Portal
Forum
Devolutions Force
Hub Business
Hub Personal
Devolutions Send
RDM
Workspace
Launcher
Think about what you could do in less than a second. Blink. Cough. Turn the radio off because THAT especially annoying song comes on. Yeah, THAT one.
Well, if you were a hacker, you could add something else to your list of achievements in one second or less: you could crack any of the 10 worst passwords of 2023.
For the 5th consecutive year, password management software vendor NordPass teamed up with independent cybersecurity researchers to evaluate a 4.3TB database containing millions of passwords from individuals in 35 countries. The passwords were extracted from multiple publicly available sources, including the dark web.
What did they discover? Brace yourselves, folks. The most popular passwords of 2023 are not merely unsettling. They are so shockingly inept and awful, that they seem unreal.
Here is a snapshot of this year’s 10 most commonly-used passwords, along with the typical time it takes hackers to crack them:
| Rank | Password | Time to crack |
|---|---|---|
| 1 | 123456 | Less than 1 second |
| 2 | Admin (note: this is a common default password that many users don’t bother changing, much to the delight of hackers) | Less than 1 second |
| 3 | 12345678 | Less than 1 second |
| 4 | 123456789 | Less than 1 second |
| 5 | 1234 | Less than 1 second |
| 6 | 12345 | Less than 1 second |
| 7 | password | Less than 1 second |
| 8 | 123 | Less than 1 second |
| 9 | Aa123456 | Less than 1 second |
| 10 | 1234567890 | Less than 1 second |
The other 190 most popular passwords of 2023 continue this alarming trend. For example, “10203” slots in at #120, “password123” hits #142, and that traditional 8-character favorite “aaaaaaaa” appears at #196. All three of these credential abominations take less than a second to crack.
“But wait,” you might be thinking, “surely there must be at least a few passwords in the top 200 that take more than a second to crack, right?” You are indeed correct. Behold the 175th most popular password “Aa102030”, which takes a whopping 10 seconds to crack. And lest we neglect to mention the relatively more complex “user1234” (#188 on the list), which forces hackers to spend a whole 41 seconds to dismantle.
It’s Not ALL Bad (Just Mostly Bad)
If you’re an InfoSec professional furiously searching Google for another planet to live on — one that, at the very least, obliges hackers to spend more time drinking a cup of coffee than hacking most passwords — then don’t pack your bags just yet. There are a few entries in the top 200 that are worthy of the term password. For example:
- vodafone (list: #113; hack time: 3 hours)
- Kumar@123 (list: #127; hack time: 3 hours)
- theworldisinyourhand (list: #173; hack time: centuries)
(By the way, if you have a buddy named Kumar who isn’t very cybersecurity-savvy, now would be a good time to send him a note and let him know that if he’s part of the #127 club, then he’s potentially 3 hours away from a long, costly nightmare.)
Surely, Business Executives Aren’t Contributing to This… Right?
Wrong! A separate study found that high-ranking business executives and company owners tend to use weak and easy-to-crack passwords, which significantly increases the chances of a large-scale data breach. For example, among CEOs the 10 most common passwords were found to be:
- 123456
- Password
- 12345
- 123456789
- qwerty
- 1234
- qwerty123
- 1q2w3e
- 111111
- 12345678
Look familiar? Don’t just pin the blame on eager (and terrified) new interns. Many seasoned leaders are also getting passwords completely wrong.
What Can We Do?
Some problems in life are extremely tough. Disposing of an all-powerful ring in Mordor? Difficult. Blowing up a Death Star? Complicated. Keeping the Borg from assimilating you? 0/10 would not recommend.
However, some problems are easy — at least compared to taking on Sauron, the Dark Side, or the Borg. And turning passwords from a vulnerability into a strength is one of them. Fundamentally, here is what all businesses should be doing, including small and mid-sized businesses (SMBs) that are now under siege by hackers:
- Use 2FA/MFA
- Use passphrases instead of passwords, which are long and unique, yet easier for end users to remember.
- Use a good and reputable password manager. However, don’t assume that this is a full-fledged security solution (see next tip).
- Implement PAM and enforce just-in-time access for privileged accounts. Remember: standalone password managers are essentially business continuity tools — and NOT security solutions — because they lack functions such as: secure credential injection, account discovery, automated password rotation, alerts and notifications, and a checkout request approval process. Learn more about this here.
- Compare all potential passwords against a list of known weak and compromised passwords (per NIST; see SP-800-63B Section 5.1.1.2 paragraph 5).
- Immediately change passwords after evidence of a compromise (per NIST; see SP-800-63B Section 5.1.1.2 paragraph 9).
- Enforce a password history policy to prevent end users from re-using old passwords (the Center for Internet Security recommends setting this value to 24 or more; see section 1.1.1).
- Allow end users to copy/paste passwords — otherwise they are likely to use simple, short, easy-to-remember passwords (per NIST; see SP 800-63b paragraph section 5.1.1.2).
- Provide end users with cybersecurity training (see below).
The Value of Cybersecurity Training
To emphasize this last tip, we circle back to the attempted breach of Reddit earlier this year. Hackers sent out credible-looking prompts that directed employees to a website that cloned the behavior of the company’s intranet gateway. Unfortunately, one employee was caught by the trap. That’s the bad news.
The good news is that because that employee had received cybersecurity training, he immediately recognized the error and escalated it accordingly. His quick decision played a key role in containing the campaign and mitigating the damage. Without proper cybersecurity training, the situation would likely have become much worse.
The Final Word
Technically, there is no absolute, 100% guaranteed way to stop hackers from breaching passwords. However, there are practical and proven ways to make their job much, much harder. And the thing about hackers is that they are usually a pragmatic bunch. If a hack is going to take too long, require too much effort, or cost too much money, then they typically just move along to another target. They’re not after excitement. They’re interested in committing identity theft — and the faster and easier it is to do, the better.
Share Your Experiences & Advice
In your journey as an IT pro, when it comes to password management (or in some cases mismanagement), you have seen the good, the bad, and the ugly. Please share your experiences and advice with the community. What else should companies and end users do to reduce risks? And how have you seen things change — positively and negatively — over the years? Your opinion matters, and your wisdom and warnings could make an enormous difference.
And so, if you haven’t already done so in your company, put these password protection tips into practice ASAP. You want to ensure that everyone — including executives — permanently stop choosing staggeringly weak passwords (“12345” and “aaaaaaaa” people, we’re looking at you!).
