Skip to content

Most of the world’s most popular passwords can be cracked in under a second

Hackers who use brute force attacks can easily compromise accounts with weak passwords, according to Nordpass.

Binary code, password vulnerability taking out with tweezers, selective focus

Image: MyImages_Micha, Getty Images/iStockphoto

Passwords have turned into a necessary evil, particularly for people who use dozens or hundreds of apps, websites, and other services. Follow the usual rules and create a strong, complex password for each account, and there’s no way for you to manage them all on your own. Break the rules and use the same weak passwords on all or most of your accounts, and you risk the threat of compromise from hackers.

SEE: Cybersecurity: Let’s get tactical (free PDF) (TechRepublic)

More about cybersecurity

But just how vulnerable are you if you do use weak or popular passwords? New research from password manager Nordpass shows just how quickly a hacker can crack a popular password.

Around 70% of the world’s most popular passwords can be cracked in less than a second, according to Nordpass. The passwords to which the company is referring are 9 of the 10 most popular passwords used in 2019. The following table lists the passwords along with the time it takes to crack them and the number of times they’ve been compromised in data breaches.

Password How long does it take to hack? How many times has it been exposed?
12345 Less than a second  2,380,800
123456 Less than a second  23,547,453
123456789 Less than a second  7,799,814
test1 Less than a second  13,518
Password Less than a second  130,999
12345678 Less than a second 2,938,594
zinch Less than a second 14
g_czechout 12 days Never
asdf Less than a second 315,892
qwerty Less than a second 3,912,816

Hackers can use a range of tricks to try to obtain passwords used for online accounts. But the most common method is the brute-force attack, which relies on automated tools to do the dirty work. Under this scenario, cybercriminals gain access to certain account information through a data breach. Most websites, at least secure ones, don’t store your passwords in plain text; rather your passwords are saved using some type of encryption algorithm. In this case, the hackers learn the names, email addresses, street addresses, phone numbers, and other data for each breached account. The password is the one missing element.

To crack your password, hackers might first use a brute-force attack tool to run through all the popular and common passwords. Next, they may scour your other account information for clues to your password. Some cracking tools can modify these details by adding more data such as numbers or special symbols.

SEE: The end of passwords: Industry experts explore the possibilities and challenges (TechRepublic)

Hackers can also translate words into Leetspeak, which converts letters to numbers or special characters. As an example, the word “password” might become “p422W0Rd.” They can also use rainbow tables, which try to match plain-text passwords with their hashed values. Further, hackers will look for more of your breached online accounts to see whether you’ve reused the same password. In the end, the weaker your password, the more vulnerable you are to account compromise.

“Millions of people still use generic, popular, and widely-used passwords,” Chad Hammond, a security expert at NordPass, said in a press release. “While these might be easier to remember, people are doing hackers a huge favor by using them, as it will only take a second to crack such a weak password.”

To protect your online accounts and passwords, Hammond offered the following tips:

  1. Use a password generator. “Password generators are great tools that can generate complex passwords in seconds,” Hammond said. “Sadly, they are still massively underused. Recent research by Kaspersky suggests that a whopping 83% of respondents make up their passwords instead of using some sort of tool that will do it for them.”
  2. Go over all your accounts and delete the ones you no longer use. If a small, obscure website ends up breached, you might never even hear about it. Use a site like to see if your email has ever been compromised.
  3. Use two-factor authentication (2FA) if you can. Whether it’s an app, biometric data, or hardware security key, your accounts will be much safer if you add that extra layer of protection.
  4. Regularly check each of your accounts for suspicious activities. If you notice something unusual, change your password immediately.

Also see