Full Report
They can probably set up a printer faster, but look elsewhere for cryptography advice.
Gen Z can get off their digital high horses because their passwords are no more secure than their grandparents'.…
Analysis Summary
# Main Topic
Widespread poor password hygiene across different generations, with Gen Z exhibiting password security habits comparable to their older, "tech-illiterate" counterparts, specifically highlighting the prevalence of extremely weak, easily guessable credentials.
## Key Points
- Analysis by NordPass shows that Gen Z's most common password differs from the older generations' favourite by a single digit, and is in fact one character shorter.
- The top choice among users born in 1997 and younger was `"12345"`.
- `"123456"` was preferred by Millennials, Gen X, and Boomers.
- The string `"123456789"` remained the most common password globally for the sixth time in seven years.
- Passwords like these can be cracked instantly, and in practice attackers do not need to crack anything: password spraying (trying a handful of the most common passwords against many accounts) compromises a predictable fraction of any large user base.
- There is a slight positive trend showing increased use of special characters (like `@` replacing the letter 'A', e.g., "P@ssw0rd"), but it is not widespread enough to counter the overall security deficit.
- Default- and placeholder-style credentials such as `"admin"`, `"welcome"`, and `"password"` still appear in the global top 200, which suggests that default settings are frequently left unchanged in organizational environments.
- Current cybersecurity awareness campaigns are failing to drive meaningful change in widespread password security habits.
## Threat Actors
- No specific, attributed threat actor groups or APTs are detailed in relation to this general trend analysis.
- The primary "actors" are opportunistic cybercriminals who benefit from mass password spraying and credential stuffing facilitated by poor user choices.
## TTPs
- **Password Spraying / Credential Stuffing:** Spraying tries a few of the most common passwords (`"123456"`, `"password"`) against many accounts, staying under per-account lockout thresholds; credential stuffing replays username/password pairs leaked in earlier breaches against other services. Both exploit user behaviour rather than malware and are trivially automated against login forms and APIs.
- **Brute-Forcing Weak Passwords:** Exploiting passwords that are easily cracked, such as `"12345"`.
- **Use of Defaults:** Trying common default credentials (`"admin"`, `"welcome"`) against exposed corporate or personal systems whose defaults were never changed.
- **Substitution:** Users apply common character swaps (e.g., `@` for 'a', `0` for 'o') to slightly modify common passwords; cracking tools apply the same swaps as mangling rules, so the variants offer no real protection.
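The spraying and brute-force patterns above look different in authentication logs: a sprayer produces a few failures each across many accounts from one source, a brute-forcer produces many failures against one account. The following detector is an added example, not code from NordPass or the article; it runs over a constructed sample log in a hypothetical `timestamp user source_ip result` format and the thresholds are illustrative assumptions.

```python
"""Classify failed-login sources as password spraying or brute force.

Added example; the log format and thresholds are assumptions, not anything
the article or NordPass describe.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 198.51.100.7 sprays two passwords across six
# accounts, 203.0.113.9 hammers the "admin" account, 10.0.0.5 is a user who
# mistyped once and then logged in.
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice 198.51.100.7 FAIL
2024-05-01T09:00:02 bob 198.51.100.7 FAIL
2024-05-01T09:00:03 carol 198.51.100.7 FAIL
2024-05-01T09:00:04 dave 198.51.100.7 FAIL
2024-05-01T09:00:05 erin 198.51.100.7 FAIL
2024-05-01T09:00:06 frank 198.51.100.7 FAIL
2024-05-01T09:02:01 alice 198.51.100.7 FAIL
2024-05-01T09:02:02 bob 198.51.100.7 FAIL
2024-05-01T09:02:03 carol 198.51.100.7 FAIL
2024-05-01T09:02:04 dave 198.51.100.7 FAIL
2024-05-01T09:02:05 erin 198.51.100.7 FAIL
2024-05-01T09:02:06 frank 198.51.100.7 FAIL
2024-05-01T09:05:00 admin 203.0.113.9 FAIL
2024-05-01T09:05:01 admin 203.0.113.9 FAIL
2024-05-01T09:05:02 admin 203.0.113.9 FAIL
2024-05-01T09:05:03 admin 203.0.113.9 FAIL
2024-05-01T09:05:04 admin 203.0.113.9 FAIL
2024-05-01T09:07:10 grace 10.0.0.5 FAIL
2024-05-01T09:07:25 grace 10.0.0.5 OK
"""


def parse_log(text):
    """Yield (timestamp, user, source_ip, result) tuples from the assumed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        yield datetime.fromisoformat(ts), user, ip, result


def classify_sources(events, window=timedelta(minutes=10),
                     min_attempts=5, min_users=5, max_per_user=3):
    """Return {source_ip: "spray" | "bruteforce"} for sources that exceed the thresholds.

    A source is a sprayer when, inside one time window, it fails against at
    least `min_users` distinct accounts with no more than `max_per_user`
    attempts per account on average; it is a brute-forcer when all of its
    failures in the window target a single account.
    """
    failures = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            failures[ip].append((ts, user))

    verdicts = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            # All failures from this source within `window` of the i-th one.
            users_in_window = [u for ts, u in fails[i:] if ts - start <= window]
            if len(users_in_window) < min_attempts:
                continue
            distinct = set(users_in_window)
            if len(distinct) >= min_users and \
                    len(users_in_window) / len(distinct) <= max_per_user:
                verdicts[ip] = "spray"
                break
            if len(distinct) == 1:
                verdicts[ip] = "bruteforce"
                break
    return verdicts


def detect(text=SAMPLE_LOG):
    return classify_sources(parse_log(text))


if __name__ == "__main__":
    for ip, verdict in detect().items():
        print(f"{ip}: {verdict}")
```

The two verdicts need different responses: brute force is handled by per-account lockout, while spraying deliberately stays under that threshold and is only visible when failures are grouped by source (or by password hash prefix, where the platform exposes it) across accounts.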
## Affected Systems
- User accounts and authentication APIs across all systems relying on user-chosen passwords.
- Professional environments are affected by the widespread use of default administrator passwords.
## Mitigations
- Users should adopt password managers to generate and store a unique, random password for every login.
- Organizations should enforce password policies that reject predictable sequences, entries on common- and breached-password lists, and trivial substitution variants of them, and should pair passwords with multi-factor authentication so a guessed password alone does not grant access.
- Users should be educated that common numerical sequences and dictionary words (even with minor substitutions) offer no meaningful protection.
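A policy that only enforces length and character classes accepts `"P@ssw0rd"` and `"Welcome2024!"`. The checker below is an added example, not NordPass's or the article's code: it undoes the substitutions the article mentions before consulting a denylist, and rejects consecutive-character sequences such as `"12345"`. The denylist is a constructed sample built from the passwords named on this page; a real deployment would load a full common- or breached-password corpus.

```python
"""Reject the password classes the NordPass list is full of.

Added example. COMMON_PASSWORDS is a constructed sample, not the NordPass
top 200; LEET_MAP is an assumed set of typical substitutions.
"""
import re

# Constructed sample denylist drawn from the passwords named on this page.
COMMON_PASSWORDS = {"123456", "123456789", "12345", "admin", "welcome", "password"}

# Assumed substitutions users apply to dodge naive denylists.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalize(pw: str) -> str:
    """Lowercase, drop a trailing run of digits/punctuation, undo leetspeak.

    'Welcome2024!' -> 'welcome', 'P@ssw0rd1' -> 'password', 'Adm1n' -> 'admin'.
    The trailing run is stripped before translation so that '2024' is not
    mistaken for letters.
    """
    base = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", base) or base
    return stripped.translate(LEET_MAP)


def is_sequence(pw: str) -> bool:
    """True for runs of consecutive characters, ascending or descending."""
    if len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps <= {1} or steps <= {-1}


def check_password(pw: str, min_len: int = 12):
    """Return (accepted, reason). The most informative rejection is reported first."""
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        return False, "common password or a substitution variant of one"
    if is_sequence(pw):
        return False, "keyboard/numeric sequence"
    if len(set(pw)) < 4:
        return False, "too few distinct characters"
    if len(pw) < min_len:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["12345", "P@ssw0rd", "Welcome2024!", "abcdefghijklmnop",
                      "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{candidate!r:32} -> {check_password(candidate)}")
```

Run the denylist check before the length check so the user is told the real problem; a message of "too short" for `"12345"` invites `"123456789012"`, which is exactly the kind of password the report is about.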
## Conclusion
The report indicates a persistent and severe failure of basic password hygiene among both enterprise users and consumers across all generations. The effectiveness of previous educational efforts is questionable. The primary defensive recommendation is the adoption of unique, randomly generated passwords managed by a password manager, backed by policies that reject common and breached passwords, alongside active monitoring in organizational environments to detect default credentials and spraying activity.