123456 and other weak passwords of 2021, surely we can do better

Leonard Sengere Avatar

Several security researchers have released their findings on the most common passwords of 2021. It appears that the message is not getting through because the same weakest of the weak passwords are still the most common. 

Just to make it clear just how terrible they are, Nordpass has gone further and included the time it would take to crack them. See for yourself.

Top 20 passwords of 2021

  1. 123456 
  2. 123456789
  3. 12345
  4. qwerty
  5. password
  6. 12345678
  7. 111111
  8. 123123
  9. 1234567890
  10. 1234567
  11. qwerty123
  12. 000000
  13. 1q2w3e
  14. aa12345678
  15. abc123
  16. password1
  17. 1234
  18. qwertyuiop
  19. 123321
  20. password123

These are all useless, and unfortunately, the whole list up to number 200 is made up of similarly weak ones. Further down the line, we see passwords like ‘thomas’ and many other names. Usually names of children or pets.

So, just how long would it take to crack the 20 most common passwords? 

Less than 1 second for each and every one of them, save for number 14, which takes all of 2 seconds to crack. It’s as good as there is no password to be honest.

Why do we use such weak passwords?

  1. Too many signups – With more of our lives being lived on the internet, we have to sign up to a lot of online platforms and services. The advice we get is to not use the same password for the different platforms and so we are expected to come up with and remember a lot of passwords. Sometimes we are even prohibited from using the password we use for other platforms during the signup process for a new platform. In the end we just end up using number 17 ‘1234’ to get it over with.
  2. We don’t think it’s a big deal – Sometimes when forced to create an account for a service like Quora, one just does the bare minimum. The simplest password you know you won’t forget for a platform where you are not chatting with friends or posting any pictures. If someone were to hack into your Quora account, truth is, you probably wouldn’t care one bit. Hence the nonchalance.
  3. Naivety / Ignorance – sometimes we think it’s quite clever to use something like ‘1q2w3e’. It’s not. The one I use on my internet banking platform is much more clever than that, ‘5edP&%–KL__0@*TRp”. You are not hacking that in 1 second I’ll tell you that. Just kidding, don’t do that, never ever share your password, even with supposed bank officials.
  4. Being forced to change passwords regularly – system admins should note this. When you force us to change passwords every other month, we are going to use simple and weak ones we can remember, as research has shown.

Why it’s a mistake to think that way

Some of the lazy efforts are because we think we just aren’t targets. It’s hard to imagine a skilled team of hackers in Russia trying to get into my Facebook. After all, what would they want with me and the $5.73 in my bank account?

To be honest, most of us just aren’t targets for such hackers. That doesn’t mean we should get complacent. It may not be an international gang of hackers but there are people who would cause havoc for you if they accessed your account. 

How many times have you seen some people you know apologising after they posted lewd pictures on their Facebook? “I was hacked,” is usually the claim. We don’t believe most of them but some of them were indeed ‘hacked’ by people close to them. With weak passwords like the ones above, it is easy for a menace to cause you untold embarrassment.

To consider also is that access to your various accounts helps paint a clearer picture of you. Your family and their names, your pets, your hobbies, what you search for etc. Thus making it a little easier to ‘crack’ the passwords to other more important accounts. Here in Zimbabwe, a lot of people have been blackmailed by hackers who have compromising messages or pictures. So you definitely can be a target too.

Password managers

There are services called password managers and they could help us with this weak protection problem of ours. These managers will create and remember strong passwords for you. That way you could use virtually unhackable passwords for all your accounts. 

All you will have to remember is one, the master password. Since it is just one password you will have to remember, it can be a strong one. That makes for better security.

Password managers are not perfect but if it means ‘password’ won’t be used as a password, we might as well use them. You can check out the best managers here.


What’s your take?

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  1. Scorched earth

    Seems the password password stands strong in the password rankings,lmao.

    1. Leonard Sengere

      😂😂😂😂😂 Indeed.

  2. rodrick

    Even if u put a hundred word password if a hacker wants to hack u they will.

    1. Leonard Sengere

      I guess that’s the other reason I should have put, the ‘it doesn’t matter anyway’ gang. While it is true that if you are personally targeted by professional hackers you’re gonna get hacked, it’s also true that the stronger the password, the harder it is for them to do so. Why make it easier for them? In reality though, it is your 2nd teenage cousin likely to hack you, so…

  3. Two Boy

    I often use one password on most social sites but with the characters, numbers and letters rearranged. I manually back them up.

    1. Leonard Sengere

      That’s one of the things that comes up in research. When we’re forced to come up with long complicated passwords, we end up writing them down somewhere. Thereby risking everything as a hacker getting access to that, gets all our passwords.

  4. Anonymous

    Just try this one in its weakest form

    1. Geraldo

      Missing special characters $*”‘#@!

      1. Anonymous

        In its weakest and simplest form

  5. Pwned No More

    I caught a young shock on haveibeenpwned.com a few years ago. Back then I had 1 core password with a few variants and had about 6 accounts compromised including my trusty secondary email account. Luckily, the only negative outcomes I became aware of were (probably) contact harvesting and a half hearted attempt to steal my twitter account, probably using guesses based on those leaked kiddy-grade passwords. At that point, I just accepted the fact that I had too many accounts for me to safely manage on my own, so i surrendered to two of the trinity, Apple and Google, and let them take the wheel. Those are now the only 2 accounts that i use personally created passwords for (over 20 freakin characters😅), all notifications and practical authentication methods activated. Its not on the level of having my own hardware key, but its way better than adding a few number combinations to the same core password like I used to do!

    1. Leonard Sengere

      It’s crazy that almost all of us resisted password managers for a while. Thinking those tiny variations we all use will do the trick. Once you surrender to the managers, you realise life is a little easier. I am a Google guy myself. I only ever use Chrome on my PC and an android phone so Mr G does it for me. Two factor authentication enabled, I rest a little easier, just a little. I’m not yet at the hardware key paranoid level, my set up works for now.

      1. Imi Vanhu Musadaro

        Password managers can be hacked too, but my main problem with them is the platform tie in. You are now forced to use certain browsers or OSes in most instances.

        With the progression of time, hackers will be concentrating their efforts on compromising these tools because the reward is greater. But, unless you are protecting corporate cloud accounts or high value crypto-wallets, a hardware dongle might be too much.

        1. Leonard Sengere

          That’s what kept me from password managers for a long time. If they hack LastPass then they have access to every single password of mine? That’s a terrifying thought.

          At this point, I’ve surrendered to Google. I’m tied in tight. There’s no escape for me and I’m okay with it for now. The problem for me will come when I see a better platform/ecosystem. I’ll cross that bridge then I guess.

          I agree that hardware keys to protect the spam in my email, or cringey FB posts is overkill.

2023 © Techzim All rights reserved. Hosted By Cloud Unboxed