The worst passwords of 2020 show we are just as lazy about security as ever

Can’t we do any better than “123456”?
Written by Charlie Osborne, Contributing Writer

It's that time of year again -- when we see whether or not password security has improved over the past 12 months. 

Going back to 2015, the worst passwords still commonly used included "123456" and "password." Fast forward five years, and these examples are still very much alive. 

After analyzing 275,699,516 passwords leaked during 2020 data breaches, NordPass and partners found that the most common passwords are incredibly easy to guess -- and it could take less than a second or two for attackers to break into accounts using these credentials. Only 44% of those recorded were considered "unique."


On Wednesday, the password manager solutions provider published its annual report on the state of password security, finding that the most popular options were "123456," "123456789," "picture1," "password," and "12345678."

With the exception of "picture1," which would take approximately three hours to decipher using a brute-force attack, each password would take seconds using either dictionary scripts -- which compile common phrases and numerical combinations to try -- or simple, human guesswork. 

One of the entries on the 200-strong list, "whatever," sums up the state of affairs when it comes to password security: it seems many of us are still reluctant to use strong, difficult-to-crack passwords -- and instead, we are going for options including "football," "iloveyou," "letmein," and "pokemon."

The 10 most common passwords of 2020, based on NordPass' dataset, are listed below:



When selecting a password, you should avoid patterns or repetitions, such as letters or numbers that are next to each other on a keyboard. Adding a capital letter, symbols, and numbers in unexpected places can help, too -- and in all cases, you should not use personal information as a password, such as birthdates or names. 

While vendors need to be reminded that allowing easy and simple combinations does nothing to protect the privacy and security of users, it is also up to us to take responsibility for our own accounts. 
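One way a sign-up form could enforce the advice above is sketched here as an added example; it is not code from the article or from NordPass. The function names, the `personal` parameter and the four-character run threshold are assumptions, and the denylist holds only the passwords the article names.

```python
import re

# Only the passwords the article names, not NordPass' full 200-entry list.
COMMON = {"123456", "123456789", "picture1", "password", "12345678",
          "whatever", "football", "iloveyou", "letmein", "pokemon"}

# Rows in which neighbouring characters count as a pattern:
# digits, the alphabet, and the three QWERTY letter rows.
SEQUENCES = ["0123456789", "abcdefghijklmnopqrstuvwxyz",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MAX_WALK = 3  # assumption: runs of 4+ adjacent characters are rejected


def longest_walk(pw):
    """Longest run of characters adjacent in one row, forwards or backwards."""
    pw = pw.lower()
    best = 1 if pw else 0
    for seq in SEQUENCES:
        run, direction = 1, 0
        for a, b in zip(pw, pw[1:]):
            i, j = seq.find(a), seq.find(b)
            step = j - i if i >= 0 and j >= 0 else 0
            if abs(step) == 1 and step == direction:
                run += 1                    # walk continues the same way
            elif abs(step) == 1:
                run, direction = 2, step    # new walk starts at this pair
            else:
                run, direction = 1, 0       # not neighbours: reset
            best = max(best, run)
    return best


def screen_password(pw, personal=()):
    """Return the reasons to reject pw; an empty list means accept.
    `personal` holds hypothetical account details (name, birth year)."""
    low, reasons = pw.lower(), []
    if low in COMMON:
        reasons.append("common")
    if longest_walk(low) > MAX_WALK:
        reasons.append("sequence")
    if re.search(r"(.)\1\1", low):          # same character 3+ times in a row
        reasons.append("repetition")
    if any(len(t) >= 3 and t.lower() in low for t in personal):
        reasons.append("personal")
    return reasons
```

A real deployment would swap the ten-entry set for a full breached-password list and keep the pattern checks as a second layer.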


If you find it hard to remember complex passwords for different accounts, you may want to consider using a password locker. If you need somewhere to start, check out our recommendations for the best password managers and vaults in 2020.
