Digital safety: Are you using one of the world’s most popular passwords? 

Popular passwords ... short and simple combinations can be a threat to your digital safety.

Popular passwords ... short and simple combinations can be a threat to your digital safety. Image: Unsplash/Ales Nesetril

Ewan Thomson
Senior Writer, Forum Agenda
Our Impact
What's the World Economic Forum doing to accelerate action on Cybersecurity?
The Big Picture
Explore and monitor how Cybersecurity is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
Stay up to date:


This article is part of: Centre for Cybersecurity

This article was first published in December 2023 and updated in July 2024.

  • Our most common passwords are all simple, short and predictable leaving us vulnerable to hacking and cybercrime, according to global password management company NordPass.
  • The world's biggest password leak to date in July 2024 has increased the risk of ‘credential stuffing’, where cyber attackers take advantage of people using the same user names and passwords across multiple accounts, experts warn.
  • The World Economic Forum's Partnership Against Cybercrime brings together law enforcement agencies, cybersecurity companies, global corporations and not-for-profit alliances to help combat cybercrime.

What makes a terrible online password? Something simple, short and predictable.

Astonishingly, those are also the characteristics of the world’s most common online password, which is 123456, according to online password management company NordPass.

NordPass also calls 123456 the worst password, because as well as being used over 4.5 million times, it takes less than a second for hackers to crack – like the rest of the top 20 most popular online passwords.

Here are the other passwords on the list, as well as some advice on improving your passwords to protect yourself from cybercrime, a growing threat according to the World Economic Forum's latest Global Risk report.

The world’s most common online passwords

NordPass analysed a vast database of online passwords, then with the help of a team of researchers investigated which ones had been stolen with the use of malware.

This is the list of the top 20 most common passwords. If any of yours are included, it might be time to think about changing them.

1. 123456

2. admin

3. 12345678

4. 123456789

5. 1234

6. 12345

7. password

8. 123

9. Aa123456

10. 1234567890


12. 1234567

13. 123123

14. 111111

15. Password

16. 12345678910

17. 000000

18. Admin123

19. ********

20. user

This is the fifth year that NordPass has mapped out the world’s password habits. This year’s winner, 123456, has come top three times. It has only been beaten by 12345, which happened in 2019, and by the ever-popular “password”, in 2022.

Password habits vary by platform

NordPass' most recent data shows how password creation differs across digital platforms - people tend to have different password habits depending on their platform.

Those using streaming services tend to choose the worst passwords, which gives an easy opportunity for cybercriminals to breach accounts, NordPass says.


What is the Forum doing to avert a cyber pandemic?

The growth of cybercrime

As digitalization increases, so do people’s chances of being affected by online crime. Nearly nine out of 10 web app attacks use stolen data, and 18% of common items for sale on the dark web are passwords, emails and account data, NordPass says.

Cyberattacks are not just increasing in prevalence but also in size. In July 2024, a password leak known as RockYou24 became the largest leak in history when a user on a popular hacking website posted a compilation of almost 10 billion unique passwords, according to Cybernews.

This could leave those who reuse passwords highly vulnerable to what's known as 'credential stuffing' – a practice where attackers fraudulently gain valid user name/password combinations and then use them to access other accounts.

“Threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset,” the Cybernews research team warned.

All this means the cost of cybercrime is soaring and could reach almost $14 trillion by 2028, according to Statista.

The cost of cybercrime 2018-2028
The cost of cybercrime is expected to soar. Image: Statista

The World Economic Forum's Partnership Against Cybercrime brings together law enforcement agencies, cybersecurity companies, global corporations and not-for-profit alliances to help combat cybercrime.

How to improve your password

You can check to see if your passwords have been compromised by visiting website services such as HaveIBeenPwned. Just enter your email address and it will tell you if your account has been part of any data breaches.

When choosing a new password, it is better to use complex combinations of lowercase and uppercase letters, numbers and special characters because they take longer to decrypt – unlike the 20 most popular passwords of 2023. Aim for at least 12 characters, although you could go even longer.

It might be tempting to use memorable numbers or words that link back to your life – such as a pet’s name or memorable birthday – but this can also make cracking the password easier.

Using the same password for multiple sites is also not recommended, as if one of those sites becomes compromised, your password across all the other sites is also at risk.

It’s also worth changing your passwords every three months, cybersecurity experts say. “Sometimes you might never be aware that your password for an account was compromised,” online security experts Kaspersky say. “By changing your password every few months, you limit the amount of time a hacker can spend in your account and hopefully minimize the damage a cybercriminal could cause.”

Have you read?

Password managers and passkeys

You could also use a password manager. This is a piece of software that can generate complex passwords for various websites, detect password breaches, and store passwords in an encrypted environment.

Password managers are operated by a single password, meaning you only have to remember one password ever. They keep themselves secure through the use of extra layers of multifactor and biometric authentication.

Another way to boost your online security is with passkeys, a replacement for passwords for businesses or for personal use that combine biometric verification with cryptographic keys.

NordPass says passkeys are “inherently resistant to phishing, brute-force attacks and other cyber threats” and can be used across multiple devices and operating systems. Passkeys also mean you never have to remember a password again.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

Why closing the cyber skills gap requires a collaborative approach

Rob Rashotte

July 23, 2024

About Us



Partners & Members

  • Sign in
  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum