What are the worst passwords to use in 2022?

Be strong: don't rely on easy-to-remember passwords

No matter how often people are warned not to, they still choose daft, easily guessable passwords. If you’re using one of the 20 passwords on the list below, you’re putting yourself at enormous risk, because anyone attacking the service or device in question will likely have these commonly used passwords at the top of their list to try. Here, then, are the worst passwords to use in 2022 – followed by some advice on how to choose stronger passwords.

The worst passwords of 2022

The list below comes from the security firm Lookout. These are the 20 most common passwords found in data leaks that were published on the so-called Dark Web:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 12345
  6. 12345678
  7. 111111
  8. 1234567
  9. 123123
  10. qwerty123
  11. 1q2w3e
  12. 1234567890
  14. 000000
  15. abc123
  16. 654321
  17. 123321
  18. qwertyuiop
  19. Iloveyou
  20. 666666

How to choose a strong password

By far the safest way to deal with passwords is not to try and remember them yourself – that will inevitably lead to you choosing weak passwords and/or reusing the same passwords on different sites, both of which are terrible for your security.

Instead, use a password manager. I’d strongly recommend Bitwarden – you can read my Bitwarden review here. This includes a strong password generator that will ensure your passwords are difficult to crack and then store them all for you. It works on PC, Mac, iPhone, Android and all manner of other devices, and it’s free.

I wouldn’t recommend saving your passwords to a web browser. However, if you want to continue using your browser or another means of storing passwords, at least make sure those passwords are strong.

Andy Johnson’s article suggests several good methods for choosing strong passwords. Alternatively, LastPass has a strong password generator here, or you can use the one in your browser’s password manager. For instance, if you have Google Chrome’s password manager turned on, it will normally offer to create a strong password for you when you click into a field asking you to choose a new password.
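For anyone building a sign-up form, here is an added example (not code from this article, Lookout, Bitwarden or LastPass) of a check that refuses the passwords on the list above, including case variants and versions with digits or symbols tacked on the end, together with a generator built on Python's `secrets` module. The 12-character minimum, the symbol set and the function names are assumptions made for the example.

```python
import secrets
import string
from typing import Optional

# The 19 entries visible in the article's list (no entry 13 appears on the page).
COMMON_PASSWORDS = frozenset(p.lower() for p in (
    "123456", "123456789", "qwerty", "password", "12345", "12345678",
    "111111", "1234567", "123123", "qwerty123", "1q2w3e", "1234567890",
    "000000", "abc123", "654321", "123321", "qwertyuiop", "Iloveyou", "666666",
))
MIN_LENGTH = 12                                                  # assumed policy value
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"  # assumed symbol set
_SUFFIX_CHARS = string.digits + string.punctuation


def rejection_reason(candidate: str) -> Optional[str]:
    """Return why a candidate password is refused, or None if it is accepted."""
    normalised = candidate.strip().lower()
    if normalised in COMMON_PASSWORDS:
        return "on the common-password list"
    # "Password1!" is a listed password with decoration appended, so strip
    # trailing digits and symbols and look the remaining stem up as well.
    stem = normalised.rstrip(_SUFFIX_CHARS)
    if stem in COMMON_PASSWORDS:
        return "a listed password with characters appended"
    if len(candidate) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


def generate_password(length: int = 20) -> str:
    """Build a password from the OS CSPRNG and confirm it passes the check."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if rejection_reason(candidate) is None:
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs, not real leaked data.
    for sample in ("ILOVEYOU", "Password1!", "qwerty2022", "tr0ub4dor", generate_password()):
        print(f"{sample!r}: {rejection_reason(sample) or 'accepted'}")
```

A real deployment would load a much larger breached-password list than the handful of entries shown in this article.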

Want to check if your password has already been leaked in a data breach? Pop your email address into the brilliant HaveIBeenPwned (don’t worry, it’s not an adult website) and you’ll soon discover if it’s been leaked. Make sure to change the password on any accounts that HaveIBeenPwned reveals have been breached – and on any sites where you might have re-used the same breached password.

About the author

Barry Collins

Barry has scribbled about tech for almost 20 years for The Sunday Times, PC Pro, WebUser, Which? and many others. He was once Deputy Editor of Mail Online and remains in therapy to this day. Email Barry at
