Change Your Password Now If It’s On This List

If you use one of these 20 passwords, change it now.
Update, May 25, 2025: This story, originally published May 23, has been updated with even more unsafe passwords to add to your do-not-use list following new research, as well as information about the PIN codes you must never use if you value the security of your data and devices.
It would be all too easy to assume that your password is safe enough if you don’t share it between sites and services, if you are aware of and take action to prevent phishing attacks, or if you ensure that sophisticated infostealer malware doesn’t come anywhere near your devices. But what if you were wrong? What if your password is so weak it could be cracked in less time than it takes me to type the next word? Yes, it is that quick, folks. What if automatic password hacking machines laugh in the face of your security efforts? If your password is on this newly published list, change it now or suffer the inevitable hacking consequences. You have been warned.
The Password List You Don’t Want To Be On
You really don’t want to be on any password list, and most of them are compiled by cybercriminals using infostealer malware logs. But even with the global disruption of crime-industry leaders such as the Lumma Stealer network, your biggest enemy often isn’t the shady hacker after your credentials, it’s you yourself.
Let me explain through the optics of a May 22 Huntress Security report that revealed the 20 most commonly used and therefore weakest passwords you could deploy. Look, I get it, ease of use is key, if you’ll pardon the pun, and that’s why people stick to familiar passwords that they have used for years. Passwords that they share across accounts. Passwords that are easy to type as well as recall. And that, right there, is your biggest mistake. If you do it, other people will do it as well, and that’s why if your password is on this list you must change it now. No ifs or buts, no procrastinating, no I’ll do it later.
The Password List In Full
Change that password right now. Here’s the list in full:
- 123456
- 123456789
- 12345678
- password
- qwerty123
- qwerty1
- 111111
- 12345
- secret
- 123123
- 1234567890
- 1234567
- 000000
- qwerty
- abc123
- password1
- iloveyou
- 11111111
- dragon
- monkey
I will admit, even as a cybersecurity veteran and hacker of old, I was surprised to see both dragon and monkey on the list. Considering there aren’t that many proper words included, numerical strings remain the go-to for lazy password creators; they wouldn’t have been my first choices. And that’s from someone who has something of an obsession with monkeys. Every day is a school day, although you should know better than to use dictionary words, and very short dictionary words at that.
Even More Passwords You Must Never Use
The list of dangerously unsafe passwords appears to be growing longer by the day. An analysis of passwords commonly used across businesses, based on compromised credentials available in criminal marketplaces, has identified the most insecure passwords by industry and country. It is worth referencing the full report from NordPass researchers, as always, but I thought it would be of some value to Forbes’ readers to look at these in some detail, so I have compiled the top three from each of the industry sectors. While there is some crossover between the sectors, and indeed the main list of insecure passwords already mentioned, it’s interesting to note how bad some of these are. Take finance, for example, where you would really expect people to know better. Some of these also appear to be rather too specific to have made the top ten in the category, but that could suggest some industries are better than others at avoiding the commonly compromised and oft-repeated passwords. “In most cases,” the report stated, “the passwords were leaked alongside email addresses, allowing us to distinguish corporate credentials by their domain name.”
Automotive:
- @Incontrol1976
- @EciAutomation1976
- F3930ebbce@
Education:
- 123456
- 12345678
- Edifygroup01
Enterprise:
- 123456789
- 123456
- 12345678
Finance:
- ABCDEF
- 123456
- user0123
Healthcare:
- fabrizio19
- 123456
- Melu3012345
Hospitality:
- THINKIN2023
- 123456
- Ids@1001
Medium-Sized Business:
- 123456
- secret
- 123456789
Retail:
- 123456
- fer1010
- nfer161280
Small-Sized Business:
- 123456
- ABCDEF
- 12345678
Technology:
- 123456
- 12345678
- Prithiviraj021
Transport:
- 123456
- vish
- Cbd@ryder#2023
Things aren’t a lot better when filtered by country, as you can see:
U.S.:
- password
- 123456
- qwerty123
- qwerty1
- aaron431
- password1
- welcome
- 12345678
- Password1
- abc123
U.K.:
- password
- 123456
- qwerty
- qwerty123
- welcome
- password1
- qwerty1
- liverpool
- charlie
China:
- 123456
- 111111
- 121212
- 000000
- 123456789
- woaini
- 555666
- 12345678
- tangkai
- 123123
India:
- 123456
- password
- lemonfish
- 111111
- 12345
- 12345678
- 123456789
- admin
- abcd1234
- 1qaz@WSX
Take Care Of Your PIN Codes As Well As Passwords
It’s not just password lists you need to take note of; what about your PIN? Yes, the four-digit code that underpins your smartphone lock biometrics and is still required on occasion, such as when your fingerprint or face recognition doesn’t work, or after an operating system update or phone reset, for example. I have just published a list of 50 PIN codes that you should never use, simply because they are so popular. They have turned up in an analysis of nearly 30 million such codes that appeared in data breach lists, with ten percent of the codes in that bunch being the same ones used over and over. If I can find that list, then potential smartphone robbers, family snoopers and anyone else can find that list. If your PIN code is on it, you should change it. There’s another bunch of PIN codes that you should avoid as well, and these are the ones that can be cracked within the blink of an eye by new AI attack tools. New research found that PINs with the same digits are the worst, as 5555 could be guessed in just 0.37 seconds, but you should also avoid any consecutive numbers, those that are created using pairs and patterns, and, of course, anything that is or resembles a date. I could likely unlock 90% of family members’ smartphones, truth be told, as dates of birth seem to rule supreme.
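The four weak PIN categories described above can be checked mechanically at the moment a PIN is chosen. The following is an added example, not code from the research or from this story; the function name `weak_pin_reasons`, the category labels, and the exact reading of "pairs and patterns" (ABAB, AABB, ABBA) and "date" (a year from 1900 to 2099, or a valid MMDD or DDMM) are assumptions.

```python
from datetime import date

def _is_consecutive(pin: str) -> bool:
    # Constant step of +1 or -1 between digits, wrapping 9->0 (1234, 4321, 7890).
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})

def _is_pair_pattern(pin: str) -> bool:
    # Assumed reading of "pairs and patterns": ABAB (1212), AABB (1122), ABBA (1221).
    return (pin[:2] == pin[2:]
            or (pin[0] == pin[1] and pin[2] == pin[3])
            or pin == pin[::-1])

def _looks_like_date(pin: str) -> bool:
    # Assumption: a "date" is a year 1900-2099, or a valid MMDD / DDMM.
    if 1900 <= int(pin) <= 2099:
        return True
    first, second = int(pin[:2]), int(pin[2:])
    for month, day in ((first, second), (second, first)):
        try:
            date(2000, month, day)  # leap year, so 29 February is accepted
            return True
        except ValueError:
            pass
    return False

def weak_pin_reasons(pin: str) -> list[str]:
    """Return every weak-PIN category a four-digit PIN falls into."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        raise ValueError("expected exactly four ASCII digits")
    if len(set(pin)) == 1:
        return ["repeated digit"]
    reasons = []
    if _is_consecutive(pin):
        reasons.append("consecutive digits")
    if _is_pair_pattern(pin):
        reasons.append("pair or mirror pattern")
    if _looks_like_date(pin):
        reasons.append("date-like")
    return reasons

if __name__ == "__main__":
    # Constructed sample PINs, not taken from any breach list.
    for sample in ("5555", "1234", "1212", "1990", "2902", "8357"):
        print(sample, weak_pin_reasons(sample) or "no listed pattern")
```

An empty result only means the PIN matches none of these four categories; it can still be one of the most-used codes, so a popularity list remains a separate check.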
Don’t Use Passwords, Use Passkeys
So, you know what to do: change that password or PIN now. Better still, switch to using passkeys instead, as they are way more secure and even easier to use. I would also recommend using a password manager to both create and use your passwords, if a passkey isn’t an option, as this will enable you to make strong, random and unique choices. Of course, password managers also help manage and use passkeys – it’s a win-win situation. So, what are you waiting for?