written by
Becca Calloway

Think Weak Passwords Aren’t a Problem? Check These Real-World Examples


A recent report revealed the most common passwords in 2024. Spoiler alert: it isn’t pretty.

Every year security firm NordPass updates its list of the most common passwords. The list now covers 2024 (the most recent complete year of data), and the results are equal parts depressing and predictable.

We’ll cover the most common passwords and what’s wrong with using passwords like them. But first, let’s talk about why this is a real-world problem affecting even some of the planet’s biggest businesses.

The Latest Victim: McDonald’s

McDonald’s recently rolled out an AI hiring bot (we know, probably not your idea of a good time; ours either). Most applicants now have to “talk” to chatbot Olivia as a part of the hiring process. The chatbot collects information from applicants and directs them to various parts of the application process, like a notorious personality test.

Security researchers Ian Carroll and Sam Curry didn’t love the idea of millions of applicants feeding their personal information to a bot, so they started investigating.

What they found wasn’t great: an administrator account had an incredibly weak password, 123456, which, as we’ll see in a minute, is the most common password out there, making it pretty much the first password bad guys are going to guess.

According to Wired, Carroll wanted to investigate this platform (run by SaaS company Paradox.ai), so he started the application process. Carroll says:

“So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that’s ever been made to McDonald’s going back years.”

Yeah… not great, Bob. (Or Ronald, in this case.)

How They Did It

Many backend systems come with a default administrator account (like “admin”), usually set with a default password (like “password” or “123456”). The plan, of course, is that these systems and devices would have credentials changed during the installation and setup phase. But it doesn’t always happen, and didn’t in this case.

So the researchers found a way to log in and then tried some of the most common credentials out there—which worked perfectly.

The Damage

The potential damage of this breach is absolutely stunning: 84 million records, including tons of sensitive information that applicants have to provide when applying for jobs. All of it just sitting, easily readable, behind the world’s most common password.

The good news is that the good guys found this one. They reported it, and McDonald’s and Paradox fixed it before the story hit the press.

But imagine the damage if the bad guys had stolen this info. And imagine the damage if your business gets compromised through a similar insecure account.

Numbers Top the List

Back to NordPass’s “Wall of Shame”: here are the top 10 most common passwords, all of which can be cracked by hackers in less than a second.

  1. 123456
  2. 123456789
  3. 12345678
  4. password
  5. qwerty123
  6. qwerty1
  7. 111111
  8. 12345
  9. secret
  10. 123123

We’re sensing a pattern here, and it’s sequential numbers.

That’s the list of top 10 personal passwords. You’d hope that corporate accounts would fare better, right? Well, so would we, but nope. Check out this very similar top-10 list for corporate credentials.

  1. 123456
  2. 123456789
  3. 12345678
  4. secret
  5. password
  6. qwerty123
  7. qwerty1
  8. 111111
  9. 123123
  10. 1234567890

Yeah, not much better.

The Moral of the Story

So what’s the takeaway? First, take a close look at your security protocols. You might have noticed that all of these passwords are super simple. In fact, if you sign up for a new account with just about any major website, you won’t be allowed to use any of these. You have to have symbols and capitals and numbers and letters.

Make sure your systems are requiring complex passwords so that “123456” won’t even be an option. Better yet, enable multifactor authentication so that a username and password won’t be enough even if they do get compromised.
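One way to make “123456” not even an option is to screen every new or changed password against a denylist and a composition rule before it is accepted. The check below is an added example written for this post, not code from NordPass, McDonald’s or Paradox.ai; the denylist is built from the two top-10 lists quoted above, and the 12-character minimum is an assumed policy value. The same function is what an installer or account-creation flow should run against a default administrator password before it is allowed to stay in place.

```python
# Password-screening example (added here, not from the post or any vendor).
# Rejects the NordPass top-10 entries quoted in the post, obvious digit
# sequences and repeats, short passwords, and low character-class diversity.
import re
import unicodedata

# Denylist constructed from the personal and corporate top-10 lists in the post.
COMMON_PASSWORDS = frozenset({
    "123456", "123456789", "12345678", "password", "qwerty123", "qwerty1",
    "111111", "12345", "secret", "123123", "1234567890",
})

MIN_LENGTH = 12  # assumed policy value; the post does not specify one


def normalize(candidate: str) -> str:
    """Fold case and trim whitespace so 'Password ' is still caught by the denylist."""
    return unicodedata.normalize("NFKC", candidate).strip().lower()


def is_sequential_digits(s: str) -> bool:
    """True for runs like 1234567 or 7654321 that share the pattern of the list
    even when the exact string is not on it."""
    if not s.isdigit() or len(s) < 4:
        return False
    steps = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def is_repeated_char(s: str) -> bool:
    """True for 111111, aaaaaaaa and similar single-character passwords."""
    return len(s) > 0 and len(set(s)) == 1


def character_classes(candidate: str) -> int:
    """Count how many of lowercase, uppercase, digit, symbol are present."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, candidate)) for p in patterns)


def check_password(candidate: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password
    passes. Callers should reject on any non-empty result."""
    problems = []
    norm = normalize(candidate)
    if norm in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    if is_sequential_digits(norm) or is_repeated_char(norm):
        problems.append("sequential or repeated characters")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(candidate) < 3:
        problems.append("fewer than 3 of: lowercase, uppercase, digit, symbol")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the post's #1 password, a variant of it,
    # and a password that passes every rule.
    for pw in ("123456", " Password ", "7654321", "Correct-Horse-Battery-9"):
        verdict = check_password(pw)
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

In production the denylist would be far larger than eleven entries (a breached-password corpus rather than a top-10), but the structure is the same: normalize, compare against known-bad values, then apply the composition rule. Normalizing before the lookup matters because “Secret” and “Password ” are the same guess to an attacker as the lowercase originals.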

Need additional guidance? We’re here for you. Reach out anytime.
