According to NordPass’ most used passwords list, the United States had more than 1.6 billion passwords leaked in 2021; that’s an average of 5 leaked passwords per person. Among those passwords compromised last year, most took less than one second to crack.
The 10 most common passwords of 2021 are:
Other interesting standouts from this year’s report include:
Onedirection ranked highest in several countries, rebounding from a dip in popularity in 2020.
Swear words were popular, especially with male users.
No surprise to football fans, Liverpool was one of the most popular passwords worldwide.
See your password (or part of one) on the list? Whether you were compromised in 2021, or your accounts are holding strong, the new year is a great time for a password refresh. Here’s how to create a stronger password to keep all your accounts safe in 2022.
Create complex passwords
The longer and more varied your passwords, the better. A good rule of thumb for personal account passwords is to stay between 8-15 characters. For business accounts, you’ll want to create passwords between 12-20 characters. As the number of characters increases, so does the number of combinations a hacker needs to scan to crack the code.
Another way to increase the time and effort needed to crack your password is to include numbers, symbols and alternating upper and lowercase letters. NEVER use sequential number, letter or keyboard combinations or the word “password” for any of your accounts.
Common phrases (including swear words) have become some of the most popular, and most cracked, passwords in recent years. Avoid using simple phrases like “iloveyou” or “f*ckyou” as passwords, and incorporate more variety in case, length, and symbols instead.
Never reuse passwords
We know that creating new passwords for each account can seem like overkill, but this practice can protect you from having to update every login if your email address or password for one account gets hacked. If a new password for every account is too much, you should at least use a new password for each type of account; one for social media, one for banking, one for healthcare logins, etc.
Never share passwords between personal and business accounts, and never reuse passwords for things like social media and banking. While this trick increases security a little, creating unique passwords and using tricks to make them more memorable will always be the safest option.
Never use names and personal info for passwords
Whether you realize it or not, public records like your name, birth date, addresses, and family information are all accessible through a relatively simple internet search. So, it’s a good idea to avoid using things like your name, pet names, family member names, your birthday, or any other easily identifiable information as part of your password.
If a hacker is targeting you for an attack, they're going to use all information at their disposal to crack your password. Many of the quizzes or "get to know me" trends on social media can reveal answers to common security questions used to protect your accounts. It’s important to be mindful of the personal information you share online, even on private accounts.
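The rules from the sections above (length, character variety, no sequential or keyboard runs, no common words, no personal details) can be expressed as a small checker. This is an added example, not part of the original article; the function names, the four-character run threshold and the short COMMON list are assumptions made for illustration.

```python
import math
import string

# Constructed sample list; in practice, load a published breached-password list.
COMMON = {"password", "iloveyou", "liverpool", "onedirection"}
# Keyboard rows plus alphabetic and numeric order, checked forward and reversed.
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             string.ascii_lowercase, string.digits]

def char_classes(pw):
    """Return which of the four character classes appear in pw."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
    }

def keyspace_bits(pw):
    """Upper bound on brute-force effort: length * log2(alphabet size)."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
    alphabet = sum(sizes[k] for k, used in char_classes(pw).items() if used)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive characters of any sequence."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False

def audit(pw, personal=(), min_len=8):
    """Return the list of rules pw breaks; an empty list means it passed."""
    low, issues = pw.lower(), []
    if len(pw) < min_len:
        issues.append("too short")
    if not all(char_classes(pw).values()):
        issues.append("missing character classes")
    if has_sequence(pw):
        issues.append("sequential or keyboard run")
    if any(word in low for word in COMMON):
        issues.append("common word or phrase")
    if any(len(p) >= 3 and p.lower() in low for p in personal):
        issues.append("contains personal info")
    return issues
```

Pass `min_len=12` for business accounts, and supply names, pet names and birth years in `personal`. The bit count from `keyspace_bits` is only a ceiling: a password that trips the common-word or sequence checks falls to a dictionary long before the full keyspace is searched.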
Use patterns to remember your passwords
Patterns and memorable phrases are a great way to remember your unique account passwords. One trick is looking to things like movies or literature to help create a more memorable password. For example, 'To be, or not to be that is the question'. Using the tips we know about character count and variety, we could translate this into a strong password:
While this is a common phrase, including multiple words, symbols, numbers and alternating upper and lowercase characters makes the password harder to crack.
Another strategy combines odd, unrelated words to create a password with personal meaning. This could be historical figures, a favorite hometown business, landmarks or even words in other languages. The less association between them, the better. For example:
Selecting words that conjure a certain style or mental image will make them easier to remember.
However, if an actual sentence seems more manageable, you can also create a secure password from a seemingly random phrase. For instance, "I Make Eggs on Sunny Mondays" becomes:
Change passwords regularly
For business accounts, you should be changing your password every 90 days. For personal accounts, you can extend the time between changes to every 6 months. Try adding a recurring reminder to your phone or calendar to remind you when it’s time for a refresh.
Regularly checking for your emails and passwords in any known data breaches can help you stay one step ahead of hackers. Tools like Mozilla's Firefox Monitor will search your email address against public data breaches and notify you if any accounts tied to your email address have been compromised.
Use two-factor authentication
Two-factor authentication (sometimes called 2FA) is an extra security measure requiring you to enter additional information (usually a code or PIN number) before logging into an account. With 2FA, anyone with your password will still need access to your cell phone number or email address to gain access to your account. Many apps and websites utilize text messaging to send 2FA codes, but this method can still leave you vulnerable to attacks.
The safest way to receive two-factor authentication codes is to use a third-party app like Microsoft Authenticator. As a bonus, you'll have the option to register your trusted devices, preventing you from having to enter a code every time you sign in on that device. Make sure to only select this option on your personal devices—not shared computers or devices belonging to your employers.
Use a password manager to keep track
If these tricks don’t give you the confidence to remember your passwords, a password manager can help you keep track by storing all your passwords in one place. Popular browsers like Chrome and Firefox will offer free password managers tied to another password-protected account. But that’s not to say your passwords are 100% safe. Premium third-party password keepers offer a higher level of security than those of your favorite web browser.
(Check out PC Mag’s list of recommended password managers here)
Remember, if your password manager’s “master password” is cracked, all your accounts become compromised. We recommend taking extra precautions to create the strongest possible password for these accounts:
Using a minimum of 15-20 characters
Using alternating letter cases, numbers and at least 2 symbols
Not reusing any words, letter patterns, or numbers or symbols from other passwords
Changing your master password regularly (every 3-6 months)