As more than half (54%) of SMEs in the UK experienced some form of cyber-attack in 2022*, it's more important than ever to minimise potential gaps in your security, especially when choosing account passwords. Cybercrime and smishing attacks are unfortunately becoming more prevalent as more people move online and use cashless payments like our contactless card machine or buy now, pay later schemes.
2023 is the time to improve your password knowledge. We’ve all been taught to use memorable data but many of us use personal data like holidays and pet names as they are easy to remember. However, increased online presence via social media and public profiles has the potential to allow hackers into your life to discover what you might use for your passwords.
So, to help you gain awareness around online password security, we’ve conducted a study revealing the most commonly hacked passwords worldwide.
Last year, we released our most hacked passwords report which we have now updated for 2023 to further investigate the passwords that are most commonly used and the time it takes for them to be hacked.
Analysing aggregated data from Rockyou21, which has compiled passwords from multiple sources and lists over six million breached passwords, we were able to investigate the most commonly used password patterns and the average password length.
The study has sorted the top hacked passwords into 25 categories, from footballers to astrology. By seeing which category had the most breached passwords, we can reveal the password subjects you should avoid as a whole to help stay secure online.
Before we dive in, let's look at some of the most common ways passwords can be hacked:
1. Brute force attack
A brute force attack is a method that tries millions of passwords per second in an attempt to gain access to accounts.
2. Dictionary attack
A dictionary attack is a technique where hackers use common words and phrases to guess passwords.
3. Phishing
Another way passwords are hacked is phishing. An attacker preys on a victim by trying to deceive them into providing sensitive information - this can be through a fraudulent email, text or phone call.
4. Malware
A malware attack is when hackers create malicious software which gets downloaded onto a computer without the victim's knowledge. This is then used to steal classified information.
5. Guessing weak passwords
Another common technique is for hackers to use trial and error to guess weak passwords based on personal details found through social media, for example your birthday or pet's name.
Key: l is lowercase, u is uppercase, d is digits, s is punctuation and other special characters.
Password pattern | No. of passwords | Avg. password length | Example | Max time in sec to guess |
---|---|---|---|---|
llllllll | 356,174 | 8 | iloveyou | 3.01 |
llllll | 263,333 | 6 | purple | 0.00 |
lllllll | 221,761 | 7 | letmein | 0.12 |
dddddd | 193,879 | 6 | 202201 | 0.00 |
ddddddd | 150,819 | 7 | 20000000 | 0.12 |
dddddddd | 145,505 | 8 | 19891989 | 3.01 |
lllllldd | 132,885 | 8 | london89 | 3.01 |
lllllllll | 121,139 | 9 | wednesday | 78.26 |
lllldddd | 85,547 | 8 | alia1990 | 3.01 |
lllllllllld | 84,229 | 10 | wednesday1 | 2,034.70 |
Password patterns are an easy way to generate memorable passwords using different formats like special characters, lowercase letters and digits. For example, if you change your password from ‘Love2022!’ to ‘Love2023!’, you’ve used a predictable pattern as it's easy to remember.
The top ten password patterns represent 11.1% of this dataset, which is significant given that over 20,000 different patterns were discovered. If you are using one of these most popular patterns, it allows hackers to reduce the number of combinations they need to try to access your data.
It’s important to note that hackers are most likely aware of these popular patterns and passwords, making them even quicker to hack. Combined with public social media profiles or personal information that’s been made available online (think birthdays, favourite holidays, pet names), hackers have the potential to gather enough information to make educated password guesses. So, if you want to create a new password, make sure it is more than 12 characters long, contains a capital letter or special characters and doesn't relate to any memorable events or personal details.
Out of the six million passwords analysed, using only lowercase letters, as in ‘iloveyou’, is the most popular pattern, with over 356,000 passwords using this format. The average length for this password pattern is eight characters, which would take just three seconds for hackers to guess.
Rank (popularity) | No. of characters | No. of passwords that are this number of characters long |
---|---|---|
1 | 8 | 1,569,038 |
2 | 7 | 890,292 |
3 | 6 | 877,733 |
4 | 9 | 567,520 |
5 | 10 | 463,946 |
6 | 11 | 336,704 |
7 | 12 | 278,681 |
8 | 5 | 179,946 |
9 | 4 | 57,190 |
We found over 1.5 million hacked passwords of eight characters in length, making it one of the most popular password lengths. Over 4.5 million passwords that are eight characters long and also start with an uppercase letter were found in data breaches. Another common password pattern is ending the password with a special character, as over 3.5 million passwords of this nature were hacked.
Rank (popularity) | Category | No. of breached passwords that include the top 20 words/phrases in that category* |
---|---|---|
1 | Nicknames/Terms of endearment | 1,040,793 |
2 | TV show characters | 454,765 |
3 | TV shows | 365,386 |
4 | Colours | 352,484 |
5 | Fashion brands | 298,601 |
6 | Cities | 253,960 |
7 | Countries | 127,154 |
8 | Movies | 70,421 |
9 | Body parts | 53,919 |
10 | Car brands | 40,971 |
11 | Pet names | 33,754 |
12 | Swear words | 33,299 |
13 | Video game characters | 24,986 |
14 | Music artists | 20,768 |
15 | Video games | 13,020 |
16 | Makeup brands | 12,011 |
17 | Sports | 9,039 |
18 | Fictional characters | 7,502 |
19 | Superheroes | 5,473 |
20 | Football clubs | 2,920 |
*The score is calculated by using how many times the top 20 terms/words from each category were included in the most commonly breached passwords list.
Rank | Term of endearment | Total no. of breached passwords |
---|---|---|
1 | King | 948,203 |
2 | Rose | 30,506 |
3 | Love | 19,310 |
4 | Boo | 8,575 |
5 | Hero | 5,619 |
6 | Angel | 4,518 |
7 | Baby | 3,797 |
8 | Sexy | 2,622 |
9 | Gem | 2,232 |
10 | Lover | 2,026 |
Out of all the categories studied, the most commonly hacked password categories were those involving pet names/terms of endearment with the top three pet names used in passwords around the world being ‘King’ (948,203), ‘rose’ (30,506) and ‘love’ (19,310).
While you might often use pet names to refer to your nearest and dearest, it's probably not the best idea to use these terms of endearment for your passwords. For example, if you use ‘King’ as your password along with 948,000 other people, it makes it easy for hackers to guess and access your personal information, especially if you regularly use those pet names in the public domain and on social media.
Rank | Colour | No. of breached passwords |
---|---|---|
1 | Red | 331,756 |
2 | Blue | 4,423 |
3 | Black | 3,360 |
4 | Gold | 2,546 |
5 | Green | 2,364 |
6 | Pink | 1,496 |
7 | White | 1,424 |
8 | Brown | 1,111 |
9 | Silver | 1,017 |
10 | Grey | 576 |
Colours ranked as the fourth most commonly hacked password category with 352,484 being included in breached passwords. The three most frequently hacked colours? ‘Red’ leads the way with over 331,000 passwords, followed by ‘blue’ (4,423) and ‘black’ (3,360).
Rank | Character name | Video game | Total no. of breached passwords |
---|---|---|---|
1 | Joel | The Last of Us | 14,312 |
2 | Q*Bert | Q*bert | 5,319 |
3 | Link | The Legend of Zelda | 1,710 |
4 | Mario | Super Mario Bros | 899 |
5 | Ryu | Street Fighter | 741 |
6 | Agent 47 | Hitman | 462 |
7 | Ellie | The Last of Us | 378 |
8 | Yoshi | Super Mario | 272 |
9 | Scorpion | Mortal Kombat | 201 |
10 | Kirby | Kirby | 160 |
The highly anticipated game, The Last of Us, first came out in 2013 for PlayStation 3 users. The game shows protagonists Joel and Ellie in a post-pandemic world and has sold over 37 million copies in nine years.
Since its release, the game receives over nine million searches a month worldwide so it’s no surprise that gamers have used the character name ‘Joel’ as a password over 14,000 times. If you are a fan of the show or the game, you should consider changing your password.
The action-adventure game The Legend of Zelda follows Link in his quest to save the world. With over 136 million copies sold worldwide, it's clear to see why over 1,700 people have used the character name as their password.
Rank | Artist | Total no. of breached passwords |
---|---|---|
1 | Dr. Dre | 16,740 |
2 | Abba | 886 |
3 | Queen | 625 |
4 | SZA | 529 |
5 | Drake | 313 |
6 | BTS | 293 |
7 | Eminem | 203 |
8 | Future | 202 |
9 | Nirvana | 146 |
10 | Adele | 125 |
Dr. Dre is the most breached music artist's password
Passwords using music artists rank 14th out of the most commonly breached passwords with 20,000.
Dr. Dre has over 22 million monthly listeners on Spotify and is one of the most influential rappers in hip-hop history. Due to his massive popularity and following, over 16,000 passwords included the rapper’s name which accounts for 83.7% of all music artist passwords.
Drake and SZA are among the most commonly used breached passwords
Meanwhile, in 14th place for music lovers that chose to incorporate their artists into their password, over 529 people used ‘SZA’ as their password with ‘Drake’ coming in fifth place with 313 users.
In need of an improved password? We’ve put together our top ten tips on the most important do’s and don’ts when creating a more secure password.
While personal security is incredibly important, when it comes to your business – the stakes are even higher. This is why ensuring that all your business accounts are secured with tough-to-breach passwords is crucial.
At Dojo, we understand that security and protecting personal data are at the forefront of business owners' minds. When you choose a Dojo card machine like the fast Dojo Go, your customer's card data is securely protected from data breaches with point-to-point encryption.
Methodology
Dojo analysed an aggregate of multiple data breaches including Rockyou21’s breached password list from 2021. The list features over six million passwords that have been compromised in a data breach to discover the most commonly hacked passwords. These passwords were then separated into categories such as music artists, video game characters, countries and pet names etc. From the most hacked passwords, categories with the most breached passwords and the most common password patterns used were identified.
To find the speed at which hackers can guess passwords, the RTX 3090 hashes/sec speed was used to estimate how long it would take for a specific set of password patterns / lengths to be guessed, assuming the passwords were hashed using MD5.
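The pattern table and the timing estimate described above, as an added example (not Dojo's own code): it derives the l/u/d/s pattern of each password in a constructed sample, counts the patterns, and computes the worst-case exhaustive-search time per pattern. The guess rate is an assumption taken from the table's eight-lowercase-letter row, since the page states no figure, and the 33-symbol size of the `s` class is also assumed; because the keyspace here is computed per character class, digit-only patterns come out far smaller than the table's figures.

```python
import math
import string
from collections import Counter

# Symbols per class in the page's key. 33 for "s" assumes printable ASCII
# punctuation plus space; any non-ASCII character is also counted as "s".
CLASS_SIZE = {"l": 26, "u": 26, "d": 10, "s": 33}
CLASSES = [(string.ascii_lowercase, "l"), (string.ascii_uppercase, "u"),
           (string.digits, "d")]

# Assumed guess rate: the page gives no figure, so use the rate implied by its
# table row for eight lowercase letters (26**8 candidates in 3.01 seconds).
ASSUMED_GUESSES_PER_SEC = 26**8 / 3.01

def mask(password):
    """Map each character to l/u/d/s, e.g. 'london89' -> 'lllllldd'."""
    return "".join(next((c for chars, c in CLASSES if ch in chars), "s")
                   for ch in password)

def keyspace(pattern):
    """Number of candidates an exhaustive search of this pattern covers."""
    return math.prod(CLASS_SIZE[cls] for cls in pattern)

def max_seconds(pattern, rate=ASSUMED_GUESSES_PER_SEC):
    """Worst-case time to exhaust the pattern at the assumed rate."""
    return keyspace(pattern) / rate

def pattern_report(passwords):
    """(pattern, count, max seconds) per pattern, most common first."""
    counts = Counter(mask(p) for p in passwords)
    return [(m, n, max_seconds(m)) for m, n in counts.most_common()]

def meets_length_advice(password):
    """Page's advice: more than 12 characters, with a capital or special.
    The third point (no personal details) cannot be checked mechanically."""
    m = mask(password)
    return len(password) > 12 and ("u" in m or "s" in m)

# Constructed sample list, not data from the study.
SAMPLE = ["iloveyou", "sunshine", "london89", "purple", "Love2023!"]

if __name__ == "__main__":
    for m, n, secs in pattern_report(SAMPLE):
        print(f"{m:<12} {n:>2} {secs:12.4f}s  ")
```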
*Stat from Vodafone business