The 10 worst passwords for account security in 2021

October 14, 2021
Thomas Hull
Content Specialist

Photo by Eugenia Kozyr on Unsplash

Try out tru.ID

Make your first phone check in 1 minute. No app required to test. Get started for free.
Sign up

See it in action

In just 30 minutes, our team can show you the power of SIM-based authentication.
Book a demo

Follow us on

Github iconTwitter iconLinkedIn icon

Is yours on the list?

It’s a well-known fact that passwords are the source of a huge amount of account security issues. From the hassle of resetting them to the risk of phishing and account takeover attacks, we’ve now got to memorise hundreds of passwords on average, as well as backing them up with MFA (multi-factor authentication).

In 2021, usernames and passwords really aren’t the most convenient way to prove our identity any more. They’re neither secure nor easy to use, and even ‘strong’ passwords are at risk of attack. It’s no wonder that many businesses are now turning to a variety of passwordless alternatives for authentication.

But as long as we’re reliant on passwords, most people are only concerned with convenience, and they’re the easiest targets. A Twitter poll by tru.ID found that 21% of people admit to still using the same password everywhere. But even worse, on top of this, it turns out that a lot of people are just typing the first thing that comes to mind – and they’re not that creative. 

With help from research by CyberNews, Specops, and SplashData, we’ve compiled some of the most common and easily guessed passwords as the worst offenders for 2021. If yours is on the list, it’s time to switch it up…

See tru.ID in action

In just 30 minutes, our team can show you the power of SIM-based authentication.
  1. 123456

It might be easy, but it turns out you’re not the only person who decided to run your finger along the top of your keyboard. ‘123456’ has been the most popular password worldwide for an astonishing eight years running. 

Common variants include ‘123456789’ or ‘12345’, or a repeated number like ‘111111’. But ‘123456’ is still at the top spot. Why stop at 6? We’ve no idea.

  1. qwerty

In a similar vein, whether it’s ‘qwerty’, ‘qwerty123’, or ‘1q2w3e4r’, if you’ve had the bright idea of making things easy by pressing keys nearby to each other, you’re not alone. 

Unfortunately, while such phrases may be nonsensical, the popularity of this quick solution means it’s also top of the list for malicious actors to try out.

  1. monkey

Monkeys are your favourite animal, and you need to pick something impersonal but memorable – seems logical, right? Curiously, many people have the same idea, with ‘monkey’ consistently ranking higher than other animals. 

This may be because other popular animals such as ‘dog’ and ‘cat’ are too short for most minimum character requirements. Other popular choices include ‘butterfly’, ‘penguin’ and the more fantastical ‘dragon’.

Generally it’s never a good choice to use a word as it appears in the dictionary – bots are easily able to run through dictionaries and try every single combination.

  1. cookie

On the same note, don’t be tempted by your favourite sweet treat when it comes to setting a password. Over 900,000 instances of ‘cookie’ were found in an analysis by CyberNews.

‘Chocolate’ and ‘butter’ were also highly ranked – perhaps sitting in front of a screen makes us tempted to reach for a sugary snack? 

  1. iloveyou

Aww, really? Although we don’t know how many people are sharing the love for their computer and how many just thought it was a memorable phrase, ‘iloveyou’ has ranked highly in the charts for years. 

While it’s better to use multiple words than just one, a less common combination than ‘those three words’ is probably the smarter move. Even worse, a lot of users greet their digital session with a simple ‘hello’.

  1. whatever

On the other hand, a lot of people evidently need to vent their frustrations about the inconvenience of memorising a password. 

‘Whatever’, ‘nothing’, and the more commanding ‘letmein’ are consistently highly featured, along with a wide range of expletives! (Remember, just because a word might be too rude for the dictionary, it doesn’t mean it isn’t well-known...) 

  1. football

Whether it’s American or global, ‘football’ is a very popular password choice, with ‘baseball’ and a range of other sports not far behind. Also numerous are the names of particular teams. 

Your password isn’t the wisest place to show the love for your team – especially if you’re vocal about your support for them elsewhere. 

  1. loki

Superheroes have always ranked highly for breached passwords, which is no surprise with the meteoric rise of comic book franchises on the big screen. But while ‘batman’ and ‘superman’ have long been popular, beating them both out this year is the God of Mischief. 

Other popular choices include ‘starwars’ and its cast of characters. Remember, anything you’re a known fan of – especially if it’s very popular – is going to be well-known to potential attackers as well. 

  1. password

There’s really no excuse for this one! We don’t need to tell you why ‘password’ isn’t exactly the Da Vinci code… but year after year it’s still incredibly overused, ranking 4th in breaches from 2021, according to SplashData. 

The prevalence of variants such as ‘test’, ‘admin’, ‘login , and ‘master’ also suggests that a lot of people are still using a default password that’s never been reset. Needless to say, you should change your password to something more secure as soon as possible.

  1. Your personal information

Occupying a special place on this list is an entry that’s individual from person to person. But whether it’s your own or a loved one, names are incredibly common password choices. If you combined together each instance, especially very popular names such as ‘ashley’, ‘bailey’, and ‘michael’, names would far outrank every other entry on the list. This is a problem for two reasons: not only are names short and easily guessed, but they’re also linked to you.


As a rule, you should never use information that can be gleaned from your social media presence, or public record, as a password or secret answer. So even if you change it to M1ch3ll3!, if your social media profile shows that your partner’s name is Michelle, it’s not going to take long for a targeted attacker to crack that code. The same goes for birthdays, anniversaries, place of birth, or anything else that’s known to be associated with you.

Account security shouldn’t end with passwords

Hopefully this article has reminded you of the importance of a unique password, but remember that all password-protected accounts are still vulnerable to account takeover attacks from social engineering or data breaches.

As well as practising good password hygiene by regularly changing your passwords and using a different one for each account, it’s best to back up your login security by opting for passwordless login and MFA (multi-factor authentication) whenever possible. 

Concerned about your customers and brand being impacted by weak passwords? Find out how SIM-based authentication with tru.ID can help your business to implement passwordless login as a primary or second factor. Sign up to start testing for free today.

You can read our tips about protecting yourself from SIM swap fraud here. For more security news from tru.ID, sign up for our newsletter below.

How to get started

tru.ID can support all types of mobile apps, with a rich set of tutorials available for Android, iOS, React Native, and many other implementations. Our online platform is developer-first, with a sandbox for easy testing.  
Start coding

Get this article in your inbox - get The Dot.

The Dot is our regular email about digital identity and news we're certain you'll find interesting.