Don’t Get Hacked! Here Are the Worst Passwords of 2023

Using a strong, complex password is like building a fortress made of unbreachable stone walls around your online accounts and personal information. A weak password, on the other hand, is like a small picket fence. Pretty much anyone can climb over it, and it stands no chance against more sophisticated forms of attack. So … which type of password do you use?

If you’re still using the worst passwords listed below, it’s time to tear those picket fences down and start building better security around your online accounts. And unlike an actual stone wall, it doesn’t take much time and effort to create a strong password. Read on to see what the worst passwords are and learn how to boost your digital security by creating passwords that are hard to crack.

What Are the Worst Passwords?

Weak passwords are either too predictable, too short, too simple or too common. The worst of the worst, however, share all four of those qualities.

• Running numbers: It’s bad enough if your password can be cracked using just the number pad of a keyboard. It’s even worse if your numbered password follows a certain sequence, like “123456” or “123456789,” or just one number repeated several times, like “111111.”
• Clustered keys: Passwords made up of clustered keys such as “qwerty,” “asdfgh,” “1q2w3e” make for good finger exercises, but that’s about all they can provide. Those passwords are too predictable, and they are usually the first combinations hackers try when cracking passwords manually.
• Common phrases: According to NordPass, a password manager brand, more than 220,000 women and 96,000 men in the United States use “iloveyou” as their password.1 Some of them probably think they’re being ingenious by using a passphrase instead of a password, but NordPass’s study says otherwise. Other common passphrases are “letmein” and “trustno1.”
• Curse words: Speaking of studies, we conducted our own research on America’s password habits and found that 42 percent of respondents use curse words in their passwords. The only hackers that’s stopping are those who don’t know any curse words, and we’re not sure there are any.
• “Password” and variations of it: Contrary to what some might think, “password” is not a good password, and “strongpassword” is not a strong password. Other variations to avoid include “password1” and “incorrect” (as in “your password is incorrect”).
• Common names: Some take the advice to use passwords personal to you too literally that they use their own names or the names of someone close to their hearts. That might be fine if the name is long and unique — like Hubert Blaine Wolfeschlegelsteinhausenbergerdoff (yes, that’s a real name) — but if the name is Princess, or Hannah, or Bob, forget about including it in your password.

Obviously, there are many other bad passwords that deserve to be on the list, but those above are the worst of the worst because they’re the easiest to crack. Forget hackers, even monkeys can crack those codes.

Jokes aside, the reality is we’re not just dealing with hackers who are good at guessing. Modern hacking techniques involve the use of computer programs, algorithms, and data analysis. Those things make hackers ultra efficient and allow them to crack weak passwords in mere nanoseconds. You can see it for yourself; enter any of the worst passwords we mentioned above into our Password Strength Tool, and you’ll see that most of them can be cracked instantly.

Hackers are also moving away from targeting specific people to hacking en masse and pillaging whatever digital information they can find. Some may think they have nothing of value to hide and they’re not being targeted, so it’s okay to use unsecure passwords, but that can’t be further from the truth.

Every bit of information can be valuable to hackers, particularly if your accounts contain personally identifiable information such as your name, email address, or phone number that they can sell to data brokers, advertisers, and others who might be interested. They can actually make a decent living selling data from just a few thousand hacked accounts, so if you ever think you’re not an active target, think again. For the sake of your own privacy, never use a weak password.

Birthdays and Anniversaries: Are Those Passwords Really That Bad?

Let’s talk about something else, a piece of advice that digital security experts have been repeating for years: Don’t use birthdays and anniversaries (or any memorable date) for passwords. Does it still hold true today?

The problem with using dates for passwords is that they’re too easy to find out. Skip public records; you can find out a person’s birthday or a couple’s anniversary from their social media posts, tweets, blog posts, and such. With the amount of information we share online, birthdays and anniversaries aren’t exactly obscure enough to be used as passwords.

Here’s another perspective: Around 350,000 babies are born globally every day. That’s 350,000 individuals who could potentially choose to use the same password as you. We haven’t even counted the people in their lives who might use their birthdays as passwords — their parents, spouses, even best friends! Important dates are simply too common of a choice for a password, and that makes them unsecure.

So to answer the question, yes, the advice not to use important dates as passwords still holds true today. Birthdays and anniversaries may not be in our list of the worst passwords, but they are still easy to crack and therefore make poor passwords.

So How Do You Choose a Strong Password?

It’s actually easy to choose a strong password. Just take what weak passwords are — predictable, common, simple, and short — and do the opposite. A strong password must be:

• Random: Don’t use words, phrases, names, and acronyms. The more random, the better. Even just mashing your keyboard works, as long as it generates passwords that meet the other criteria.
• Complex: Mix things up! Don’t use just letters and numbers. Adding special characters and mixing together uppercase and lowercase letters can exponentially improve your chances of not getting hacked.
• Long: The length of your password also plays a role. Most websites today require passwords that are at least eight characters long, but for a password to be truly secure, we recommend using at least 12 characters.

Creating a strong password is just the first step, though. There are other things you can and should do to improve your digital security, such as using a different password for each online account, utilizing password management tools to store passwords securely, and adding two-factor or multifactor authentication whenever possible. Head over to our in-depth guide to password security to learn more.