With the increasing number of data breaches, taking care of your passwords is as essential as ever. One of the key elements of a strong password is its uniqueness. Therefore, today we present the most commonly used passwords & phrases used in passwords by people around the world.
The CyberNews Investigation team was interested in what kind of most common password patterns everyday people were using in creating their own passwords. We collected data from publicly leaked data breaches, including the Breach Compilation, Collection #1-5, and other databases. We then anonymized the data and detached the passwords so that we could look at that data in isolation and find the most popular passwords and phrases used.
In total, we were able to analyze 15,212,645,925 passwords, of which 2,217,015,490 were unique. We discovered some interesting things about the way that people create passwords: their favorite sports teams, cities, food and even curse words. We could even deduce the probable age of the person by looking at which year they use in their password.
As the data came in various forms, we filtered the results to only include terms that we could make sense of, and from which we could gather some insights.
The top 10 most common passwords worldwide:
There are a few lists documenting the most commonly used passwords – all of them based on different studies. What all of them have in common is their predictability.
2021 popular password statistics according to our research
We analyzed 15.2 billion passwords according to different categories of terms used. We’ll go over the most interesting aspects of each category that we looked at.
Most popular years used in passwords
One of the most interesting things is when we looked at which years from 1900-2020 were the most used by people when they made passwords.
Making a rough assumption, people may generally use years in their passwords to mark:
- their birth year
- the year in which the password was created
- a special year
From our analysis, we see that the most popular year was 2010, with nearly 10 million versions of this year used in passwords. The second-most popular used year was 1987 at 8.4 million, and the third was 1991 at nearly 8.3 million.
Looking at the graph in total, there’s a steady increase in usage from around 1940 all the way to 1990. The trend goes down after that, to rise again sharply from 2004 to 2010.
Based on the three general possibilities about why people use years in their passwords, we could make some assumptions:
- The rise from the 1940s to the 1990s correlates to the birth years of the password creators, such that there were more password-creators born in 1980-1990 than those born 1940-1980
- The spike in ‘2010’ usage in passwords most likely doesn’t indicate birth years (that would put those users under 10 years old), but rather a combination of password creation and special year
- The spike in ‘2000’ could be birth years, but could also be special years, as it was the turn of the millennium
Of course, these are just some speculations we’re making from this dataset.
The internet’s favorite name as a password
The winner is: Eva, but just barely. The #2 name is Alex, which comes in about 50,000 instances less than Eva. After that is Anna, and it tapers down consistently to the #10 most common password name, Daniel.
Both of the least popular names – I’m talking bottom two here – are Darcie and Darcey. Whichever way it’s spelled, it doesn’t seem to be popular.
The world’s favorite sports team – and sport used in creating passwords
Looking at the data for sports teams, we get an idea of not only which the top sports teams around the world are, but also which are the most favored sports:
The number one sports team, at least for the English-language world, seems to be the NBA’s Phoenix Suns, followed by the superior Miami Heat (full disclosure: I’m from Miami). Third up is the MLB’s Cincinnati Reds. Of course, since these are generic terms, there’s a possibility that some of these terms aren’t sports-related – but that’s essentially the risk with all the terms in these statistics.
European soccer (football clubs) come in three times in the top ten, with Liverpool, Chelsea and Arsenal taking the #5, #6 and #8 spots, respectively.
In total, we can see that there are five NBA teams, two from MLB, and three European football clubs. From this, we can assume that the NBA is, by far, the most popular sport in the world, followed by European football/soccer (even though some stats show that soccer is number one, and basketball comes in at number 3).
When we skew our understanding to the English-language world, with a lot of data coming from the US and the West, the findings in our password analysis seem to correlate.
Just for fun, the least popular sports team to use in passwords is “wolverhamptonwanderers,” used just 3 times, which I’m told is pretty accurate based on their overall performance.
The internet’s favorite curse word as password
Another aspect we were interested in was to see how many passwords contained curse words, and which curse words were favored the most.
Based on our analysis, a total of 152,933,335 passwords contained curse words. Out of 2.2 billion unique passwords, that’s about 7%.
Results show that the internet’s favorite curse word is “ass” coming in at nearly 27 million usages, followed by “sex” at a little over 5 million. The world’s most flexible ‘F’ word comes in at third place, being used in fewer than 5 million passwords.
Below is a table with the top 10 curse words used in passwords:
The world’s most common city used in passwords
When looking at the data, we see that many users added some variation of their city name to their passwords. Now, before looking at our analysis, we can guesstimate a reason as to why people would do that: pride or love for their city.
Even if it is just a recognition of their birth city, adding that to their passwords would most likely indicate some sort of appreciation for the city, unless it’s something like “ihatephiladelphia2020!”
So, which are the most common cities to use in passwords?
Coming in at number one is “abu” which would most likely represent the UAE capital Abu Dhabi. The number two city is Rome, the fancy capital of Italy.
Third goes to Lima in Peru, followed by “hong” for Hong Kong, and the list continues the trend of international, non-US cities. In fact, only two American cities seem to have ended up on this list: Austin and “antonio” for San Antonia, and interestingly they’re both in Texas.
The top months, days and seasons
If people were like me, the best month would be July or August, the best day either Friday or Saturday, and the best season obviously summer. Fortunately or unfortunately, the world isn’t composed of copies of me, so let’s see what months, days and seasons people preferred to use most in their passwords.
Well, I’m glad to know that people in the world have some good sense. “summer” is the most popular, and “autumn” is the least. The top weekday is “friday,” but there’s no reason for “saturday” to be at the bottom – common sense would suggest “monday” to be the least popular.
And lastly, “may” takes the cake for most popular month, more than twice as popular as the second-most popular “june.” Yes, of course, “may” is also a common word, so there’s a chance the data is a little skewed in that sense. In any case, the warmer months are at the top, and the absolutely dreadful February is twice as unpopular as the second-last “january.”
The best food for passwords
Lastly, we’ll look at what food people loved to include in their passwords. Surprisingly, this accounted for only 1.9%, with about 42 million uses.
It seems that the most popular food word is either a delicious food or a delicious beverage. Here, “ice” could refer to “ice cream” or “iced tea” – but since “cream” isn’t in the top 10, it’s most likely the beverage. The fact that “tea” is #2 only supports my theory. They are followed by “pie” and “nut.”
The least popular food words were “mayonnaise,” “margarine” and “seasoning.”
The important thing about these popular passwords statistics
It’s particularly hard to make a judgement about whether these elements of a password – whether the year, curse word, sports team, city or else – is necessarily a good thing or a bad thing.
However, we looked at the length of the passwords used, in terms of number of characters used. Unfortunately, most of the passwords used had 8 or fewer characters.
That, combined with the probability that the passwords weren’t too complex – instead made up of easily guessed combinations – leads us to believe that the passwords from these databases weren’t up to standard. There are much better ways to create a strong password.
For example, using “heat” as an element of the password, something easily guessed could be “letsgoheat” (10 characters), while something more complex would be “heatromearsenalhjamesp” (a 22-character passphrase). You can also use our unique password generator tool that generates strong & random passwords that are almost impossible to crack. People also create strong passphrases using mnemonic devices are better as they usually are long and contain random words that have no logical meaning between each other, hence easier for a person to remember but more complex for an algorithm to crack.
Of course, at this point this conversation has all become moot: the best passwords are the ones that you don’t need to remember at all. For this reason, we normally strongly recommend that people use password managers. These easy-to-use tools will create very complex passwords for you that you don’t even have to remember.
They mostly come as browser extensions that will create or fill in your usernames and passwords for you. The only thing you need to remember is one master password to use the password managers.
Now, if you noticed that your own personal passwords have similar patterns to the ones we analyzed, and that these passwords can be considered rather simple, we recommend you visit our Data Leak Checker to see if your email address and other personal data has been exposed in a data breach.
The CyberNews Data Leak Checker currently has the largest database of known breached accounts, with more than 15 billion compromised accounts. So, chances are that if your account has been leaked, we’ll probably have a record of it.