It’s 2021 But People are Still Using These Dumb Passwords

The world as we knew it changed over the last year but not our stupid love for “password” and “123456.”
Dhvani Solani
Mumbai, IN
Photo: Getty Images

In the past few years, password management companies have been showing us a glimpse of not just how we all are – collectively, as a species – morons, but also how we’re becoming even more moronic year on year.

You would imagine that with most of our lives having moved online in these panoramic times, and with a sharp increase in news of someone, somewhere getting hacked, we would be a little more cautious about what our sacred passwords are. Unfortunately, a list of the most common passwords in 2021 put out by NordPass will leave you with little hope for humanity. 


The top-of-the-class honours went to the password “123456,” having been used 103,170,552 times. Come on, people.

Next in line was “123456789,” which meets the eight character minimum requirement, but not much else in terms of actual security. Apart from more highly hackable number combinations, the top 10 list also has “password” and “qwerty” on it. All of these would take less than a second to breach. While 73 percent of the top 200 passwords from 2020 could be cracked in less than a second, the number has gone up to 84.5 percent in the new list.  Does this prove the theory that humans are getting dumber

The list of passwords was compiled in partnership with independent researchers specialising in cybersecurity research. They evaluated a 4TB-sized database across 50 countries. For this third consecutive year of research, they also divided their database into the different countries, further segregating them into men and women categories, to understand if each of these sets used passwords differently.

“We honestly didn’t expect to see so many cultural references in the country lists,” Patricia Cerniauskaite, a spokesperson for NordPass, said in an email to VICE. She said that on the popular list were local football team names (“steelers” in the USA, “liverpool” in the UK,  “colocolo” in Chile, “nacional” in Brazil, “sparta” in Czech Republic, “marseille” in France, “schalke04” in Germany, “olympiakos” in Greece), famous local beverage names (“guinness” in Ireland) and religious passwords (“christ” in Nigeria, “bismillah” in Saudi Arabia).


The team of researchers also stumbled upon liberal use of local language swear words, like “bajskorv” in Swedish (means ‘poop’), “kokot” in Slovakia (an insult) or “lopas123” in Lithuania (also an insult), “wanker” and “bollocks” in the UK’s list – just to name a few. “It’s also quite interesting that these passwords tend to appear more often in the men’s lists,” Cerniauskaite said. 

These illuminating lists also offer a peek into how fandoms work. While “onedirection” stood at 184th place on the 2019 list, it had disappeared from the top 200 list of 2020, though it’s now jumped back to 156th on the global women’s list. 

The women’s list have “justinbieber” and “tokiohotel” (a popular German boy band from the 2010s) on it, whereas men’s passwords tend to sport “metallica” and “slipknot.” The most consistent band on the lists from the past three years is “blink182,” especially in countries like Australia, Canada, Ireland, and others.

“For the first time ever, ‘eminem’ has entered the list,” said Cerniauskaite. Was this millennial revenge for Gen Z TikTokers trying to cancel the rap icon they grew up with? “People also always tend to use ‘naruto,’ ‘superman,’ ‘pokemon’ and other cartoon characters as their passwords.” The new passwords on the list, which did not figure in ones from previous years, include “mynoob,” “google,” “internet,” “freedom,” and “secret.”


As VICE has reported several times over, trending pop culture terms are one of the first sequences hackers target when trying to crack a combination. If you find your password on the list, do rethink your life change it ASAP. 

There are other basic things you can do to beef up your security. The first step is to always use two-factor authentication (2FA) when given the option. Opt for the SMS verification here over the email option since it requires the hacker to access your phone, which hopefully they don’t have access to. 

Also, try not to use the same passwords for different accounts. Use a password manager to help you with different passwords for each of those 256 apps and services you use. In addition, always use an eclectic mix of numbers, caps, and special characters in your sequence to deter crawlers and scraping programs.

And for god’s sake, if your password looks like one of the following top 25 on this year’s list, change it before you do anything next:

  1. 123456
  2. 123456789
  3. 12345
  4. qwerty
  5. password
  6. 12345678
  7. 111111
  8. 123123
  9. 1234567890
  10. 1234567
  11. qwerty123
  12. 000000
  13. 1q2w3e
  14. aa12345678
  15. abc123
  16. password1
  17. 1234
  18. qwertyuiop
  19. 123321
  20. password123
  21. 1q2w3e4r5t
  22. iloveyou
  23. 654321
  24. 666666
  25. 987654321

Follow Dhvani Solani on Instagram.