countries, “123456” dominates in the vast majority, only topped by “qwerty123” in Canada, Finland, Lithuania, the Netherlands, and Norway. Still, as far as insecure passwords go, nothing beats Australia’s and the UK’s most common one – “password.”

However, taking a closer look at the top lists reveals some interesting findings. Once you get past all the “qwertys” and obvious alphabetic and numeric sequences, many countries have unique common passwords not found elsewhere.

For instance, Australia has “lizottes,” possibly named after a popular restaurant that was rebranded in 2023 as Flamingos Live, while Sweden has “salasana” and Hungary has “jelszo,” both of which translate to “password.”

In the map below, you can see some of the most common passwords in different countries around the world.

Infographic showing the most common passwords around the world

For the first time, NordPass also analyzed corporate passwords and found that many employees use the same weak passwords for work accounts as they do for personal accounts. Approximately 40% of the most common corporate passwords mirrored those used by individuals, with “123456” again topping the list.

These statistics raise the question, “Why do so many people persistently use weak, easy-to-guess passwords, even as cybersecurity becomes increasingly important?”

LastPass’ 2022 Psychology of Passwords report, conducted by Lab42, surveyed 3,750 professionals across seven countries to analyze password behaviors and attitudes, shedding some light on the issue.

According to the report, Gen Z is the most prone to password mishaps. They exhibit high confidence in their password management and are more likely to recognize that reusing the same password on different accounts is risky. Despite this, 51% of Gen Z use memorization to keep track of their passwords.

In contrast, Baby Boomers are the least confident in their password management, yet are the most likely to create unique passwords and the least likely to use the same password or a variation.

Infographic showing key findings on common password behaviors

Respondents also reported using more complex passwords for certain types of accounts. Specifically, 68% indicated they create stronger passwords for financial accounts, while 49% do so for email accounts and 32% for work-related accounts. This demonstrates a tendency to prioritize security for accounts perceived as more sensitive.

The report also reveals a prevalent false sense of security among users. Despite nearly 65% of respondents having some form of cybersecurity education, only 31% stopped reusing passwords after the education, and just 25% began using a password manager. This indicates that high confidence does not translate into safer online behavior, as many individuals continue to engage in risky practices despite being aware of the threats.

Research on the Length and Complexity of Passwords Over Time

In the context of this history and third-party research, Safety Detectives has also compiled its own data and done its own research. We discuss our methodology and findings below.

Methodology

To analyze the evolution of password length and complexity over the last few years, we gathered data from the “Compilation of Many Breaches” (COMB), a massive collection of stolen and leaked credentials containing over 3.2 billion combinations of user logins and passwords.

We combined this data with our own previous research, initially conducted in 2016, containing data from 1 billion leaked credentials from the internet.

Finally, we used automated Google searches to locate publicly available paste files on websites indexed by Google and categorized files containing credentials by year.

For privacy protection and confidentiality, we destroyed all identifiable information, like usernames and emails. We also performed aggregation on the password data to derive patterns or insights, ensuring no sensitive or identifiable data remained in the dataset.

Due to the large amount of information in the CSV files, handling them in Excel proved impossible, so we used Python and Pandas. This required coding programs to access and analyze the information.

The first program we wrote allowed us to get the header for each file, while the second program allowed us to count the number of rows in each file, so we knew how many credentials we were working with. We came up with the following results:

[Image: table of the header and row count for each credential file analyzed (worst-passwords-research)]

With the third program we developed, we were able to check the length of each password. The program reads the password from the second column of each file, counts the number of characters in it, and writes this value to a new column.

Next, we used different Python scripts to check the possible combinations of numbers and letters for each password. More specifically, we calculated the number of passwords that contain:

  • Numbers only
  • Lowercase letters only
  • Uppercase letters only
  • Lowercase and uppercase letters
  • Numbers and lowercase letters
  • Numbers and uppercase letters
  • Symbols only
  • Symbols and numbers
  • Symbols and lowercase letters
  • Symbols and uppercase letters
  • Numbers, lowercase letters, and uppercase letters
  • Numbers, symbols, and lowercase letters
  • Numbers, symbols, and uppercase letters
  • Lowercase letters, uppercase letters, and symbols
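The following script is an added illustration of the three steps described above and is not the authors' own code (the page does not publish their scripts). It uses only the Python standard library rather than Pandas, reads a constructed credential file in the "login,password" layout, returns the header and row count, computes password lengths, and classifies each password into the 14 character-class combinations listed. The login column is discarded as soon as a row is read, so only aggregate statistics are kept. Anything that matches none of the 14 combinations (non-ASCII characters such as Cyrillic, an empty password, or a password that uses all four classes at once, which the list as written does not include) is counted as "other". All sample credentials below are made up.

```python
import csv
import io
import string
from collections import Counter

# Constructed sample file (made-up values, not real leaked credentials).
SAMPLE_CSV = """login,password
user1@example.com,123456
user2@example.com,password
user3@example.com,Password1
user4@example.com,QWERTY
user5@example.com,abcDEF
user6@example.com,!!!
user7@example.com,p@ssw0rd
user8@example.com,пароль
user9@example.com,a
user10@example.com,C0rrect-H0rse!
"""

# The 14 combinations from the article, keyed by the set of classes present.
CATEGORIES = {
    frozenset({"digit"}): "Numbers only",
    frozenset({"lower"}): "Lowercase letters only",
    frozenset({"upper"}): "Uppercase letters only",
    frozenset({"lower", "upper"}): "Lowercase and uppercase letters",
    frozenset({"digit", "lower"}): "Numbers and lowercase letters",
    frozenset({"digit", "upper"}): "Numbers and uppercase letters",
    frozenset({"symbol"}): "Symbols only",
    frozenset({"symbol", "digit"}): "Symbols and numbers",
    frozenset({"symbol", "lower"}): "Symbols and lowercase letters",
    frozenset({"symbol", "upper"}): "Symbols and uppercase letters",
    frozenset({"digit", "lower", "upper"}): "Numbers, lowercase letters, and uppercase letters",
    frozenset({"digit", "symbol", "lower"}): "Numbers, symbols, and lowercase letters",
    frozenset({"digit", "symbol", "upper"}): "Numbers, symbols, and uppercase letters",
    frozenset({"lower", "upper", "symbol"}): "Lowercase letters, uppercase letters, and symbols",
}
OTHER = "Other (no category matched)"
SYMBOLS = set(string.punctuation)


def char_classes(password):
    """Return the set of ASCII character classes present in the password.
    Any character outside ASCII digits, letters and punctuation (Cyrillic,
    whitespace, control characters) is tagged 'unknown', which can never
    match one of the 14 categories and so lands in the 'other' bucket."""
    classes = set()
    for ch in password:
        if ch in string.digits:
            classes.add("digit")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in SYMBOLS:
            classes.add("symbol")
        else:
            classes.add("unknown")
    return classes


def categorize(password):
    """Map a password to one of the 14 named categories or to OTHER."""
    return CATEGORIES.get(frozenset(char_classes(password)), OTHER)


def header(csv_text):
    """Step 1: the header row of the file."""
    return next(csv.reader(io.StringIO(csv_text)))


def analyze(csv_text):
    """Steps 2 and 3: row count, length statistics and category counts.
    The login field is never stored; only per-password aggregates survive."""
    rows = 0
    total_len = 0
    min_len = None
    max_len = 0
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        pw = row["password"]
        rows += 1
        n = len(pw)
        total_len += n
        min_len = n if min_len is None else min(min_len, n)
        max_len = max(max_len, n)
        counts[categorize(pw)] += 1
    return {
        "rows": rows,
        "min_length": min_len,
        "max_length": max_len,
        "avg_length": total_len / rows if rows else 0.0,
        "categories": counts,
    }


if __name__ == "__main__":
    print(header(SAMPLE_CSV))
    result = analyze(SAMPLE_CSV)
    for key in ("rows", "min_length", "max_length", "avg_length"):
        print(f"{key}: {result[key]}")
    for category, count in result["categories"].most_common():
        print(f"{count:>3}  {category}")
```

Because the script streams the file row by row, it handles files far too large for a spreadsheet without loading them into memory; replace SAMPLE_CSV with a file handle for real use. On the sample data the one-character password "a" reproduces the minimum-length finding, and "пароль" and "C0rrect-H0rse!" show the two ways a password can end up uncategorized.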

Results

Looking at the length of the passwords included in our study, we found that the average number of characters in a password ranges from 9 to 11.

Notably, we also learned that the minimum number of characters a password had was 1, indicating that some individuals use a password with just one character. What makes this even more concerning is that there are some services or apps that don’t have a predefined minimum character requirement for their users.

Hive Systems’ latest research on password security found that an average eight-character password composed only of numbers can be cracked in under 37 seconds by brute force, that is, by trying every possible combination. By comparison, if the number of characters in a password is doubled, it would take a hacker over a century to crack it.

Hive Systems suggests using passwords of at least 13 characters that incorporate a mix of numbers, uppercase and lowercase letters, and symbols. Such complex passwords significantly extend the cracking time, potentially reaching decades or even centuries for very strong passwords.
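As an added example (not Hive Systems’ model or the article’s own calculation), the script below shows why length and character set matter in the way the two paragraphs above describe, and why neither helps a password that appears on a common-password list. It first checks a candidate against the NordPass top-20 list quoted earlier in this article (a denylist hit is found within the first few guesses regardless of length), and otherwise computes the exhaustive-search keyspace, charset size to the power of the length, divided by an assumed guess rate. The guess rate of 10^9 per second is an illustrative placeholder, not a figure from Hive Systems, whose published times depend on their own hardware assumptions. The bound is an upper bound only: dictionary and pattern attacks find predictable passwords far faster than exhaustive search.

```python
import string

# Top entries of the NordPass 2024 list quoted in the article.
COMMON_PASSWORDS = {
    "123456", "123456789", "12345678", "password", "qwerty123", "qwerty1",
    "111111", "12345", "secret", "123123", "1234567890", "1234567", "000000",
    "qwerty", "abc123", "password1", "iloveyou", "11111111", "dragon", "monkey",
}

# Assumed attacker throughput (placeholder for illustration, not a measured
# or published figure).
ASSUMED_GUESSES_PER_SECOND = 1e9

# Standard printable-ASCII character classes and their sizes.
CLASS_SIZES = (
    (set(string.digits), 10),
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.punctuation), 33),
)


def charset_size(password):
    """Size of the smallest union of standard classes that covers every
    character of the password; an exhaustive attacker need try nothing larger."""
    size = 0
    covered = set()
    for chars, n in CLASS_SIZES:
        if any(c in chars for c in password):
            size += n
            covered |= chars
    if any(c not in covered for c in password):
        raise ValueError("password uses characters outside printable ASCII classes")
    return size


def keyspace(password):
    """Number of candidates an exhaustive search must consider at worst."""
    return charset_size(password) ** len(password)


def worst_case_seconds(password, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Upper bound on time to recover the password. Denylisted passwords are
    treated as recovered immediately; the comparison is case-insensitive so
    'Password1' is not mistaken for a strong mixed-case password."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return keyspace(password) / guesses_per_second


def humanize(seconds):
    """Render a duration in the largest convenient unit."""
    if seconds < 1:
        return "under a second"
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"


def report(passwords):
    """(password, human-readable worst-case time) for each candidate."""
    return [(pw, humanize(worst_case_seconds(pw))) for pw in passwords]


if __name__ == "__main__":
    # Constructed candidates: a denylisted one, 8 digits, 16 digits, 13 mixed.
    for pw, t in report(["Password1", "12345670", "1234567012345670", "kR7#pq2Lm!9vZ"]):
        print(f"{pw:20} {t}")
```

Doubling an all-digit password from 8 to 16 characters multiplies the keyspace by 10^8, which is the effect behind the "seconds versus over a century" contrast above, while "Password1" is reported as instant despite containing three character classes.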

Our research on possible character combinations revealed that, in 2024, the most common password combination was lowercase letters and numbers, with 254,684 out of 780,794 passwords belonging to this category.

The analysis of our 2021 data, our most comprehensive dataset containing 719,045,627 passwords, showed similar results to our 2024 dataset. In 2021, an astonishing 334,342,397 users had a password combination of only numbers and lowercase letters.

This combination also proved the most popular in 2016 and 2023, while in 2022, the majority of users opted for a combination of numbers, lowercase letters, and uppercase letters.

On the other hand, passwords composed exclusively of symbols have the lowest prevalence out of all combinations. For instance, in 2024, only 20 out of 780,794 users opted to use only symbols.

Infographic showing the most common password combinations in 2016

Infographic showing the most common password combinations of 2021

Infographic showing the most common passwords combinations of 2022

Infographic showing the most common password combinations of 2023

Infographic showing the most common password combinations of 2024

Note: For each of the years analyzed, we found a number of passwords that don’t fit into any of the categories mentioned above. This can be explained by the use of characters from non-Latin alphabets such as Cyrillic, Japanese, or Arabic, or by the fact that there may be passwords with atypical formats that do not meet the predefined conditions.

Although this category represents a smaller percentage of passwords compared to the other categories, its presence is significant: 1,497,261 in 2016; 10,150,725 in 2021; 1,659,293 in 2022; 13,710 in 2023; and 122,183 in 2024.

Potential Consequences of Using Weak Passwords: Case Studies

Poor password management is the leading cause of security breaches. According to the Verizon Data Breach Investigations report, up to 81% of hacking-related breaches are due to stolen and/or weak passwords. Here are some examples of massive data breaches that happened due to weak passwords or reusing the same password on different accounts.

Dropbox (2012)

In 2012, Dropbox experienced a security breach that resulted in the theft of over 60 million user credentials. The breach was caused by an employee reusing a password that had been stolen during the 2012 LinkedIn breach. Email addresses and salted hashes of passwords for approximately 68 million users were leaked.

After the incident, Dropbox took measures to ensure that its employees don’t reuse passwords on their corporate accounts, licensing the password management service 1Password for all employees and requiring two-factor authentication for all internal systems.

GitHub (2013)

In 2013, some GitHub user accounts were compromised in a brute-force password-guessing attack that involved nearly 40,000 IP addresses. GitHub responded by resetting passwords for the compromised accounts. They also revoked personal access tokens, OAuth authorizations, and SSH keys for those accounts. Users were urged to enable two-factor authentication and be more responsible with their password choices.

Dunkin’ Donuts (2015)

In early 2015, Dunkin’ Donuts customer accounts were targeted in a brute-force attack. Hackers tried an array of password combinations and were able to access about 19,715 user accounts over a five-day period, resulting in tens of thousands of dollars stolen from customers’ stored value cards.

Moreover, the failure of Dunkin’ Donuts to promptly inform its customers about the attack resulted in a lawsuit that cost the company $650,000 in fines and damages.

Taobao (2016)

The massive brute-force attack that targeted Taobao, an Alibaba-owned e-commerce platform, led to the compromise of 21 million user accounts, a fifth of all Taobao accounts. The attack happened as a result of reused passwords on breached third-party sites. Following the incident, Alibaba reassured users that its system remained uncompromised and reminded users to stop reusing passwords.

Northern Irish Parliament (2018)

In 2018, the Northern Irish Parliament was targeted by a brute-force attack. The attack involved hackers attempting numerous password combinations to gain access to members’ email accounts, compromising the mailboxes of several members. Following the attack, the IT department disabled the compromised accounts, and staff were told to change their passwords and remain vigilant.

Implications for Cybersecurity: Weaknesses and Risks

Using weak passwords can have serious implications for cybersecurity, including:

  • Unauthorized Access: Weak passwords can be easily cracked, giving attackers access to accounts, sensitive information, and the ability to impersonate users or disrupt operations.
  • Data Breaches: A single weak password can give attackers access to an entire network, including confidential data, leading to reputational damage, financial loss, and legal consequences.
  • Account Takeover: Cybercriminals can use information from one compromised account to access other accounts, especially if the same password is reused. This can lead to widespread compromise of personal and professional data.
  • Identity Theft: Stolen credentials from weak passwords can be used to impersonate individuals, apply for credit, or engage in fraudulent activities.
  • Financial Losses: Weak passwords can result in stolen funds or intellectual property, costing companies millions. Individuals may suffer theft of banking or credit card information.
  • Website Takeover: Attackers can deface a website, steal customer data, or redirect traffic to malicious sites.
  • Reputation Damage: A security breach can tarnish a business’s reputation, leading to lost customer trust and potentially irreparable brand damage.
  • Legal Consequences: Data breaches often result in legal action from affected parties, and companies might face fines for failing to adequately protect user data.

Policy and Automation Influences on Behavior

Many organizations implement strict password policies that require users to create complex passwords that contain a combination of uppercase letters, lowercase letters, numbers, and special characters. While these policies aim to enhance security, research indicates that they can frustrate users and be counterproductive.

For example, a 2020 James Cook University study revealed that increasing password restrictions frustrates users. Adding a fourth restriction (requiring at least one special character) significantly increased the perception of difficulty, despite increasing password security.

This frustration led to 75% of participants using different strategies to remember their passwords. Some of these strategies, like using the same password for multiple sites, significantly compromised their security.

Similarly, the use of password management tools can significantly influence user behavior related to password security and management.

A 2024 qualitative study by CISPA researcher Sabrina Amft found that, for most password manager users, convenience takes precedence over security. For example, many users adopt password managers to save themselves the trouble of entering and managing passwords, with security being a secondary factor.

The study also found a difference in usage behavior between password managers that were purchased separately and those integrated into browsers. People are often not even aware they are using a password manager when they store their passwords in Google Chrome or Mozilla Firefox.

Conclusion

While password habits have evolved over time, many people still rely on simple and predictable choices that leave them vulnerable to cyber threats. Although we’ve seen some increased awareness around password complexity, the most common passwords continue to be easy to guess.

As we move forward, stronger, longer, and more unique passwords will be necessary to protect our digital lives. By learning from past trends and adopting better security practices, we can create a safer online environment for ourselves and those around us.
