The three most popular passwords of 2024 can be cracked in one second

2025 / 05 / 02


On the occasion of World Password Day, which is celebrated on the first Thursday of May, ZIUR points out that the use of brute force to crack passwords is "one of the most common entry points used by cyberattackers to break into systems."

The three most popular passwords in Spain, which were used almost 50,000 times in 2024, can be cracked in just one second. This is according to NordPass, a password-management cybersecurity company, which publishes a detailed report each year listing the most common passwords worldwide, many of which are repeated across the globe.

On the occasion of World Password Day, celebrated this Sunday, the Gipuzkoa Industrial Cybersecurity Center (ZIUR) warns that breaking this encryption "is one of the most used attack vectors by cybercriminals because it works so well for them." "We know that many attacks begin with a brute-force password crack, which is a way of recovering a password by trying all possible combinations until they find the one that grants access. This is one of the main ways for cybercriminals to break into our systems," warns ZIUR director María Penilla.

In Spain, the most used password is 123456, used 27,374 times in 2024; followed by 123456789, entered 14,385 times; and 12345678, chosen 7,811 times. All of them can be cracked in less than a second, as can the fifth, sixth, seventh, eighth, ninth, and tenth passwords in the ranking, which are: qwerty123, 12345, qwerty1, 1234567890, password, and 1234567. In fourth place is Spain, a password that typically takes about two minutes to crack. These ten passwords were used a total of 81,611 times in 2024, as noted in the NordPass report.

The picture is practically the same worldwide. The ten most used passwords in 2024 were 123456, 123456789, 12345678, password, qwerty123, qwerty1, 111111, 12345, and a rather curious last one: secret. All of them, used more than 9 million times last year, can be cracked in less than a second.

Recommendations

“Passwords are never shared, under any circumstances. It's important to be clear that no service, of any kind, will ask you to share one of your passwords with them. If, for whatever reason, we have to share it with a family member, it's advisable to change it as soon as possible,” notes the director of ZIUR, who asserts that people aren't “as strict as they should be with passwords, and cybercriminals take advantage of this to their advantage,” as the NordPass report proves. “In that document, we see how little it costs to brute-force a password that isn't strong enough,” Penilla insists.

Therefore, she recommends using a password manager to securely store passwords. “Although zero risk in cybersecurity doesn't exist, using a manager will always be more secure than writing down passwords on paper or using the same one for all services, because we're obviously incapable of memorizing the dozens of passwords we have to manage on a daily basis,” she points out.

At the business and industrial level, Penilla believes the most effective approach is to force users to change their passwords less frequently to try to prevent them from being repeated and to make them more robust. She also recommends using two-factor authentication to access a service, that is, adding a second code to the password that can be sent via SMS or through various applications.

“Nowadays, most services allow this option, and it's one of the best ways to make it difficult for the bad guys and prevent hacking. Although using double verification may be inconvenient at times, we should do so, at least for the most critical services such as payment or credit card details,” says Penilla, who suggests that, at the slightest suspicion of having suffered a cyber incident, it's best to change passwords and, if payments are compromised, notify the bank immediately. “It's better to err on the side of caution,” insists the director of ZIUR.