Hackers launch 87,671 attacks EVERY day — if your password is on this list, you're in serious trouble

By Aaron Brown

Published: 02/05/2024 - 10:32

Updated: 02/05/2024 - 10:34

Stop relying on "123456" and other weak passwords, researchers warn

  • Hackers attempted to crack passwords 32 million times in 2023
  • That equates to 87,671 attempts every day, Kaspersky data shows
  • It highlights the importance of online security on World Password Day
  • Weak passwords still dominate most common passwords of last year
  • Millions still rely on "123456", "P@ssword" and "admin" to lock accounts
  • Always use a unique password for each online account, researchers warn
  • Password managers or passkeys can be a way to protect your data online

Your passwords are under attack every day. According to research from cyber security firm Kaspersky, there were 32 million attempted attacks on passwords last year.

That equates to an astonishing 87,671 each day.

Weak passwords remain an attractive target for scammers, as cracking them unlocks a treasure trove of sensitive data, including personal data, payment details, and medical records.

Kaspersky used telemetry data to track the 32 million attempts to break into password-protected accounts. That's a slight decrease from the 40 million attempts tracked by Kaspersky throughout 2022.

If you're unsure whether the password you're relying on to secure your online accounts is strong enough, make sure it's not featured in the list below.

The list of the most common passwords of last year was published by the team at NordPass – the password management software developed by the same minds as NordVPN – to highlight the lacklustre phrases used to protect sensitive data online.

According to the data, first published at the end of last year, "123456" remains in first place as the most commonly used password.

This uncreative password was used a staggering 4.5 million times by users online, researchers from NordPass revealed, with the word "admin" a close second with 4 million uses worldwide.

Numerical sequences crop up throughout the most common password list, with "123456", "12345678", "123456789", and "1234" all making it into the top five. In fact, one-third of the top 10 consists of numbers alone.

Hackers can break into accounts secured by passwords like "123456" and "admin" in under a second, researchers at NordPass confirmed. If you have any online accounts protected with one of these passwords, then it's time to change to something new – and much more secure.


To commemorate World Password Day (May 2, 2024), we've published the full list from NordPass below, so you can check whether your accounts are being protected by an easily guessed password. If your password is featured anywhere on the list below, change it now.

Top 10 Most Common Passwords In 2023

  1. 123456 (used 4,524,867 times)
  2. admin (used 4,008,850 times)
  3. 12345678 (used 1,371,152 times)
  4. 123456789 (used 1,213,047 times)
  5. 1234 (used 969,811 times)
  6. 12345 (used 728,414 times)
  7. password (used 710,321 times)
  8. 123 (used 528,086 times)
  9. Aa123456 (used 319,725 times)
  10. 1234567890 (used 302,709 times)

To compile the list, researchers scoured a database of 4.3TB (that's a whopping 4,300,000MB) extracted from a number of high-profile password leaks on the Dark Web to find the passwords that people relied on more than any others. NordPass only received statistical information from the researchers; there was no personal data included in the findings sent to the password management team.

It comes as a new study from the Institution of Engineering and Technology (IET) to mark World Password Day on Thursday found that 20% of the public were also using the same password for multiple websites and devices, with many using pet names or a significant date — all practices discouraged by cybersecurity experts.

This approach is despite 65% saying they are scared of being hacked in the future, and 84% saying they believe hackers are becoming more inventive.

The IET said it had published its research, which included a survey of 2,000 people aged 16 and over in the UK, to help raise awareness about the need for strong passwords.

The study highlighted what it said were misconceptions about password safety among the public, with 38% of people believing that replacing letters with numbers is more secure when it comes to a password, with a further 45% thinking it makes them harder to guess, which the IET said is not the case.

In its study, only 20% correctly said that using three random words was a more secure form of password.

Dr Junade Ali, cybersecurity expert and IET fellow, said: “In our evolving online world, having strong passwords is more important than ever as hackers are targeting multiple accounts of victims due to weak and predictable passwords. The IET’s research shows that 65% of people think passwords should never be written down, and 77% think changing passwords frequently makes them more secure, despite expert advice recommending otherwise.

“If you use the same password for every website and the password is breached from one site, all sites can be compromised without the attacker needing to try any other passwords – this is known as credential stuffing. However, there are some easy and simple ways to strengthen your defences against cyber threats.”

According to the research team at NordPass, people tend to rely on the weakest passwords for their streaming services, like Netflix, Disney+, and Prime Video, reserving their strongest passwords for online banking.

Commonly used passwords for streamers included the cringe-inducing "Netflix", "netflix123", "disney123", and "disney2020". While researchers found people typically reserved their best passwords for financial accounts, weaker options like "visavisa1" and "paypal123" still regularly crop up.

This is a pattern that comes up time and time again. NordPass found that different platforms influence password habits, with the fourth most common password used to secure accounts on Amazon being (surprise, surprise) "amazon".

Some websites have strict conditions for passwords, forcing account holders to use at least one letter, number, and special characters. These conditions have pushed passwords like "P@ssw0rd" into the top 30 passwords worldwide, but unfortunately, it's done little to make users' data safer. According to NordPass, "P@ssw0rd" can be unlocked by hackers in under one second.
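
The gap described above, as an added example that is not from the article or from NordPass: a typical composition policy accepts "P@ssw0rd", while a blocklist lookup that undoes common character swaps rejects it. The blocklist is built from passwords quoted on this page; the substitution table and the function names are assumptions made for illustration.

```python
import re

# Constructed blocklist: the top 10 from this page plus other passwords the
# article quotes. A real deployment would load a much larger breach corpus.
COMMON = {
    "123456", "admin", "12345678", "123456789", "1234", "12345", "password",
    "123", "aa123456", "1234567890", "netflix", "netflix123", "disney123",
    "disney2020", "visavisa1", "paypal123", "amazon", "password123",
}

# Assumed mapping that reverses the usual letter-for-symbol swaps.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def meets_composition_rules(pw, min_len=8):
    """Typical site policy: minimum length plus upper, lower, digit, special."""
    return (len(pw) >= min_len
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def candidates(pw):
    """Forms to look up: lowercased, swaps undone, trailing digits/symbols cut."""
    lowered = pw.lower()
    forms = {lowered, lowered.translate(LEET)}
    forms |= {re.sub(r"[^a-z]+$", "", f) for f in forms}
    return forms - {""}


def is_blocklisted(pw):
    """True if any normalised form of pw is a known common password."""
    return not COMMON.isdisjoint(candidates(pw))


if __name__ == "__main__":
    # Constructed inputs; the last one is a three-random-words passphrase.
    for pw in ["P@ssw0rd", "Netflix2024!", "Aa123456", "lantern-orbit-walnut"]:
        print(f"{pw!r}: policy_ok={meets_composition_rules(pw)} "
              f"blocklisted={is_blocklisted(pw)}")
```

The composition policy alone passes "P@ssw0rd" and fails the three-word passphrase, which is the opposite of what the research quoted here recommends.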

Password managers, like 1Password (pictured), can manage lengthy, unique alpha-numeric passwords for every online account and monitor the Dark Web for breaches and hacks


Tomas Smalakys, NordPass Chief Technology Officer, said: "With the terrifying risks password users encounter, alternative methods in online authentication are now essential.

"Passkey technology, considered the most promising innovation to replace passwords, is successfully paving its way, gaining trust among individuals and progressive companies worldwide. Being among the first password managers to offer this technology, we see people are curious to test new things, as long as this helps eliminate the hassle of passwords."

So, what should you do? NordPass recommends creating a strong password with at least 20 characters and a mixture of upper- and lower-case characters, numbers, and special characters. Personal information that could be easily guessed by those who know you – like birthdays, pet names, and hometowns – should be avoided. Always create a unique password for every online account, NordPass says.

If you're struggling to think of something, using the first letter from each word in a line of poetry, a saying, or a song lyric that you're unlikely to forget can be a great way to quickly generate what appears to be a completely random jumble of characters.


Password managers are also a popular way of securing your online accounts. These applications generate secure passwords for every account and store them in an encrypted safe that can be accessed from any of your devices. To log in, most of these applications only require a quick biometric check – facial recognition on the iPhone or a fingerprint scan on Windows PCs and Android.

NordPass is one option available alongside the likes of LastPass and 1Password.

Google and Apple both offer built-in password managers with their most popular products, dubbed Google Password Manager and iCloud Keychain respectively, that generate and store passwords.

Online accounts are increasingly turning to passkeys as a way to let users sign in to apps and sites the same way they unlock their devices – using a fingerprint, a face, or an on-screen PIN.

Unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than one-time codes sent via SMS. Microsoft, Google, Apple and the FIDO Alliance are working together to bring passkeys to the web as an industry standard.

WhatsApp, the world's most popular messaging service, recently added support for passkey login on iPhone, following in the footsteps of Elon Musk's X, formerly Twitter, which enabled the feature earlier this year.

Although there are high hopes for passkeys, with Google even calling its rollout "the beginning of the end of the password", they're unlikely to eliminate old-fashioned passwords for some time. For the time being, we're still stuck with passwords for a huge number of our online accounts. As such, it's time to ditch "password123" and think of something a little stronger.
