Common Passwords: Lists & Checks

TL;DR

Many lists detail frequently used passwords. We’ll show you where to find them and how to check if your password is one of the bad ones, plus advice on creating strong alternatives.

Finding Common Password Lists

  1. Have I Been Pwned (HIBP): This website (https://haveibeenpwned.com/) is a fantastic resource. It doesn’t hand you a list of plaintext passwords; it tells you whether your email address has appeared in a data breach and which kinds of data (frequently including passwords) were exposed in it. It also runs Pwned Passwords, a large corpus of hashed passwords taken from those breaches, which can be downloaded in full or queried one password at a time.
    • Pwned Passwords API: For developers, HIBP offers an API that checks a password using k-anonymity: you send only the first five hex characters of the password’s SHA-1 hash, receive every breached hash suffix that shares that prefix, and compare locally, so the password itself never leaves your system.
  2. Troy Hunt’s Password Lists (HIBP Founder): Troy Hunt regularly publishes data from breaches, including the most common passwords found. Search online for “Troy Hunt password lists” to find articles and analyses based on his findings.
  3. Security Companies’ Reports: Many cyber security companies (like NordPass, Surfshark, Kaspersky) publish annual reports detailing the most frequently used passwords they’ve observed. These are usually easy to find with a Google search like “most common passwords 2024”.
  4. Password Managers’ Data: Some password managers (with user consent and anonymisation) compile statistics on their users’ passwords. Again, search for reports from popular providers.

Checking Your Password

  1. HIBP Pwned Passwords Checker: Use the https://haveibeenpwned.com/Passwords tool to check if your password has been seen in a breach.
    • You don’t need to enter your email address; this checker deals solely with the password. The page hashes what you type in your browser and sends only the first five characters of the hash to the server, so the full password is never transmitted. Even so, if a password turns up as pwned, change it everywhere you used it.
  2. Online Password Strength Testers: Several websites offer password strength testing, and some will flag common passwords. Be cautious: a strength meter is only safe if it evaluates the password locally, and you usually can’t tell whether it does. Never type a password you actually use (or intend to use) into a site you don’t trust.
  3. Command Line (for advanced users): If you hold password hashes from systems you are authorised to test, you can run hashcat against a wordlist of common passwords to see which ones fall. This requires technical knowledge. Example:
    hashcat -a 0 -m 0 hashes.txt wordlist.txt
    Here -a 0 selects a straight dictionary attack, -m 0 tells hashcat the hashes are raw MD5 (choose the mode that matches your hash type; hashcat --help lists them), hashes.txt holds one hash per line, and wordlist.txt is a common-password list. Any hash that cracks was protected by a password on that list.
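The k-anonymity check behind the HIBP Pwned Passwords API and the web checker above, as an added example (this is not HIBP’s own code). It assumes the documented range endpoint https://api.pwnedpasswords.com/range/<prefix>, which returns lines of the form SUFFIX:COUNT; the sample response embedded below is constructed for the example (the SHA-1 suffix for “password” is real, the counts and the other entries are made up), and the User-Agent string is a placeholder.

```python
"""Pwned Passwords k-anonymity check (added example, not HIBP's code).

The client hashes the password with SHA-1, sends ONLY the first five hex
characters of the digest to https://api.pwnedpasswords.com/range/<prefix>,
and compares the returned 35-character suffixes locally, so the password
itself never leaves the machine.
"""
from __future__ import annotations

import hashlib
import urllib.request
from typing import Callable

API_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # documented HIBP endpoint


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that is only compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    With the 'Add-Padding: true' request header the API mixes in fake entries
    with a count of 0 so the response size does not reveal how many real
    matches exist; those must be discarded, not treated as hits.
    """
    matches: dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if suffix and count.isdigit() and int(count) > 0:
            matches[suffix.upper()] = int(count)
    return matches


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash prefix (network access required)."""
    req = urllib.request.Request(
        API_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},  # placeholder UA
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).

    `fetch` is injectable so the logic can be exercised offline against a
    constructed response (see below).
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed stand-in for the API body for prefix 5BAA6 (SHA-1("password")
# begins 5BAA61E4...). The suffix for "password" is real; the counts and the
# other two lines are made up for this example.
PASSWORD_SUFFIX = "1E4C9B93F3F0682250B6CF8331B7EE68FD8"
SAMPLE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "F" * 35 + ":3",
        PASSWORD_SUFFIX + ":9545824",
        "0123456789ABCDEF0123456789ABCDEF012:0",  # padding entry, must be ignored
    ]) + "\r\n",
}


def offline_fetch(prefix: str) -> str:
    """Offline replacement for fetch_range using the constructed responses."""
    return SAMPLE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fetch=offline_fetch)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in the sample corpus'}")
```

Swap offline_fetch for the default fetch_range to query the live API; the prefix is the only thing that crosses the network, and a hit with a count of 0 is padding, not a match.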

Creating Strong Passwords

  1. Length Matters: Aim for at least 12 characters, preferably more.
  2. Mix It Up: Use a combination of uppercase and lowercase letters, numbers, and symbols.
  3. Avoid Personal Information: Don’t use names, birthdays, addresses, or other easily guessable details.
  4. Use Passphrases: A long phrase of randomly chosen words is often easier to remember than a short, complex password, and its length is what gives it strength. Pick the words at random (dice, or a password manager’s generator) rather than adapting a famous sentence: variants of well-known quotes and pangrams such as “the quick brown fox jumps over the lazy dog” are exactly what cracking wordlists and rules target. Four or five unrelated words like “marble bicycle quickly orbit lantern” work; “red bicycle quickly jumps over lazy dog” does not.
  5. Password Managers: Use a reputable password manager to generate and store strong, unique passwords for each of your accounts.
  6. Multi-Factor Authentication (MFA): Enable MFA wherever possible. This adds an extra layer of security beyond just your password.