A report that includes an analysis of more than 100 million passwords leaked over four years via data breaches has revealed the weakest passwords currently in use – and almost all of them are really easy to guess. In fact, it would take a hacker with the right technology and information just seconds.
A separate NordVPN study carried out before this report was published revealed that the average person has over 100 passwords, and if you’re re-using your own name, favorite sports team, or a simple sequence of numbers, newly published data suggests your account credentials could be easily compromised by cybercriminals.
In this article, we’ll be covering the most-used passwords revealed in the report, as well as some password ideas you can use as inspiration for the passwords you make in 2024. We’ll also run through exactly how long and complex secure passwords should be – and why passkeys might just be around the corner.
The Most-Used Passwords: Study Results
Data released by online security platform mymxdata.com — which has scraped over 100 million different passwords leaked in data breaches since 2019 — shows exactly what names, phrases, and numbers you should avoid when making a password.
It goes (almost) without saying that you should avoid all of these passwords at all costs, even if they’re extremely convenient to use and very easy to remember.
Passwords as simple as these should be nowhere near accounts that hold valuable personal and confidential information, such as your online banking or social media accounts.
The most-used names in passwords
According to mymxdata.com’s report, the most frequently used name in passwords is “Michael,” which was used 107,678 times as a password. Daniel came a distant second after being used 99,399 times.
Other names that appear most regularly in passwords include Ashley (91,977), Jessica (86,410), Charlie (82,348), and Jordan (74,310).
Michelle appeared in 71,816 passwords and Thomas was used in 70,024. Nicole was the ninth most-used name after appearing 69,223 times, and rounding off the top 10 is Andrew, which was included in 65,509 passwords.
The most-used sports and soccer teams in passwords
It’s tempting to use your favorite sport in your passwords, as it’s going to be super easy to remember – but unfortunately, popular sports are among the most widely-used words in passwords, and should therefore be avoided at all costs when you’re making an account.
- Football: 107,169
- Baseball: 82,574
- Soccer: 79,735
- Basketball: 62,667
- Hockey: 41,220
- Tennis: 24,189
Mymxdata.com also looked at the most-used soccer team names in passwords. The top five most-used clubs in its 100 million-strong password dataset were:
- Liverpool: 70,317
- Chelsea: 55,834
- Barcelona: 46,273
- Arsenal: 45,321
- Juventus: 38,169
The most-used numbers and phrases in passwords
Unsurprisingly, the most-used number sequence is “123456”, which was used by password creators 6,621,933 times. “111111” (six consecutive 1s) was used 968,155 times, while “12345678” and “abc123” were both used more than eight hundred thousand times each.
“Qwerty” – the first five letters to appear on the keyboard – was used as a standalone password 878,496 times, despite its obvious weaknesses. “Password” (946,935) and “Password1” (740,680), on the other hand, were among the most widely-used phrases in passwords.
The most-used years in passwords
Strangely, the most-used year in passwords compiled by mymxdata.com was “2013,” which was chosen 129,745 times. “2010” was the second most popular year to use as a password and was utilized 79,274 times. The other most widely used years were:
- 1986: 78,709 uses
- 1987: 73,067 uses
- 1989: 61,405 uses
- 1985: 58,627 uses
- 1988: 57,945 uses
- 1990: 56,947 uses
- 1984: 54,333 uses
- 2020: 51,269 uses
- 1982: 50,833 uses
- 2012: 47,283 uses
- 1983: 45,789 uses
- 1992: 44,952 uses
- 1995: 43,558 uses
- 1980: 43,255 uses
Remember that dates of birth are regularly used in passwords, and threat actors know this is the case. What’s more, this sort of information is often available online too, if someone is looking hard enough.
The most-used fictional characters in passwords
Leaving Marvel in its dust, DC comics dominate the fictional characters category. The most regularly featured fictional character in the passwords mymxdata.com scraped was Superman, which was used 86,937 times, while fellow DC hero Batman came second with 52,388.
Wall-E makes a surprise entry in third with 48,288 uses, while Hello Kitty (35,381), SpongeBob (35,349), and Marvel’s Spider-Man (35,078) make up a somewhat surprising top five, which includes no Lord of the Rings, Game of Thrones, or Star Wars characters.
The most-used famous figures in passwords
Just like your favorite sport, you might think the name of your favorite famous person is worth sneaking into a password. However, for the most part, that’s a bad idea – the likelihood is that your favorite famous person is going to be the same as loads of other people’s favorite famous person. Here’s the top nine:
- Blink-182: 84,545
- 50 Cent: 55,897
- Eminem: 43,344
- Slipknot: 39,630
- Metallica: 38,608
- Nirvana: 35,436
- Justin Bieber: 34,296
- Ronaldo: 34,137
- Messi: 495
Surprisingly, this list is exclusively dominated by musical artists who made their names during the 1990s and early 2000s – precisely the time when internet usage went mainstream. However, world-renowned footballers Lionel Messi and Cristiano Ronaldo unsurprisingly round off the list.
Strong Password Examples: A List for 2024
Warning: The passwords listed in this article have been created as examples to showcase what a secure password may look like. Please do not use these passwords for your own accounts.
Now you know what the most commonly-used, regularly-cracked passwords are, it’s time to look at some examples of good passwords and passphrases that you can use as inspiration.
- bur3=iMePHI549ZiClBr – This password uses a wide variety of characters, letters, and symbols – but might be a little difficult to remember
- 3ButterFlies:)+4Sharks:(=7Animals – This passphrase utilizes numbers and mathematical symbols to ensure it is sufficiently varied and complex without being overly complicated to remember.
- (NEWSFLASH…TayloRSwifTReallYSuckS!!!) – This password uses a memorable phrase and a code for capitalization (first and last letter of every word) to make it easy to remember. It’s also very, very long.
- September:The10thAnnualBoatingTr1pPrankonDarryl’sWife – This password references a private in-joke from a specific life event, and although there are not many letters and numbers, it’s 53 characters long.
- WaTcmFAwKoFtTe! 1. Elegant 2. Hedgehog $4510 – This password is an acronym for the first lines of the chorus in Queen’s “We are the Champions,” plus two words suggested by a random word generator and a meaningless price. It also has spaces and different special characters.
We can also see how a password can be turned from a weak one into a strong one with just a few simple modifications:
- Extremely weak password: Crocodile
- Weak Password: Crocodile111
- Moderate password: Cr0c0D1le135
- Strong password: Cr0c0d1l3-1358007!
- Really strong password: ?!Cr0c0D1l3-$1358007!?
There are now loads of safe, secure ways to test the strength of your passwords – so make sure you try them before you use them to secure your email or social media accounts.
Examples of Bad Passwords
There are some really clear and simple rules to follow when it comes to avoiding bad passwords. For example, avoid genericism and lean into uniqueness, such as private jokes or niche references (more on this in the next section).
Sometimes, the quickest way to learn is to just look at some bad password examples. So, we’ve put together a short list of weak passwords. We’ve bolded the password each time, and included an explanation of precisely what makes it unsafe in parentheses:
- WestVirginia (No numbers or special characters, simple phrase)
- bacon454 (less than 12 characters, no upper case letters)
- Johnbonjovi (less than 12 characters, no symbols or characters)
- Password2024 (less than 12 characters, references current year)
- Pa$$w0rd (a variation on a common word used in weak passwords)
- BigHockeyFan (no symbols, unoriginal, reference to popular sport)
- USA07/04/1776 (well-known date, no special characters)
- SantiagoBrooklyn99 (full name of TV show + character with little deviation)
- B3nn£y (way less than 12 characters long, dangerously short)
- Arnold1976 (Simple name and date, not complex enough)
- BloombergSubcriptionPassword (too descriptive of password purpose)
- 123456789 (no letters or characters, sequential numbers)
Firstly, under no circumstances should any of your passwords incorporate personal information — including your name, house address, date of birth, the city you live in, or pet names. If you’re being specifically targeted by someone and any of this data is publicly available, it’ll be among the first things that they try.
Password Ideas You Can Try Yourself
There are good password ideas and bad password ideas — and it’s always advised to consider best practices when you’re creating passwords for your most treasured accounts.
If you’d like an in-depth look into password best practices and the factors that impact how strong your account credentials are, have a look at our password security guide – but if you don’t have time, here are some password ideas you can use for inspiration.
Use a multi-character passphrase
It’s quite common to hear the phrase “passphrase” instead of “passcode” or “password” in 2024, and many people believe passphrases are now more secure than passwords.
The advantage of passphrases is that they’re longer than passwords but easier to remember. Switching to one can be an easy first step to a more secure online existence for people with poor password hygiene who re-use the same password over and over again.
However, remember that using a passphrase is not a silver bullet, nor is it foolproof. It certainly should not be used instead of special characters and numbers. You can incorporate numbers into a passphrase by simply swapping out words for the numbers themselves.
Whip out the private jokes
Languages are vast – there are approximately 170,000 English words in use. This means there is an almost unthinkable number of different combinations of words and phrases. For instance, there are 50 billion websites indexed by Google – and not a single one contains the meaningless two-word phrase “Hedgehog Asinine” we created to prove this point.
The chances are, you probably have at least one in-joke with your family, friends, or colleagues that includes two or more words that just don’t ever appear alongside each other in your language. Using one of these unique in-jokes as a basis for your password or phrase will be a lot safer — and much harder to crack — than a phrase like “FootballFan” or “LetsGoYankees.”
Start using acronyms
Rather than thinking about entire words or phrases, try creating a password that is effectively a long acronym. This produces a complex sequence of what look like unrelated or randomly-placed words, while keeping it relatively easy to remember.
For example, (WtNhCaTlidaTmItOlWs2691) is a 20+ character password that includes upper and lower case letters, numbers, and special characters.
Impossible to remember, right? Well, what if I told you that it was simply the first letter of every word from the first verse of Ben E. King’s hit song Stand By Me, simply with alternating capitals, plus the year that the song was written reversed and a pair of parentheses?
If you can easily recite even single verses of songs, you’ll have a goldmine of acronym-based codes you can use to complicate and lengthen your passwords, and you might even be able to learn them quickly off by heart.
Embrace special characters
Often, when people create passwords, they’re fine using letters and numbers – but they avoid special characters because they’re harder to remember.
A good password idea to follow is to embrace special characters. As you can see from the lists of bad password examples above, many don’t have any special characters included within them at all.
For example, why not put your entire password in parentheses like the example password referenced above, or use a dollar sign before the sequence of numbers you’re including? After you do it once, it’ll come a lot more naturally.
Create a secret keyboard code
An easy way to remember a really complicated password is to create a keyboard code for yourself. This sounds complicated at first, but it’s actually really easy to do.
For example, you could take a weak password or memorable phrase – such as ILoveTheChicagoCubs1876 – but instead use the letter that is a key below each character in your initial, simple password/phrase, and numbers that are one to the right of any number.
In this example, the simplistic ILoveTheChicagoCubs1876 becomes the much more secure K.l dGnk zbl j x2987, which is naturally harder to crack thanks to its use of spaces and a random number rather than a connected one (1876 is the year the Cubs were founded).
We’d still recommend inserting some special characters into the password example we’ve used above to make it more secure, but you see what we’re getting at here.
Be original
Along with following password best practices, one of the easiest ways to make your password secure is to think creatively. Chances are, you’ve seen a fair few passwords in your life (and probably read several articles like this one), so you’ll have some sort of idea of sequences of characters commonly used in passwords (e.g. “123”) and those that aren’t (e.g. “@;)@”).
For example, how many weak passwords have you seen that have spaces in them? Underscores and asterisks are similarly underused, as are other seldom-used punctuation/character options.
How Complex and Long Should My Password Be?
A lot of people think that you can get away with passwords that are 8 characters long and that passwords of this length are secure. However, it wouldn’t take long for a hacker to crack a password of this length. Here are the four golden rules you must implement:
- Passwords should be a minimum of 12 characters (not words) long
- Passwords should include letters, numbers, and special characters/symbols
- Passwords should include upper and lowercase letters
- Passwords must not be re-used across different websites
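As an added example (not part of the original article or the mymxdata.com report), the sketch below checks a candidate password against the first three rules above and against a small sample of the common words the report found. The function name `audit`, the token list, the substitution table, and the year range are assumptions made for illustration; the re-use rule cannot be checked from a single password and is left out.

```python
import re

# Tokens taken from the report figures quoted in this article (names, sports,
# teams, phrases); a small constructed sample, not the full dataset.
COMMON_TOKENS = {
    "michael", "daniel", "ashley", "jessica", "charlie", "jordan",
    "football", "baseball", "soccer", "basketball", "hockey", "tennis",
    "liverpool", "chelsea", "barcelona", "arsenal", "juventus",
    "password", "qwerty", "abc123", "123456", "111111",
    "superman", "batman",
}
# Common character swaps (assumed table) undone before the blocklist lookup,
# so that "Pa$$w0rd" is recognised as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a", "!": "i"})
# Four-digit years from 1950 to 2039 (assumed range covering the listed years).
YEAR = re.compile(r"(19[5-9]\d|20[0-3]\d)")


def audit(password):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    if not re.search(r"[a-z]", password):
        findings.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        findings.append("no uppercase letter")
    if not re.search(r"\d", password):
        findings.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        findings.append("no special character")
    lowered = password.lower()
    normalized = lowered.translate(LEET)
    for token in sorted(COMMON_TOKENS):
        if token in lowered or token in normalized:
            findings.append(f"contains common token '{token}'")
    if YEAR.search(password):
        findings.append("contains a year")
    return findings
```

Calling `audit("Pa$$w0rd")` reports both the short length and the hidden common word, which shows why simple character swaps do not rescue a weak base word.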
At present, making use of a reliable password manager like OnePass is one of the best ways to store long, complex passwords for your accounts. However, the rise of Passkeys — which are more secure than passwords — may spell the end for password managers and passwords themselves.
Why You Should Use Passkeys, Not Passwords
Passwords have been around for decades now – but times are changing. Passkeys are now considered much safer than passwords, because they harness biometric data and PIN codes to ensure you’ll need either a target’s device or the person themselves to log into any given account, rather than a simple phrase that can be guessed from the other side of the world.
Passkeys are now the default sign-in option on Google, and the company has launched a hardware key called “Titan”. Apple is also rolling them out across its products, and Amazon also made the move to launch passkeys last year.
Passkeys don’t put as much onus on the account holder to remember long, complex passwords, and they make the entire sign-in process more seamless. Overall, passkeys are an extremely promising alternative to passwords – and one day, they might replace them altogether. Although this is unlikely to happen in the next five years – we are creatures of habit, after all – expect to see some significant shifts sooner than that.
That being said, passwords aren’t going to vanish overnight, so being aware of and implementing the best practices is still incredibly important. Remember to avoid the passwords found to be the most commonly used by mymxdata.com — using them is a one-way ticket to getting hacked.