Passwords are a pain, and with biometric logins, passkeys and other two-factor authentication methods available, they should be a thing of the past. In reality, though, a lot of systems still use username and password as the only security measure, and users choose almost ridiculously easy-to-guess passwords.
The most used passwords are "123456" and "secret"
The security company NordPass just released the sixth edition of its annual password insights. The researchers reviewed 2.5 terabytes of data extracted from various publicly available sources: password and email dumps stolen by malware or exposed in data leaks. Here are the 20 most used passwords and how often they showed up in the dataset.
- 123456 (3,018,050)
- 123456789 (1,625,135)
- 12345678 (884,740)
- password (692,151)
- qwerty123 (642,638)
- qwerty1 (583,630)
- 111111 (459,730)
- 12345 (395,573)
- secret (363,491)
- 123123 (351,576)
- 1234567890 (324,349)
- 1234567 (307,719)
- 000000 (250,043)
- qwerty (244,879)
- abc123 (217,230)
- password1 (211,932)
- iloveyou (197,880)
- 11111111 (195,237)
- dragon (144,670)
- monkey (139,150)
Password differences across 44 different countries
The research covers passwords from 44 different countries, and it is interesting to see how local language and keyboard layout play a part. For example, "qwerty", from the US keyboard layout, is beaten by "azerty" in France. Strangely enough, the German dataset doesn't have "qwertz", though. Finland is the first with a swearword, in 5th place. Weirdly enough, none of the countries with a different alphabet or "native special characters" like umlauts use any of them in the top 20.
No mix of upper and lower case, no alternating letters and numbers, and no special characters
Remember, "beefstew" is not a good password, it is not "Str0g4|\|ofF".
Most of the passwords only use lowercase letters followed by numbers. The first password to alternate letters and numbers is "zag12wsx", in 30th place. The first one to mix cases is "Password", in 26th place. The first "special character" to show up is a "!" at the end of a word, in 46th place.
Corporate passwords are not more secure
In most cases, the data also contained email addresses, which allowed the researchers to distinguish between personal and corporate accounts. When it comes to the insecurity and simplicity of the passwords, however, there was not much difference.
Why do people choose weak passwords?
One of the biggest reasons for weak passwords is frustration. Passwords are hard to remember, and resetting them can be a pain. Old login systems often have no rules that push people towards stronger passwords, and some don't even allow special characters or non-Latin letters. As developers, we have to do better at making it easy for people not to shoot themselves in the foot. At the same time, you don't want to be too strict, as limiting what people can do is just as frustrating.
For example, the London airport train offers free Wi-Fi and asks you to sign up. The password ruleset was the following:
That makes it worse for everyone involved. Not allowing ampersands looks like they had been bitten by XSS injections before. Don't make your own problems your users' problems.
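As an added example (not from the article or from NordPass), here is what the approach described above looks like in a sign-up check: it rejects the report's top-20 passwords, including "Password1!"-style variants, relies on a length minimum rather than composition rules, and forbids no character at all. The ampersand problem is solved by escaping user-supplied values where they are rendered; the 12-character minimum and the suffix pattern are my assumptions.

```javascript
// Added example: a sign-up password check that bans the common passwords, not the characters.
// The list is the report's top 20 as quoted in the article.
const COMMON_PASSWORDS = new Set([
  "123456", "123456789", "12345678", "password", "qwerty123", "qwerty1",
  "111111", "12345", "secret", "123123", "1234567890", "1234567", "000000",
  "qwerty", "abc123", "password1", "iloveyou", "11111111", "dragon", "monkey",
]);

// Assumption: a plain length minimum instead of "one capital, two digits" style rules.
const MIN_LENGTH = 12;

// Lower-case and strip the cheap "make the rule happy" tail (digits and punctuation),
// so "Password1!" is compared against the list as "password".
function normalize(pw) {
  return pw.toLowerCase().replace(/[\d!@#$%^&*.,?_-]+$/, "");
}

// Returns { ok, reasons }. No character class is ever rejected: "&", "ß" or "ö" are fine.
function checkPassword(pw) {
  const reasons = [];
  if (pw.length < MIN_LENGTH) reasons.push(`shorter than ${MIN_LENGTH} characters`);
  const lower = pw.toLowerCase();
  const base = normalize(pw);
  if (COMMON_PASSWORDS.has(lower)) {
    reasons.push("on the common-password list");
  } else if (base.length > 0 && COMMON_PASSWORDS.has(base)) {
    reasons.push("common password with a digit or symbol tacked on");
  }
  return { ok: reasons.length === 0, reasons };
}

// XSS is an output problem: escape any user-supplied value (e.g. the email on the
// confirmation page) where it is rendered instead of forbidding "&" in the input.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

module.exports = { checkPassword, escapeHtml, normalize };
```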
But people are people and will surprise you. I remember once demanding a capital, two numbers, a five-letter word and two special characters and found "LondonTwoFivePantsPaddingtonCatweazle" in my logs.
What are alternatives?
Most people these days use password managers to work around the problem. In essence, if you can remember your password, it is easy for an attacker to guess, so we either need hard passwords we keep forgetting or other ways to prevent access, including biometrics and passkeys.
Learn more
Here are some sessions from the WeAreDevelopers World Congress and LIVE days that deal with passwords and login systems:
- Paweł Łukaszuk - Passwordless Web 1.5
- Clemens Hübner - Passwordless future: WebAuthn and Passkeys in practice
- Yedidya Schwartz - Accelerating Authentication Architecture: Taking Passwordless to the Next Level
- Alvaro Navarro - No More Post-its: Boost your login security with APIs