Which password gets hacked more than any other password in the US?
What about in Germany?
This report summarizes the findings of the SafetyDetectives research team who collected over 18 million passwords to find the 20 most used, most predictable, and ultimately most hacked passwords all over the world.
The data used in this report was gathered from several years’ worth of leaks found on hacking forums, marketplaces, and dark web sites — usually sold as treasure troves of sensitive information for criminals. (Note: We only analyzed the data — no identifying information like usernames or banking details were compromised while conducting this research.)
Our goal was not to simply put together another “most used/hacked passwords” list. Instead, we wanted to see if there were any obvious patterns occurring around the world which would cause hackers easier access to user information, regardless of language or location.
Non-English speaking countries are often underrepresented in cybersecurity research, but non-English speakers are still vulnerable to cyber crime. It’s important to stay protected on the internet no matter where you live or what language you speak. And it all starts with a password manager (such as Dashlane) and an antivirus (Norton, Malwarebytes, and Bitdefender are some of our top recommendations).
Over 18 Million Passwords Analyzed
We collected and analyzed a total of 18,419,945 passwords.
Around 9 million passwords were from the general population:
- From various worldwide databases, we collected 9,056,593 passwords
- Note that there’s some overlap with other populations.
- From hacked .edu users, we collected 328,000 passwords.
The remaining 9 million passwords were country-specific:
- Germany — 783,756
- France — 446,613
- Russia — 5,614,947
- Italy — 49,622
- Spain — 459,665
- USA — 1,680,749
We looked at this from a lot of different angles to identify the weakest and most insecure passwords in the world.
For each population, we identified:
- The top 20 most used passwords (and the top 30 overall).
- The most popular password patterns.
- Specific cultural references to that population.
We also looked at:
- How names found in email addresses are used in passwords. We specifically looked at the use of first names in “[first_name].[last_name]@[email_provider].com” and address names in “[address_name]@[email_provider].com”.
- How these common passwords compare to the “Hacker’s List” – the list of passwords that are most often used by security researchers for dictionary attacks. (“Dictionary attacks” refers to trying many different common passwords until the right one is guessed.)
Note: Many of the passwords analyzed in this report would not be allowed to be used by sites that have password strength checks in place.
Top 30 Most Used Passwords in the World
General Password Trends in the World
- The word “password” and its slight variations (e.g. “password1”) are very popular.
- Common words and phrases (“letmein”, “iloveyou”, “princess”, “superman”, etc.) are also widely used.
- Keyboard patterns remain popular — 25% of the top 30 most common passwords are keyboard patterns. “qwerty” is the most used one by far, but diagonal keyboard pattern variations like “1q2w3e4r” and “zaq12wsx” are also well represented.
Numbers are the Most Common Password Pattern
Numeric patterns are worldwide favorites when it comes to creating a weak, easy-to-guess password. Increasing (e.g. 123456) or repetitive (e.g. 111111) numeric patterns could be observed in 8 out of the top 10 and 13 out of the top 30 most used passwords.
Analyzing passwords by country, we notice a few more things:
- The word “hello” is a popular password choice everywhere (in their respective languages), present in the top 20 password lists of nearly all countries we analyzed.
- The soccer-loving nations of Italy and Spain both have names of prominent soccer teams in the top 10 of their most common passwords.
- German and Spanish users favor numeric patterns.
- Russian users more often choose keyboard patterns for passwords than other countries.
Germany – Top 20 Most Used Passwords
The most common password pattern: German users show a preference for simple, easy-to-guess increasing numeric passwords, starting with “123” and going all the way to “1234567890”. Such passwords constitute nearly 50% of the German top 20 list.
Other password trends: The word “passwort” (“password”) and “hallo” (“hello”) are popular choices, and so are keyboard patterns using the German keyboard layout (e.g. “qwertz”).
France – Top 20 Most Used Passwords
The most common password pattern: While the French version of “qwerty” – “azerty” – is number one, common French words and phrases requiring little to no translation – like “marseille”, “bonjour”, “jetaime”, “soleil”, or “chocolat” – are also very popular.
Other password trends: Increasing numeric patterns are notably less popular with French users than with the worldwide population. Only 3 out of the top 20 French passwords are numeric. This can likely be explained due to French keyboards requiring users to press “Shift + number” instead of only the number.
Russia – Top 20 Most Used Passwords
The most common password pattern: All of the top 20 Russian passwords are numbers and patterns, and many of them are different from worldwide trends. Russian users often choose diagonal keyboard patterns involving numbers and alphanumeric characters – for example, “1qaz2wsx” or “1q2w3e4r”.
Other password trends: Russian users are the least likely of the populations we analyzed to use meaningful words – in Russian or English – as passwords.
Italy – Top 20 Most Used Passwords
The most common password pattern: The first names like “francesco”, “alessandro”, or “guiseppe” are the most popular password choices for Italian users. Such passwords are particularly insecure and easy to guess when used in combination with an email mentioning the same first name – for example, [first_name]@[email_provider].com. Unfortunately, this practice is still very common.
Other password trends: This soccer-crazy nation has “juventus” as the #3 top password choice.
US – Top 20 Most Used Passwords
The most common password pattern: US users are equally likely to use an increasing numeric pattern, keyboard pattern, or a common word or phrase as a password.
Other password trends: 25% of the US’s top 20 passwords contain “qwerty” as an exact or partial match.
Spain – Top 20 Most Used Passwords
The most common password pattern: Spanish users show a preference for numeric patterns like German users do.
Other password trends: Out of the 5 common words in the top 20 list, 2 are the names of famous Spanish soccer teams (“barcelona” and “realmadrid”).
Top 20 Most Used Passwords for .edu Users
Students and faculty at university don’t typically regard their .edu email addresses as important, so they tend to create easy-to-guess passwords.
The 20 most common .edu passwords are:
The most common password pattern: Educational domain users are likely to choose common passwords – these passwords constitute 60% of the overall top 30 list.
Other password trends: .edu users often pick names of sports for their insecure passwords, and they are more likely to do so than any other category of users analyzed in this report. The increasing numeric passwords they use tend to be short – 6 out of the 8 numeric patterns on the list are under 8 characters long.
Analysis: The Most Used Word Patterns in Passwords
This section summarizes our analysis of commonly used word patterns within passwords. Numeric sequences (such as “123456” etc.) are excluded from this section’s analysis. (Note: We include numeric patterns in our analysis later on.)
- The word “password” was the most popular choice with worldwide users, as well as with .edu users and the US population. Its variations in other languages, such as “passwort” (German) or “motdepasse” (French), were also found in the top 20 for their respective country.
- Also popular worldwide and across many countries are words like “angel”, “dragon”, and “superman” which are culturally relevant to a broad category of users.
- Most European users (particularly Italian and Spanish) prefer using first names as passwords.
- Russian users differ from the other populations in our study. They prefer keyboard patterns over meaningful words, even when using alphanumeric characters as passwords.
First Names in Passwords
The use of first names inside passwords is very common, especially first names that are included in email addresses — 4.19% of worldwide users do this. Italians (4.13%), Russians (3.79%), and Germans (2.51%) are the global populations most likely to use these extremely easy-to-hack passwords.
First Names + 123 Patterns in Passwords
A “123” pattern added either before or after the email address’s first name was observed in about 0.03% of the worldwide population’s passwords. While adding random numeric patterns to passwords is a great strategy, this simple pattern is far too common, making these kinds of passwords very easy for hackers to guess.
Famous People, Brands & Pop Culture Figures in Passwords
In our analysis of 9.3 million users worldwide, we frequently found pop culture and historic figures used either as part of a password or an exact match.
Not surprisingly, we found that cultural references influenced password choices quite heavily.
“Christ” and “Jesus” led the way with 7,432 and 7,414 respective mentions in passwords.
Three brands – “Google” (7,057 mentions), “Apple” (6,240), and “Samsung” (2,866) – also made it to the top 10.
The popular TV series “Friends” was another top choice with 4,289 mentions, while “Starwars” was used 2,237 times.
The popular sports figure “Ronaldo” was at the 10th spot with 1,265 mentions.
Hacker’s Top 10 Most Used Passwords List Explained
To put the findings of our report into perspective, we compared them with the top 10 list of the most used passwords that hackers and security researchers use when testing login security.
We used the following resources to create the Hacker’s Top 10 most used passwords list:
- John The Ripper (password cracking program)
- NMAP (network discovery tool)
- Security researchers’ most used passwords lists (sourced from Github)
- Honeypot credentials from real world attacks (sourced from Github)
Hacker’s Top 10 List of Most Used Passwords
This comparison shows that, overall, the most insecure passwords to use across all countries and populations are “123456” and “12345678” – two of the most obvious, easiest-to-guess numeric patterns which meet the minimum 6 to 8 character password length requirement that most web sites have.
“123456” is #1 on the Hacker’s List for a reason – this password is THE most popular one worldwide (0.62% of 9.3M passwords analyzed). It also holds the:
- #1 spot for .edu, Germany, Italy, and Spain users.
- #2 spot for USA and Russia users.
- #4 spot for France users.
Match Between Countries’ Top 10 and Hacker’s Top 10
Here’s how the 10 most common passwords in various populations matched the Hacker’s Top 10 list:
- Worldwide – 80% match
- USA, Spain – 50%
- Italy, Russia – 33%
- Germany – 25%
- France – 10%
The overall password trends analyzed from worldwide users match up pretty well with this list, making the most used passwords in the world extremely prone to dictionary attacks. Those users in the US and Spain with these passwords are also extremely susceptible to hacks.
Additional Insights on Worldwide Password Trends
- The Italian and US populations are the ones most likely to use first names and/or other words that are part of their email credentials in their passwords. Overall, up to 4% of users worldwide do this.
- The Russian population uses keyboard patterns and numbers for their passwords more often than other populations we analyzed.
- The phrase “iloveyou” in local languages is a popular choice for passwords.
- Passwords like “111111”, “000000”, or “27653” (possibly spelling “broke” on the phone dialing pad) are more likely to be chosen when the user accesses a mobile site or an app from their phone.
How to Improve Password Strength
With hacking rates on the rise in 2020, most people become victims because they don’t create passwords that are unique, hard to guess, and secure. And that makes sense. Without a password manager, it’s impossible to remember hundreds of unique, challenging passwords for every single login.
5 tips for improving password strength:
- Don’t reuse passwords on any account.
- Use a password that is longer than 8 characters.
- Don’t include any words in your email address as part of your password.
- Always include numbers, capital letters, and special characters in passwords. But many passwords start with a capital letter and end with a number (often the current year). Don’t follow that pattern.
- Don’t include common names, common cities, or common cultural references.
Bonus tip: You can check your password strength using SafetyDetectives’s password strength analyzer.
The best and easiest way to achieve all of these things is by using a password management system. A good password manager will create secure passwords for all of your accounts, autofill them when logging in, and have high levels of encryption so no one can steal your information. We recommend a low-cost premium password manager like Dashlane, but any of the best password managers on the market will guarantee your passwords are strong, secure, and protected.