Cybersecurity researchers analyzed 3TB of stolen passwords from 2022 to compile a list of the most common passwords. A list of the top 200 most common passwords was published by NordPass, most likely motivated in part to promote their password manager software, but nonetheless useful as a list of passwords to avoid.
Topping the list was the word “password” itself, followed by many variations of simple numeric sequences and runs of letters in the order they appear on the keyboard, such as “qwertyuiop”. Each entry in the list also included an estimated time required to crack that password using commonly available password-cracking software. Most of the passwords in the list could be cracked in under one second, underscoring how easily these weak passwords are exploited.
Information security professionals should use these lists of common weak passwords to proactively test the accounts of employees, contractors, and other users of the information systems they are responsible for protecting. The most effective way to use such a list is to trigger a check each time a user changes their password: take the hash of the newly chosen password and automatically compare it against the hashes of the passwords on the list.
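The password-change check described above, as an added example written for this post rather than code from Binary Defense or NordPass: the banned list is reduced to a set of hashes once, and each newly chosen password is hashed the same way and rejected if it matches. The sample list entries are constructed, and the look-alike normalization (lower-casing plus a handful of character substitutions, so that “P@ssw0rd2022!” collapses to “password”) is an assumption of this example, not Microsoft’s or NordPass’s algorithm.

```python
import hashlib
import re

# Constructed sample entries of the kind that appear on published
# common-password lists; a real deployment would load the full list.
COMMON_WEAK_PASSWORDS = [
    "password", "123456", "123456789", "qwerty", "qwertyuiop",
    "12345678", "111111", "guest", "letmein", "welcome",
]

# Assumption: a simplified look-alike mapping so trivial substitutions
# ("P@ssw0rd", "Passw0rd") still hit the banned list. This is an
# illustrative approximation, not a vendor's normalization algorithm.
LOOKALIKE = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})

REJECT_COMMON = "matches a common weak password or a simple variant of one"
ACCEPT = "accepted"


def normalize(password: str) -> str:
    """Lower-case the password and undo common look-alike substitutions."""
    return password.lower().translate(LOOKALIKE)


def hash_form(form: str) -> str:
    """Hash one normalized form; both the list and candidates go through this."""
    return hashlib.sha256(form.encode("utf-8")).hexdigest()


def build_banned_hashes(words) -> frozenset:
    """Precompute the hashes of the banned list (done once at startup)."""
    return frozenset(hash_form(normalize(w)) for w in words)


BANNED_HASHES = build_banned_hashes(COMMON_WEAK_PASSWORDS)


def candidate_forms(password: str) -> set:
    """Forms of a candidate worth comparing: the whole password, plus the
    'core' left after stripping trailing digits and symbols, so that
    'Password2022!' is caught as a variant of 'password'."""
    lowered = password.lower()
    core = re.sub(r"[\d\W_]+$", "", lowered)
    forms = {normalize(lowered)}
    if core:  # all-digit passwords have an empty core; skip it
        forms.add(normalize(core))
    return forms


def check_new_password(password: str, banned_hashes=BANNED_HASHES):
    """Hook to call at password-change time. Returns (accepted, reason)."""
    for form in candidate_forms(password):
        if hash_form(form) in banned_hashes:
            return False, REJECT_COMMON
    return True, ACCEPT


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2022!", "qwertyuiop", "123456",
                      "correct horse battery staple"]:
        accepted, reason = check_new_password(candidate)
        print(f"{candidate!r}: {'OK' if accepted else 'REJECTED'} ({reason})")
```

Because the comparison is done on hashes, the same check can be run against password hashes collected from an existing directory, provided those hashes were produced with the same unsalted algorithm; salted hashes can only be tested at the moment of the change, when the plaintext is available.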
For organizations that use Microsoft Azure Active Directory (including any online Microsoft product such as the Office Suite), administrators can configure custom lists of banned passwords by following the instructions on this page: https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-configure-custom-password-protection
While Binary Defense is not endorsing the NordPass product in particular, a password manager in general is highly recommended to generate secure and unique passwords without causing extra stress on people to remember many passwords. There are many password manager products available, including cloud hosted and offline versions. Pairing a strong password with Multi-Factor Authentication (MFA) is the best way to protect accounts even when an attacker guesses or steals the password.