Skip to main content

Here's 2022's worst passwords — don't use any of these

A Post-It note stuck to a keyboard and bearing the words 'password' and '*****'.
(Image credit: Wirestock Creators/Shutterstock)

It's March 2022, there's war in Eastern Europe, the COVID-19 pandemic seems to be winding down — and the world's most commonly used passwords haven't changed in years. They're still the worst passwords you could possibly use.

These poorly-thought-out passwords include gems like "123456", "password" and "qwerty" (the first six letters on a standard English-language keyboard). Other winners are "111111", "123456789" and the mildly ingenious "1q2w3e" (a fun little finger dance on a keyboard — try it yourself).

This list isn't taken from a single source. All appear on a list of the 20 passwords most commonly found in dark-web lists compiled from data breaches, per Lookout via a recent CNBC article (opens in new tab). They're also on NordPass's list of 2021's 200 most common passwords (opens in new tab)  and its 2020 list as well. You can also find them on CyberNews's top 10 list of 2022 (opens in new tab).

Going back further, the same passwords appear on a massive password list compiled by security researcher Ata Hakçıl in mid-2020, a somewhat smaller list put together in 2019 by the U.K.'s National Cyber Security Centre and HaveIBeenPwned.com (opens in new tab) and Keeper Security's list of 2016's 25 most common passwords (opens in new tab). Most are on SplashData's lists of the 25 most common passwords from 2011 through 2019 (opens in new tab).

The most recent lists of lousy passwords

Only the rankings among these seem to change. Here's the Top 10 list that Lookout sent us a month ago (we're waiting for information about how it was compiled), plus the 11-20 entries that Lookout gave CNBC:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 12345
  6. 12345678
  7. 111111
  8. 1234567
  9. 123123
  10. qwerty123
  11. 1q2w3e
  12. 1234567890
  13. DEFAULT
  14. 000000
  15. abc123
  16. 654321
  17. 123321
  18. qwertyuiop
  19. Iloveyou
  20. 666666

Here's NordPass' 2021 Top 10:

  1. 123456
  2. 123456789
  3. 12345
  4. qwerty
  5. password
  6. 12345678
  7. 111111
  8. 123123
  9. 1234567890
  10. 1234567

And CyberNews' early-2022 entry:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 12345
  6. qwerty123
  7. 1q2w3e
  8. 12345678
  9. 111111
  10. 1234567890

Needless to say, this is sad. It shows that many people just can't be bothered to protect themselves online. If you're using any of these terrible passwords, or anything that even looks like them, stop doing so immediately. 

How to use passwords correctly

It takes just a little effort to come up with good, strong passwords. For example, if you take four random words of five letters or more and string them together in every possible way, you'll end up with 24 strong, hard-to-guess but easy-to-remember passwords. 

Let's review the three cardinal rules of passwords.

— Make every password long and strong. Each password should be at least 16 characters long. Ideally, they should include capital letters, digits and punctuation marks, but if they're 20 characters or more you can probably get away with all lower-case letters. 

Never reuse a password, because that makes the damage from data breaches much worse. If one account of yours is compromised in a data breach, then every account with which you use the same password and username should also be considered compromised.

— Don't use personal information in your passwords. You may love your pet, but don't use its name in your password. Don't use your own name, your hometown, your birth year, or the names of any of your loved ones. "FluffyMcKenzie69" may be long and contain upper-case letters and digits, but it's still not a great password.

We strongly recommend doing two other things which are slightly inconvenient but will make your online accounts much safer.

— Set up two-factor authentication on every online account that allows it. This requires you to enter a one-time code or plug in a USB security key when you're logging in from a new device, but it also means that crooks who steal your passwords won't be able to log in.

— Use a password manager. These programs and online services remember your passwords for you, and also help you generate new ones. All you need to remember is the password for the password manager. Most of the best password managers have both free and paid service tiers, and a few are entirely free.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.