The 20 Worst Passwords In America—Change Yours If It’s Here

Do not use these passwords — ever.

getty

Your newsfeed is likely littered with headlines (1,2) warning you to change your Gmail password after a Google breach. Not because your password leaked — but because most passwords are rarely changed despite being used across multiple accounts.

This isn’t a Google or even a Gmail issue — it’s a widespread password issue. And while two-factor authentication (not SMS) and passkeys make this better, you still need to pay attention to your passwords. A weak or reused password is a gift to hackers.

ForbesApple Warns All iPhone Users—Do Not Reply To These MessagesBy Zak Doffman

While some passwords are bad the world over, there are regional variances. Here are the worst passwords in United States, courtesy of NordPass. Two lists — one for personal accounts and one for work accounts.

Let’s start with the worst 20 passwords on personal accounts in the U.S.

The risk in using these kinds of passwords on a Google, Meta/Facebook or Amazon account is huge — especially where the account doesn’t mandate 2FA or where you use SMS one-time codes for 2FA, which are easily stolen or bypassed.

But those risks are much greater at work, where your weak password potentially opens enterprise systems and networks to attack, and can even be an initial access point for ransomware attacks against the organization you work for.

ForbesGoogle Confirms Play Store Deletion—Remove Apps On Your PhoneBy Zak Doffman

Many enterprises now mandate 2FA for key systems, which protects against more than 99% of intrusions. That’s why recent headline ransomware attacks have used social engineering to steal 2FA codes rather than relying on technical exploits.

But 2FA isn’t mandated for all systems — and it takes just one weak point to open a door to attackers searching for a way in. There are the 20 worst passwords at work:

If any of your passwords are on either list, change them right now. All of them. And make sure you replace them with strong, unique passwords that you don’t use across any other accounts. There’s some good advice on strong passwords here.

The easiest way is to use a standalone password manager — not one built into a browser, even the wildly popular Google password manager in Chrome. Then add an authenticator app for 2FA and a passkey for all accounts where you can.