Summary: KnownHost recently conducted a study examining the most commonly used passwords and how likely each is to be compromised, measured by how often it appears in recorded data breaches. The study took the top 200 global passwords (sourced from NordPass) and counted their occurrences in breaches from 2007 to 2025 using Have I Been Pwned. All of these passwords consist solely of letters and digits, with no special characters: 65.5% were alphanumeric combinations, 23.5% were letters only, and 11% were digits only. They ranged in length from 4 to 15 characters, with eight characters being the most common.
The study found that the five most hackable passwords consist mainly of runs of consecutive digits from 1 to 9. At the top of the list is "123456," which has been used over 3 million times and was involved in more than 50 million breaches. In second place is "123456789," appearing 1.6 million times and linked to over 20.5 million breaches. "1234" ranked third; KnownHost notes it can be cracked in under a second. Among letter-based passwords, "password" ranks sixth, used 692,000 times and associated with 11 million breaches. Other noteworthy entries include "admin" in eighth place and "abc123" in tenth, both of which have appeared extensively in breaches.
Security Officer Comments: Last year, the National Institute of Standards and Technology (NIST) updated its password security guidelines in NIST Special Publication 800-63B, marking a shift from traditional practices toward better security and a better user experience. One key change is NIST's new stance on password complexity: rather than requiring arbitrary combinations of uppercase letters, numbers, and special characters, the guidance treats password length as the primary indicator of strength. NIST recommends a minimum length of 8 characters, prefers longer passphrases, and advises allowing passwords of up to 64 characters. Another notable change is the elimination of mandatory periodic password resets, which NIST argues tend to produce weaker, more predictable passwords; passwords should be changed only when there is evidence of compromise. NIST also recommends checking candidate passwords against lists of commonly used or previously compromised passwords and rejecting any that appear on such lists. Additionally, NIST advises against password hints and knowledge-based authentication, both of which are easily bypassed.
Suggested Corrections: In addition to adhering to NIST's password security guidelines, organizations should implement multi-factor authentication (MFA) wherever possible, adding a layer of protection against unauthorized access when a password has been compromised. It is also crucial that passwords are not reused across platforms and accounts, since reuse turns a single leak into a widespread compromise. Organizations should encourage the use of password managers to help users generate and securely store strong, unique passwords. Furthermore, maintaining blocklists of commonly compromised passwords prevents those passwords from being chosen in the first place and raises overall security.
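The following is an added example, not code from KnownHost, NIST or Have I Been Pwned, showing how the two checks recommended above (NIST SP 800-63B length rules with no composition requirements, plus a compromised-password blocklist) can be enforced at password-set time. The blocklist is constructed from the passwords named in the summary; the breach check uses the k-anonymity pattern of the Pwned Passwords range API (send the first five hex characters of the SHA-1 hash, compare suffixes locally) against a constructed, in-memory stand-in for the range response, so it runs offline. The function names and the breach counts in the stand-in data are assumptions made for this example.

```python
import hashlib
import unicodedata

# Blocklist constructed from the passwords named in the KnownHost summary.
BLOCKLIST = {"123456", "123456789", "1234", "password", "admin", "abc123"}

# NIST SP 800-63B: at least 8 characters, allow at least 64, no composition rules.
MIN_LEN, MAX_LEN = 8, 64


def normalize(pw: str) -> str:
    """NFKC-fold the password so visually identical inputs hash identically."""
    return unicodedata.normalize("NFKC", pw)


def sha1_prefix_suffix(pw: str):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent to the
    range API and the 35-char suffix compared locally (k-anonymity)."""
    digest = hashlib.sha1(normalize(pw).encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for range responses: prefix -> "SUFFIX:COUNT" lines.
# The suffixes below are the real SHA-1 remainders of "password" and "123456";
# the counts are made-up values for this example.
FAKE_RANGE_DATA = {
    "5BAA6": [
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:10000",
        "00000000000000000000000000000000000:2",
    ],
    "7C4A8": ["D09CA3762AF61E59520943DC26494F8941B:50000"],
}


def local_range_lookup(prefix: str):
    """Offline replacement for an HTTP GET of /range/{prefix}."""
    return FAKE_RANGE_DATA.get(prefix, [])


def breach_count(pw: str, range_lookup=local_range_lookup) -> int:
    """Return how many times the password appears in the (stand-in) breach corpus.
    Only the 5-char prefix ever leaves the process; the suffix match is local."""
    prefix, suffix = sha1_prefix_suffix(pw)
    for line in range_lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_password(pw: str, range_lookup=local_range_lookup):
    """Return the list of reasons a password is rejected; an empty list means accept.
    No uppercase/digit/symbol rules and no expiry: only length and known-bad checks."""
    reasons = []
    n = normalize(pw)
    if len(n) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(n) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if n.lower() in BLOCKLIST:
        reasons.append("on the common-password blocklist")
    count = breach_count(n, range_lookup)
    if count:
        reasons.append(f"seen {count} times in breach data")
    return reasons


if __name__ == "__main__":
    for candidate in ["123456", "password", "correct horse battery staple"]:
        verdict = evaluate_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Swap `local_range_lookup` for a function that performs the real range request to plug the same logic into an account-creation or password-change handler; the caller never transmits the full hash, which is what makes the check safe to run against an external service.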
Link(s): https://www.knownhost.com/blog/most-hackable-passwords/