Worst Passwords Hall of Shame - Why "123456" Is Forever Number One


Every year, security companies publish lists of the most commonly used passwords - and every year, "123456" sits comfortably at the top. This article dives into the hall of shame of the world's worst passwords, explores why humans keep making the same mistakes, reveals quirky country-specific password trends, and shows you how to build passwords that actually work.

If You Use "123456", Change It Right Now

The worst passwords all share three traits: short, predictable, and reused everywhere. "123456" is cracked in under a second, and "password" is the first entry in any dictionary attack. Meanwhile, a random 16+ character password would take hundreds of millions of years to crack with current computers. Simply using a password manager to set unique, long passwords for every account will dramatically improve your security.

Why "123456" Has Been Number One for Over a Decade

In NordPass's annual "most common passwords" ranking, "123456" has claimed the top spot nearly every year from 2013 to 2025. Why is it so persistent? Three reasons. First, the number keys on a keyboard are arranged left to right, making "123456" a natural finger movement. Second, many services require "at least 6 characters," and "123456" is the shortest possible answer. Third, people set it as a "temporary" password during quick signups - and never change it.

The runners-up are also nearly identical every year: "password," "123456789," "qwerty," "abc123" - all either keyboard patterns or plain English words. These passwords are prime targets for dictionary attacks.

Password Trends by Country - National Character on Display

NordPass data reveals fascinating country-specific trends. In Germany, "hallo" (hello) and "passwort" (password in German) rank high. In Italy, "juventus" (the football club) is a perennial favorite. Japan sees names like "sakura" and "takahiro," France defaults to "azerty" (the French keyboard layout), and America favors sports like "baseball" and "football."

What this means is that attackers maintain dictionaries tailored to each country and language. "Sakura" might feel personal to a Japanese user, but it is absolutely in every attacker's dictionary. Popular words in your country are the worst possible password choices.

Why "P@ssw0rd" Is Just as Useless

"If I change password to P@ssw0rd, it's secure, right?" Unfortunately, not at all. This type of character substitution is called "leet speak" - replacing a with @, o with 0, e with 3. The problem is that attackers know these patterns perfectly. Modern password-cracking tools have leet-speak transformation rules built in and apply them to every word in their dictionary, so all variations of "password" are tested within seconds.

Security researchers have found that leet speak adds almost no cracking time. While "password" is cracked in under a second, "P@ssw0rd" takes only a few minutes - not a meaningful difference. Truly strong passwords require unpredictable randomness. For details, see password entropy.
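The flip side of this, from a defender's seat: a registration form can undo the same substitutions an attacker's rules apply and reject anything that collapses back onto a known bad password. The following is an added example, not code from the original article; the blocklist and the reverse leet map are constructed for illustration, and a real deployment would use a large breached-password list.

```python
import itertools

# Constructed blocklist: a few entries from the page's "hall of shame".
COMMON_PASSWORDS = {"123456", "password", "123456789", "qwerty", "abc123", "dadada"}

# Reverse leet map: each substitute character and the letter(s) it may stand for.
# "1" is ambiguous (i or l), so it branches into two readings.
UNLEET = {"@": "a", "4": "a", "0": "o", "3": "e", "1": "il", "!": "i", "$": "s", "5": "s", "7": "t"}

# Digits/symbols that attack rules commonly append or prepend to a base word.
DECORATION = "0123456789!@#$%^&*._-"

def unleet_candidates(pw: str):
    """Yield every plain-letter reading of pw (lower-cased), including pw itself."""
    options = [[c] + list(UNLEET.get(c, "")) for c in pw.lower()]
    for combo in itertools.product(*options):
        yield "".join(combo)

def is_leet_of_common(pw: str) -> bool:
    """True if pw matches a blocklisted password after undoing leet substitutions,
    case changes and decorative digit/symbol runs at either end."""
    branching = sum(1 for c in pw.lower() if c in UNLEET)
    if branching > 12:
        # 3**12 readings is the most we are willing to enumerate; a password this
        # long and this full of substitutions is not a leet-speak disguise of a word.
        return False
    for cand in unleet_candidates(pw):
        if cand in COMMON_PASSWORDS or cand.strip(DECORATION) in COMMON_PASSWORDS:
            return True
    return False

if __name__ == "__main__":
    for pw in ["P@ssw0rd", "Pa$$w0rd!", "QWERTY", "purple vacuum Jupiter natto"]:
        print(f"{pw!r:32} rejected={is_leet_of_common(pw)}")
```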

Brute-Force Cracking Times - A Shocking Comparison

To grasp password strength, let us compare estimated brute-force cracking times. "123456" takes under 1 second. "password" also under 1 second. "P@ssw0rd" takes about 5 minutes. A personal-info-based password like "MyDog$Name2024" takes hours to days. Meanwhile, a randomly generated 16-character password (mixed upper/lowercase, numbers, symbols) would take hundreds of millions of years with today's fastest computers.

This difference comes from the number of possible combinations (entropy). Six digits offer only 1 million possibilities, but 16 characters of mixed alphanumeric and symbols offer roughly 10 to the 30th power combinations - so many that trying them all would take longer than the age of the universe.

Celebrity Password Fails

Password failures are not just a problem for ordinary people. In 2016, Facebook CEO Mark Zuckerberg's LinkedIn password was leaked and turned out to be "dadada." Worse, he reused the same password on Twitter and Pinterest, leading to both accounts being hijacked. The person running the world's largest social network fell victim to password reuse.

Another famous case involves former President Donald Trump in 2020. Dutch security researcher Victor Gevers claimed that Trump's Twitter password was "maga2020!" and that he successfully logged in on his fifth attempt. Two-factor authentication was reportedly not enabled. One of the most watched accounts in the world was protected by a guessable campaign slogan.

These stories prove that no one is immune to bad password habits. The solution is the same for everyone: use a password manager, generate random passwords, and enable two-factor authentication on every account.

The Fun Way to Create Good Passwords - Passphrase Method

Random character strings are strong but hard to remember. That is where passphrases come in - combining four or more random words into one password. For example, "correct horse battery staple" is far stronger than a random 8-character password, yet much easier to remember.

The key is that the words must be random. A meaningful sentence like "I love my dog" is vulnerable to dictionary attacks, but a nonsensical combination like "purple vacuum Jupiter natto" is extremely strong. For passwords you must memorize yourself, like your password manager's master password, the passphrase method is ideal. To understand password strength mathematically, see the secure password guide.
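To put numbers on the cracking-time comparison above and on the passphrase method, here is an added calculator (not code from the original article) that computes entropy as log2 of the number of equally likely candidates and the worst-case time to exhaust them. The guess rate is an assumed ballpark figure, the forward leet map is constructed, and the 7776-word list size is the Diceware convention; it also counts how many disguises a dictionary word like "password" really has, which is the reason "P@ssw0rd" falls in minutes.

```python
import math

# Assumed attacker guess rate (constructed ballpark for a fast hash on GPU hardware;
# the real figure depends on the hash algorithm and the attacker's budget).
GUESSES_PER_SECOND = 1e11

# Forward leet map: which substitutes an attacker's rules try for each letter.
LEET = {"a": "@4", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "$5", "t": "7"}

def random_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random string: log2(charset_size ** length)."""
    return length * math.log2(charset_size)

def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly at random from a list."""
    return words * math.log2(wordlist_size)

def leet_variant_bits(word: str) -> float:
    """Effective entropy of disguising a known word with leet substitutions and
    case changes: log2 of the number of variants a rule-based attack must try.
    Case is counted for every letter, so this is a slight upper bound."""
    variants = 1
    for c in word.lower():
        variants *= 1 + len(LEET.get(c, ""))   # plain letter plus each substitute
        if c.isalpha():
            variants *= 2                        # upper or lower case
    return math.log2(variants)

def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try all 2**bits candidates at `rate` guesses/second."""
    return 2 ** bits / rate / (365.25 * 24 * 3600)

if __name__ == "__main__":
    cases = {
        "123456 (six digits)": random_bits(10, 6),
        "random 16 chars, 95-symbol set": random_bits(95, 16),
        "leet/case variants of 'password'": leet_variant_bits("password"),
        "4 words from a 7776-word list": passphrase_bits(7776, 4),
    }
    for name, bits in cases.items():
        print(f"{name:34} {bits:6.1f} bits  {years_to_exhaust(bits):.3g} years")
```

The point the numbers make is that strength comes from how a password was generated, not how it looks: every disguise of "password" together is worth under 14 bits, while four random words from a 7776-word list are worth about 52.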

To learn more about security fundamentals, security books (Amazon) can be helpful.

Frequently Asked Questions

What is the most commonly used password in the world?
According to NordPass's annual survey, "123456" has held the top spot for over a decade. The main reasons are that number keys are arranged left to right on keyboards, and it is the shortest answer to many services' "minimum 6 characters" requirement.
Is character substitution like "P@ssw0rd" secure?
No, it is not secure. Leet speak substitutions like a to @ and o to 0 are built into standard attack tools. All variations of "password" are tested within minutes, so cracking time barely increases. Use random strings or passphrases instead.
What is a passphrase?
A passphrase is a password made by combining four or more random words, such as "correct horse battery staple." It is stronger than a random 8-character password and easier for humans to remember. It is ideal for password manager master passwords.
