We now know the 200 most used passwords, and hacking them is pretty easy

At a time when personal information and cybersecurity has been high on the agenda, after millions of pieces of personal data was exposed in the Optus hack, it’s concerning to learn that thousands of Australians are still risking their own data by using the password ‘123456’.

That password has topped the list of most commonly used passwords in findings published by software-as-a-service provider NordPass.

In collaboration with independent cybersecurity researchers evaluating a four terabyte database, the company found 123456 was the mostly commonly used password in the world, with over 100 million instances of its use.

It’s also the most used in Australia – across more than 300,000 instances.

Ranking second down under was ‘password’ – perhaps the most obvious entry a person could devise, with nearly 200,000 uses.

It would take a hacker less than a second to crack these passwords.

Ranked third was ‘lizottes’ – the name of a popular restaurant in Newcastle. It’s used by nearly a hundred thousand accounts.

Read more: Quantum entanglement can be used to encrypt messages

In contrast to the leading password selections, Nordpass estimates it would take three hours to crack this entry.

Earlier this year, cybersecurity firm Hive Systems released updated tables on estimated ‘crack’ times – how long it would take a hacker to break a password – showing a password like ‘lizottes’ would take just three seconds to break, or instantaneously if high-performance computing technology was used.

People, says UQ Cyber research officer Joshua Scarsbrook, pick simple passwords because they want to reduce the barrier to entry.

“We often see password prompts as a barrier to entry to the systems that we’re trying to work with,” Scarsbrook.

“If we have a password like, say, a 16, or 32, character long passphrase, then it’s going to take some time to type that out.

“So people use shorter passwords that are simpler and easier for them to remember.”

But that leaves individuals vulnerable to being hacked.

How can hackers break passwords so quickly?

By cracking a hash.

A hash is a long, complex series of characters that corresponds to a text-based password. It’s created by hashing software to store your password in a server.

While you type your password in, this software outputs it as a hash, this makes it difficult to know, on first glance, what a password might be.

A hash might look like this:


You probably can’t guess the password by looking at that, can you?

It’s 123456, as hashed using a cryptographic protocol called MD5.

The fact we know this hash corresponds to the world’s most commonly used password should not be comforting, and it isn’t, because MD5 has been cracked – the equivalent of thieves in heist films knowing exactly how to break open a safe.

The Top 10 most used passwords in Australia, and how many use them

RankPasswordTime to crack itCount
1123456<1 second308,483
2password<1 second191,880
3lizottes3 hours98,220
4password1<1 second86,884
5123456789<1 second75,856
612345<1 second69,434
7abc123<1 second68,434
8qwerty<1 second67,130
912345678<1 second37,675
10holden2 minutes30,844
Source: NordPass

Hackers crack hashes by working out the combinations of inputs on your keyboard – letters, numbers and non-alphanumeric characters – and hashing them. These are used to create lists of these combinations which are then run against stolen password hashes.

Eventually, a hacker could work out exactly how to ‘brute force’ your password. If this conjures up the image of a computer whizz repeatedly trying to guess your combination in hope of getting it correct, you’d be right.

“There are two different kinds of password brute forcing,” explains Scarsbrook.

“There’s an online password brute force where your computer is actually interacting with a website and effectively trying to log into a website or computer system thousands and thousands of times.

“Then there’s the more offline password brute forcing where the hacker has some hash or other cryptographic signature of the password that they’re attempting to reverse into plain text form.

“In the case of cracking websites, that can be pretty slow, but with the Nordpass examples, specifically, they would be referring to the amount of time it takes for a computer to actually crack the password offline based on a hash.”

Brute forcing, is made much easier by having known hashes to compute possible password combinations.

Hive Systems suggests a password containing up to 11 numbers only is instantly breakable.

11 lowercase letters, on the other hand, might take two hours.

A combination of 11 lower and upper case letters would take five months. Throw some numbers into that mix and it would take three years. Add a @, # or $ in place of a letter, and it’s a 34-year proposition.

Ben Cornish is the director of McGrathNicol, a specialist advisory firm that consults to the government and private sector on risk and cybersecurity. He says that when it comes to data, people and businesses need to care for it like they would gold.

“Personally Identifiable Information or PII is probably one of the most valuable commodities out there these days,” Cornish says.

“They say data is the new gold and PII is a key part of that as well.

“The scary thing is people are probably using the [same] password across multiple registrations, sites and applications, which now that this information is out – the username and a password – that obviously means anything that is using that that combination of username and password is now vulnerable to hackers.”

How quickly can your password be brute forced?

CharactersNumbers OnlyLowercase lettersUpper and lowercaseNumbers, upper and lowercaseNumbers, upper and lowercase, symbols
7InstantlyInstantly2 seconds7 secs31 secs
8InstantlyInstantly2 minutes7 mins39 mins
9Instantly10 ses1 hour7 hours2 days
10Instantly4 min3 days3 weeks5 months
11Instantly2 hours5 months3 yrs34 yrs
122 secs2 days24 yrs200 yrs3k yrs
1319 sec2 months1k yrs12k yrs202k yrs
143 mins4 yrs64k yrs750k yrs16m yrs
1532 mins100 yrs3m yrs46m yrs1bn yrs
165 hrs3k yrs173m yrs3bn yrs92bn yrs
172 days69k yrs9bn yrs179bn yrs7tn yrs
183 weeks2m yrs467bn yrs11m yrs438tn yrs
Source: Hive Systems

How can you protect yourself?

If the Hive Systems table is anything to go by, a complex password is a good first step – a lengthy mix of characters, numbers, and symbols.

Some people now use ‘passphrases.’

Rather than AcDc!99, you might go with !tsaL0ngWay2TheT0p.

That’s a crack time difference of around 438 trillion years – pretty good (although we’ve obviously published it now, so don’t use that one).

There are other security protections that are possible, such as two or multi-factor authentication. When set up, this might involve a notification sent to your smartphone or email with an input code.

Password manager applications are also solutions for creating and storing long, complex passwords.

But every year there are new instances of privacy breaches, there’s even a website that matches your data to publicly released hacking events.

That, says Cornish, means individuals need to be vigilant about what information they’re sharing – or signing up to – in the first place.

“It comes back to not putting too much information out there, not providing all your details to random questionnaires that you receive on Facebook or elsewhere,” Cornish says.

“And being really vigilant when people are asking for information or are asking you to give away information.

“Making sure that you’re monitoring unusual interactions or messages that you might receive via email, via text message, via phone call… monitoring your bank accounts for any unusual activity.”

Please login to favourite this article.