Gadget

As easy to hack as 1-2-3

South Africans are making their passwords easier to guess than ever before – despite a constantly rising tide of cybercrime in this country.

This year, the most common password in South Africa is “123456” – and it ranks first worldwide. The next two are as easy to guess – and rising in popularity.

This reckless – and even stupid – approach to protecting credentials is revealed by NordPass in the sixth edition of its annual Top 200 Most Common Passwords research. This year, NordPass also checked how corporate passwords people use to secure work accounts differ from those for personal accounts.


Individual users’ passwords in 2024 — what changed in a year?

Below are the top 20 most common passwords in South Africa. The full list is available here: https://nordpass.com/most-common-passwords-list/

  1. 123456
  2. password
  3. qwerty123
  4. Abcd1234
  5. 123456789
  6. qwerty1
  7. 12345
  8. 12345678
  9. Aa123456
  10. qwerty
  11. Password
  12. Password1
  13. 1234
  14. 1234567
  15. 1234567890
  16. P@ssw0rd
  17. 123abc
  18. password1
  19. 123love
  20. admin

The sixth time may be the charm, but not when it comes to people’s personal passwords. NordPass, which partnered with NordStellar to run the study, concludes that this year’s list again includes the worst possible choices for passwords. However, some trends are radically new and worth exploring.
 

According to NordPass’ study, 78% of the world’s most common passwords can be cracked in less than a second. Compared with last year’s 70%, this shows that the situation has worsened.

Corporate passwords are just as bad

Digging deeper, in this year’s edition of NordPass’ annual Top 200 Passwords study, researchers additionally investigated how passwords used for personal accounts differ from those used for work. The results are surprising: 40% of the most common passwords used among individuals and business representatives are the same.

Nevertheless, experts noted some interesting differences too. Default passwords such as “newmember,” “admin,” “newuser,” “welcome,” and similar are more commonly used for business accounts. Passwords presumably created for new users with the idea that they will change them, such as “newpass” or “temppass,” also often get leaked because people are not big fans of changing their passwords.

“No matter if I wear a suit and tie at work or I’m scrolling through social media in my pajamas, I am still the same person. This means that regardless of the setting I am in, my password choices are influenced by the same criteria — usually convenience, personal experiences, or cultural surroundings. Businesses ignoring these considerations and leaving password management in their employees’ hands risk both their company’s and clients’ security online,” says Karolis Arbaciauskas, head of business product at NordPass.

Hidden dangers

According to a survey previously conducted by NordPass, a single internet user has, on average, 168 passwords for personal use and 87 passwords for work use. Since managing this load is simply too complicated for most, experts say that it is only natural that people tend to create weak passwords and, of course, reuse them.

However, weak passwords created by company employees play into hackers’ hands: with brute-force, dictionary, or similar large-scale attacks, they can gain easy access to the company’s internal IT systems. In another common scenario, hackers break into the company using an employee’s leaked personal credentials, simply because the employee used the same passwords for both personal and work accounts.

How to properly manage your passwords for work and personal use

To avoid falling victim to cyberattacks because of irresponsible password management, Arbaciauskas recommends following a few simple but effective cybersecurity practices.
 

  1. Create strong passwords or passphrases. Passwords should be at least 20 characters long because the latest studies show that longer password length can do wonders. A secure password consists of a random combination of numbers, letters, and special characters. Alternatively, you can use a passphrase. Imagine it as a long string of random words — it shouldn’t be a line everyone knows.
     
  2. Never reuse passwords. The rule of thumb is that each account should have a unique password because if one account gets stolen, hackers can use the same credentials for other accounts.
     
  3. Switch to passkeys wherever possible. Passkeys are considered the most promising alternative to replace passwords for good. Most modern online service providers, including Google, Microsoft, and Apple, offer passkey support for their clients.
     
  4. Set up a password policy in your organization. Password managers allow companies to safeguard their credentials and effectively manage them, setting up password rules within the organisation. Multi-factor authentication (MFA) requirements should also be considered when adopting a password policy.
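
One way an organisation could turn the recommendations above into an enforceable check at password-change time, as an added example that is not part of the original article or any NordPass tooling. The blocklist and the 20-character minimum come from the article; the substitution map, the suffix stripping and the "effective length" heuristic are assumptions made for illustration.

```python
import re
import string

# Top 20 South African passwords as listed in the article.
TOP20 = ("123456 password qwerty123 Abcd1234 123456789 qwerty1 12345 12345678 "
         "Aa123456 qwerty Password Password1 1234 1234567 1234567890 P@ssw0rd "
         "123abc password1 123love admin").split()
# Default and temporary passwords the article names for business accounts.
DEFAULTS = ["newmember", "newuser", "welcome", "newpass", "temppass"]
MIN_LENGTH = 20  # minimum length recommended in the article

# Assumed map for undoing common character swaps (P@ssw0rd -> password).
SWAPS = str.maketrans("@0$3!", "aosei")

def canon(pw):
    """Case-fold and undo common swaps so trivial variants compare equal."""
    return pw.lower().translate(SWAPS)

# Blocklist entries are canonicalised the same way as candidates.
BLOCKED = {canon(p) for p in TOP20 + DEFAULTS}
# Longest entries first so a long blocked string wins over its own prefix.
_TOKENS = re.compile("|".join(
    re.escape(t) for t in sorted(BLOCKED, key=len, reverse=True)))

def violations(pw):
    """Return the policy violations for pw; an empty list means it passes."""
    found = []
    c = canon(pw)
    # "Welcome1" and "P@ssw0rd2024!" are blocked words with a suffix bolted on.
    stem = canon(pw.rstrip(string.digits + string.punctuation))
    if c in BLOCKED or stem in BLOCKED:
        found.append("common or default password")
    if len(pw) < MIN_LENGTH:
        found.append(f"shorter than {MIN_LENGTH} characters")
    # Assumed heuristic: characters contributed by blocked strings do not count.
    elif len(_TOKENS.sub("", c)) < MIN_LENGTH:
        found.append("length comes from chaining common passwords")
    return found

if __name__ == "__main__":
    # Constructed sample inputs, not taken from any leak.
    for sample in ["123456", "P@ssw0rd2024!", "Welcome1",
                   "password123456qwerty123", "maple-orbit-quartz-lantern-47"]:
        print(f"{sample!r}: {violations(sample) or 'ok'}")
```

A check like this only rejects known-bad choices; it does not measure randomness, so it complements rather than replaces generated passwords, passkeys and MFA.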