Password Habits in 2021 - Are We Making Any Progress?

It is the time of year when security researchers start doing annual reviews of various security practices, trends and developments. One of the most curious topics among those is password habits and the overall level of password hygiene practiced by regular users.

Security firm NordPass published its annual review of password practices and commonly used passwords, using collated data from 50 different countries across the globe. Sadly, the results are not encouraging at all and show no meaningful improvement in the way people choose their passwords.

The data used by NordPass comes from a massive database of leaked passwords, which contains 4 terabytes worth of records. The majority of those passwords were collected from North America, Europe, Australia and Russia.

The breakdown of the most commonly used passwords for 2021 looks as follows:

  • 123456 (103 million instances)
  • 123456789 (46 million instances)
  • 12345 (32 million instances)
  • qwerty (22 million instances)
  • password (20 million instances)
  • 12345678 (14 million instances)
  • 111111 (13 million instances)
  • 123123 (10 million instances)
  • 1234567890 (9 million instances)
  • 1234567 (9 million instances)

If anything, this shows that people have still not learned how to construct a strong password, despite the security and infotech industry trying to drive that concept home for years.

Curious bits found in the password database also include the frequent use of first names as the password, another string that can be guessed practically immediately using simple dictionaries. Easy-to-guess names of music bands and football clubs were also commonly used on websites and services related, respectively, to music and football.

Following a period in which users were generally advised to use a mixture of letters, symbols and numbers, that advice has gradually given way to a different approach to passwords. At the end of the day, with the computing power available today, the only thing that matters when it comes to brute-forcing a password is length.

In this sense, coming up with some incredibly complicated string that you will struggle to remember, and will probably need to keep on a piece of paper in your wallet, has been replaced with choosing a string of four or more medium-length words, which provides ample length and sufficient entropy at the same time.

Put differently, a password such as "L1verpo0lisB3st09$" is less secure than a simple phrase that makes sense to you and that you can memorize much more easily, for example "GiraffesFeelSadDuringWinter".
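To make that comparison concrete, the following is an added example (not code from the article or from NordPass) of a password-policy check that flags the top-10 passwords listed above and estimates strength two ways: the naive character-class estimate, and an attacker-aware estimate that first undoes common digit-for-letter substitutions and charges one word-list pick per recognised dictionary word. The common-password set and the mini dictionary are constructed from the article's own examples, and the attacker's word list is assumed to have 7776 entries (the size of a Diceware-style list).

```python
import math
import re

# Constructed from the article's top-10 list; a real check loads a full breach corpus.
COMMON_PASSWORDS = {"123456", "123456789", "12345", "qwerty", "password",
                    "12345678", "111111", "123123", "1234567890", "1234567"}
# Constructed mini dictionary covering the article's two examples; a real check uses a full word list.
DICTIONARY = {"liverpool", "is", "best", "giraffes", "feel", "sad", "during", "winter"}
# Assumed attacker word-list size: 7776 words, a Diceware-style list.
WORD_BITS = math.log2(7776)
# Substitutions a cracker's mangling rules undo at almost no cost.
LEET = str.maketrans({"1": "i", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))

def char_pool(pw: str) -> int:
    """Alphabet size implied by the character classes present in pw."""
    return sum(size for pattern, size in CLASSES if re.search(pattern, pw))

def naive_bits(pw: str) -> float:
    """Brute-force estimate: every character drawn uniformly from the pool."""
    pool = char_pool(pw)
    return len(pw) * math.log2(pool) if pool else 0.0

def segment(text: str) -> tuple:
    """Greedy longest-match split into dictionary words; returns (words, unmatched char count)."""
    words, leftover, i = [], 0, 0
    while i < len(text):
        for j in range(len(text), i, -1):  # try the longest candidate first
            if text[i:j] in DICTIONARY:
                words.append(text[i:j])
                i = j
                break
        else:  # no dictionary word starts here
            leftover += 1
            i += 1
    return words, leftover

def dictionary_bits(pw: str) -> float:
    """Attacker-aware estimate: each recognised word costs one word-list pick and
    only the unmatched characters must be brute-forced."""
    words, leftover = segment(pw.translate(LEET).lower())
    pool = char_pool(pw)
    return len(words) * WORD_BITS + (leftover * math.log2(pool) if pool else 0.0)

def assess(pw: str) -> dict:
    """Policy verdict: flag anything in the common list and report both estimates."""
    return {"common": pw.lower() in COMMON_PASSWORDS,
            "naive_bits": round(naive_bits(pw), 1),
            "dictionary_bits": round(dictionary_bits(pw), 1)}
```

Under the naive estimate the leetspeak password scores about 118 bits, but once the substitutions are undone it is just three dictionary words plus three stray characters, roughly 58 bits; the five-word phrase keeps about 65 bits under the same attacker model, which is why the article's ranking holds.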

November 17, 2021