Basic password hygiene is still awful, so maybe it is time to go passwordless

A close up of a finger hovering over the 2 key on a laptop keyboard
(Image credit: Getty Images)

Chronically poor password hygiene is leaving millions of users globally at the mercy of threat actors, according to new research from NordPass.

NordPass’ new report on the ‘Top 200 Most Common Passwords’ reveals the general level of password security remains alarmingly poor, with over four million people using ‘admin’ as their password.

Every one of the top ten most used passwords on NordPass’ list is estimated to take less than one second for threat actors to crack, with only 35 entries on the list taking longer than seconds before hackers can crack them. 

Among the top ranking-passwords were variations on ‘1234’, with six of the top ten solely using sequential numbers.

‘123456’ took the top spot overall with a count of over 4 and a half million uses. Another notable member of the top ten was ‘password’ occurring 710,321 times in the database evaluated by NordPass.

NordPass’ list was compiled in partnership with independent security researchers. Together they evaluated a 4.3TB database taken from publicly available sources, including information on the dark web.

The partnership also analyzed a 6.3TB database of passwords stolen by a number of the leading stealer malware, including Redline, Vidar, Taurus, Raccoon, Azorult, and Cryptobot.

NordPass said the findings are highly concerning given that basic password hygiene is typically the first line of an organization's cyber defense. 

Simply adding letters and special characters can significantly increase the health of a password, and the fact users are not even taking this step demonstrates a stark naivety amongst the general population concerning cyber security.

Earlier in 2023, UK-based password security specialist, Authlogics revealed that its Password Breach Database exceeded a landmark number of five billion in March. 

The fact the world’s largest repository of compromised credentials hit a new landmark is “not a good news story”, Authlogics founder Steven Hope told ITPro at the time.


A whitepaper from CDW on how Windows 11 Pro devices can improve security and drive business opportunities

(Image credit: CDW | Microsoft)

Grow your business with the right security solution and stop worrying about increasing your attack surface. 


“Just one of these records has the potential to cause harm and it should be assumed that if we have been able to source the information, those with nefarious ambitions have done so too,” he added.

NordPass' findings closely align with recent research that found an alarming number of IT administrators still use 'admin' as their default password.

Analysis of over 1.8 million admin credentials by Outpost24 found that basic default passwords were used frequently by IT staff. Highly predictable terms were also used tens of thousands of times.

Are passwords part of the problem?

The growing risks associated with using passwords as a security layer have prompted some to call for their replacement

Andrew Shikiar, executive director & CMO of FIDO Alliance backed a transition to using passkey validation methods, which typically require biometric technologies such as facial or fingerprint recognition, or using local PINs to login. 

“NordPass’ research is yet another example of how passwords are long past their expiration date – users continue to depend on incredibly weak passwords.” Shikiar said.

“Credential managers, such as NordPass, are an effective way for users to improve their password hygiene and will also play a critical role in helping consumers and businesses manage the transition towards passkeys, a true password replacement featuring robust security and usability.”

Google has already done exactly that, shifting towards passwordless authentication with its announcement users could use passkeys on personal Google accounts in May 2023.

This was the latest movement by a major player towards passkey, with Apple and Microsoft already committing to the FIDO Alliance and World Wide Web Consortium’s passwordless sign-in standard in May 2022. 

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.