Hackers heavily target simple, predictable passwords like "123456," "password," "123456789," and "qwerty," as they're easy for automated tools to crack instantly. Common words, names (like "admin," "eva"), and simple number sequences are also frequently used, often linked to usernames. Common weak patterns involve sequential numbers, keyboard layouts, or repeating characters, making them extremely vulnerable to brute-force attacks.
Key takeaways. The most common password patterns are just a series of numbers: 123456, 123456789, and 12345678. People are more likely to choose an easy-to-remember password over a more secure one.
The "8 4 Rule" for strong passwords is a guideline requiring a minimum length of 8 characters (the "8") and the inclusion of 4 different character types (the "4"): at least one lowercase letter, one uppercase letter, one number, and one special symbol, creating a complex, hard-to-guess password. While once a standard, modern advice often emphasizes length and passphrase-style passwords over strict complexity rules for better usability, though the principles of mixed character types remain important.
Three random words generate a password that is not only long enough to thwart brute force attacks but also complex enough to resist common guessing techniques.
– that 8675309 is the fourth most commonly used 7-digit password. (If you're wondering, the “no surprise” most popular 7-digit password is 1234567.)
Human brains were responsible for choosing passwords like "123456", "password," and "qwerty." But there is no way that 91,103 people independently chose to secure their accounts with "18atcskd2w." Instead, what I believe happened is that these accounts were created by bots, perhaps with the intention of posting spam ...
A strong password is: At least 12 characters long but 14 or more is better. A combination of uppercase letters, lowercase letters, numbers, and symbols. Not a word that can be found in a dictionary or the name of a person, character, product, or organization.
“Cucumbers are tasty” -> “dvdvncfst bsf ubtuz”
Another clever way of creating strong passwords is to turn song lyrics into acronyms. This means using only the first letter of each line of your favorite song. So, “Shine on you crazy diamond” by Pink Floyd becomes “rsnsybccystswrcc.”
Many of the stolen passwords were embarrassingly simple. Variations of “password123,” “123456,” and “linkedin” (creative, right?) were found everywhere. This breach wasn't just an inconvenience—it was a gateway for hackers to access other accounts, since many users reused the same password across multiple platforms.
A strong password follows ALL THREE of these tips.
Most hackable passwords
Second came “123456” followed by the slightly longer “123456789.” Rounding out the top five were “guest” and “qwerty.” Most of those log-ins can be cracked in less than a second.
While there are multiple ways that threat actors crack passwords, here are a few of the most common:
Brute Force Attack
Use a complex password. The difference between an all-lowercase, all-alphabetic, six-character password and a mixed-case, mixed-character, ten-character password is enormous. As your password's complexity increases, the chance of a successful brute force attack decreases.
10 common passwords include 123456, 123456789, 1234567890, 12345678, password, qwerty, qwerty123, 111111, 000000, and iloveyou.
More than 90% of successful cyber-attacks start with a phishing email.
The term 'pwned' comes from video game slang and is a leetspeak variant of the word 'owned'. It originated from a typing mistake (typing 'p' instead of 'o') and came to signify that someone has been defeated. In security terms, if your account was 'pwned', it means it was involved in a data breach.
Poor passwords also include your kids' names, birthdays, your current street name and your pets' names… all of which is information others can easily access.
A password is a word, phrase, or string of characters intended to differentiate an authorized user or process from an unauthorized user, for the purpose of permitting access (such as via logging in). Defined another way, a password is used to prove one's identity, or authorize access to a resource.
The Least Common PINs
According to the same data, the least commonly used 4-digit PIN is 8068, with just 25 occurrences out of the 3.4 million passwords examined — a minuscule 0.000744% frequency. The 10 least popular 4-digit PINs found in the study's dataset, starting with the least common, are: 8068. 8093.
A password shouldn't contain any consecutive letters or numbers (e.g. ABCD, 1234). A password shouldn't be the word “password” or the same letter or number repeated.
Because our normal number base is 10, so that is all we need. These symbols, known as “Arabic numerals,” were adopted from India and the Middle East to replace the Roman numeral system, IVXLCDM, which was non-positional, lacked zero, and had only 7 numeral symbols borrowed from the alphabet.