The Worst Passwords of 2022 Revealed

By Richard Anderson

The list of the worst passwords of 2022 has been published, putting the spotlight on poor password practices. Despite the risks, these terrible passwords are still used by many people to “secure” their accounts. The worst passwords of 2022 do nothing of the sort. These passwords are at the top of the list in brute force attempts to access accounts and will provide almost instant access to any account that they have been used to secure.

The list of the worst passwords of 2022 includes 200 of the most commonly used passwords this year, and in each case, they allowed hackers to access accounts instantly or in just a few seconds. The study was conducted by security researchers using a 3TB password database, which included users from 30 countries.

The Worst Passwords of 2022

The table below shows the 25 worst passwords of 2022 based on the time it took to guess the passwords and the number of accounts they have been used to secure.

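| Rank | Password | Time to Crack | Count |
|------|----------|---------------|-------|
| 1 | password | < 1s | 4,929,113 |
| 2 | 1213456 | < 1s | 1,523,537 |
| 3 | 123456789 | < 1s | 413,056 |
| 4 | guest | 10s | 376,417 |
| 5 | qwerty | < 1s | 309,679 |
| 6 | 12345678 | < 1s | 284,946 |
| 7 | 111111 | < 1s | 229,047 |
| 8 | 12345 | < 1s | 188,062 |
| 9 | col123456 | 11s | 140,505 |
| 10 | 123123 | < 1s | 110,279 |
| 11 | 1234567 | < 1s | 106,929 |
| 12 | 1234 | < 1s | 105,189 |
| 13 | 1234567890 | < 1s | 102,636 |
| 14 | 000000 | < 1s | 102,636 |
| 15 | 555555 | < 1s | 98,353 |
| 16 | 666666 | < 1s | 91,274 |
| 17 | 123321 | < 1s | 83,241 |
| 18 | 654321 | < 1s | 81,231 |
| 19 | 7777777 | < 1s | 74,233 |
| 20 | 123 | < 1s | 60,795 |
| 21 | D1lakiss | 3hrs | 50,181 |
| 22 | 777777 | < 1s | 48,903 |
| 23 | 110110jp | 3s | 48,265 |
| 24 | 1111 | < 1s | 47,935 |
| 25 | 987654321 | < 1s | 46,891 |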

Unsurprisingly, “password” is top of the list – a password so poor that it is not even worth setting. NordPass detected 4,929,113 accounts that were secured with “password.” Sequential numbers were common, and alarmingly, people are still setting passwords of fewer than 8 characters. Even more alarming is the lack of restrictions on password length on many platforms.

There is a commonly held view that simply setting a password for an account is sufficient to prevent unauthorized access. While this may prevent your wife, husband, or child from being able to access your social media account, it will present no problem to a hacker. A study conducted by Hive Systems, using the latest GPUs, found that it was possible to crack any password of 6 characters or fewer instantly, regardless of the makeup of the password. A password of 8 characters that included numbers, upper- and lower-case letters, and symbols took just 31 seconds. Combine those characters in a random password of 12 characters and it would take 3,000 years to crack. NordPass recommends passwords of at least 12 characters.
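The patterns called out above (entries from the list, sequential digits, repeated digits, short length) and the 12-character recommendation can be enforced when an account is created. The following Python check is an added example, not code from NordPass, Hive Systems, or this article; the blocklist is a constructed sample drawn from the table above, and the function names and US keyboard layout are assumptions.

```python
# Added example: screening a candidate password at account creation.
# COMMON is a constructed sample taken from the table on this page;
# a real deployment would load a much larger breached-password list.
COMMON = {"password", "123456789", "guest", "qwerty", "12345678", "111111",
          "col123456", "123123", "1234567890", "000000", "654321", "987654321"}
MIN_LENGTH = 12  # minimum length recommended in the article
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")  # assumption: US layout


def is_sequence(pw: str) -> bool:
    """True if each character is exactly one step from the previous one,
    always in the same direction (12345, 654321, abcdef)."""
    if len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def is_repeated_unit(pw: str) -> bool:
    """True if the password is one shorter unit repeated (111111, 123123)."""
    n = len(pw)
    return any(n % size == 0 and pw == pw[:size] * (n // size)
               for size in range(1, n // 2 + 1))


def is_keyboard_walk(pw: str) -> bool:
    """True if the password is a run along one keyboard row, either direction."""
    low = pw.lower()
    return len(low) >= 4 and any(low in row or low in row[::-1]
                                 for row in KEYBOARD_ROWS)


def screen_password(pw: str) -> list:
    """Return the reasons to reject pw; an empty list means it passed."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if pw.lower() in COMMON:
        reasons.append("common")
    if is_sequence(pw):
        reasons.append("sequence")
    if is_repeated_unit(pw):
        reasons.append("repeated")
    if is_keyboard_walk(pw):
        reasons.append("keyboard_walk")
    return reasons
```

A 12-character string such as `123123123123` meets the length rule but is still rejected as a repeated unit, which is why length is checked alongside the pattern tests rather than instead of them.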

It is important to adopt the mindset that an attempt will be made to gain access to your accounts, and never to think that you or your business is too small to be attacked. A study conducted by Bitwarden to coincide with World Password Day found that 31% of respondents in the United States had suffered a data breach in the past 18 months, and while the majority of people (90%) know about password best practices, they are not always applied. One-third of respondents reused passwords on 1-5 sites.

The easiest solution to the password problem is to use a password manager. These tools will suggest strong passwords and will autofill them so they never need to be remembered. For the majority of people, they will significantly improve password security, and further, these tools can be used for free. Bitwarden, for example, has a great free tier, and the paid version is just $10 per year.

Richard Anderson is the Editor-in-Chief of NetSec.news