Steven Lafortune
Password management company NordPass has published the results of its annual survey of the 200 most common corporate passwords around the world in 2024. Once again, claiming the top spot was that ol’ standard that infuriates IT pros, yet inspires hackers: 123456.
Now in its sixth year, the NordPass survey looked at passwords that had been exposed by malware, or in data leaks. Overall, researchers analyzed around 2.5TB of data from users in 44 countries. This was the fifth consecutive year that 123456 was the most common corporate password. It was also the most common personal password.
The rest of the top 10
If the #1 most common corporate password is shockingly insecure, is there any hope that the rest of entries in the top 10 are any better at fending off hackers (and lowering blood pressure levels for IT pros)? No. Behold, in all its horror, the rest of the top 10:
2 - 123456789
3 - 12345678
4 - secret
5 - password
6 - qwerty123
7 - qwerty1
8 - 111111
9 - 123123
10 - 1234567890
NordPass researchers say that all 10 of the most commonly-used corporate passwords would take hackers less than one second to crack. In fact, the only corporate password in the top 70 that would purportedly take hackers more than 10 seconds to crack was #28: TimeLord12, which would take about five days (sure that’s better, but even Dr. Who wouldn’t choosing something so insecure for the TARDIS).
The weak password crisis continues
Weak passwords continue to be a big vulnerability for organizations — and big business for hackers. Despite advances in cybersecurity best practices, poor corporate password policies remain a primary entry point for attacks. Google Cloud’s 2025 Threat Horizons Report stated that credential-related vulnerabilities such as insecure, easy-to-crack passwords continue to be the most common entry point for hackers. And IBM’s Cost of a Data Breach Report 2024 revealed that the global average cost of a data breach has climbed to $4.88 million USD per incident — a 10% increase over 2023, and the highest total ever.
Reducing the risk
IT pros who harbor a sneaking suspicion — or worse, have blatant evidence — that some end users in their organization urgently need to clean up their password hygiene should not despair. True, things right now might be troubling (or terrifying). But there are several ways to reduce the risk, close the gap, and keep hackers on the outside. Here are some recommendations:
Require that users choose longer passphrases instead of passwords. These are typically easier for users to remember, yet harder for hackers to crack.
Enforce two-factor authentication (2FA) or multi-factor authentication (MFA) as part of your broader identity and access management (IAM) strategy.. While 2FA/MFA is not 100% bulletproof, it should be a mandatory requirement to bolster account protection and reduce vulnerability.
Use a strong password manager that offers core functionality, especially if you’re part of an IT team or managed service provider (MSP) looking to enhance password protection for businesses. That includes: secure password vaulting and sharing, strong password generation, analysis of potential password choices against a list of known compromised passwords, role-based access control, password history policy enforcement, and advanced reporting/logging.
Implement privileged account management (PAM) that offers core functionality including: automatic/scheduled password rotation, automatic password syncing (a.k.a. password propagation), checkout request approval, just-in-time access for privileged accounts, and comprehensive auditing.
Provide users with cybersecurity training, so they understand the importance of choosing strong, unique passwords (or better yet, passphrases), and that they consistently demonstrate good overall password management hygiene. Users have to realize and embrace that they must be an active part of the organization’s cybersecurity solution, or else they may unintentionally contribute to the problem.
Looking ahead
The idealists among us may hope that early next year when we look at NordPass’ 2025 list of the most common corporate passwords, that we will see a complete transformation from staggeringly weak passwords to surprisingly strong ones. But the realists among us think — and let’s face it, know — differently. The only real surprise might be that 123456 moves from the #1 spot to #2 (but probably not).
As such, it is up for leaders and decision-makers to LISTEN to the IT pros in their organization, and ensure that tools, practices, and policies are in place to drive strong, effective, and compliant password management.
The alternative is to ignore the problem and hope for the best. This kind of mindset and approach is not strategic. Rather, it is a signal for bad actors to stop by and start hacking.
Devolutions can help
Devolutions can help your organization turn password management from a weakness into a strength with powerful tools for modern IT teams! Both our on-premise password management solution Devolutions Sever, and our cloud-based password management solution Devolutions Business Hub, are highly secure, easy-to-use, feature-rich, perfect for privileged account management (PAM), and complimented by versatile companion tools and apps.
And if you aren’t sure what you need or where to start – don’t worry. We offer complimentary consultations to help you focus on what matters most. We also offer free 30-day trials, and multiple licensing options to fit every budget.
