Oh God, the Worst Passwords of 2020 Are Here and They're Horrifying

Photo: Gizmodo

We’re still doing this, huh?

It’s that time again. Each year’s end brings list after list of the worst data security sins and a ranking of password no-nos, and it appears that many of us have learned nothing from the security shortcomings of our past. According to a list of the 200 worst passwords of the year from password manager NordPass, millions of people are still using “123456” and “password” for their various login credentials, two strings that turn up year after year among the worst you can use to protect your data. And folks, we have got to stop doing this.


The most frequent offenders of years past appear again in the top 20 or so of this year’s ranking from NordPass. Most of them are some variation on the number row, such as “000000” or “123123,” and they typically take less than a second to crack. The most popular of them, “123456,” has turned up in breach data more than 23 million times on its own, according to NordPass. Likewise, any adjacent-key jumble you might think adds security to your account, such as “qwertyuiop” or “asdfghjkl,” can be cracked in under a second, the company said: keyboard walks and digit runs sit at the very top of every cracking wordlist, so a tool running them offline against a leaked hash finds them on its first pass. Below is the top 20, but you can see NordPass’s full list right here.

  1. 123456
  2. 123456789
  3. picture1
  4. password
  5. 12345678
  6. 111111
  7. 123123
  8. 12345
  9. 1234567890
  10. senha
  11. 1234567
  12. qwerty
  13. abc123
  14. Million2
  15. 000000
  16. 1234
  17. iloveyou
  18. aaron431
  19. password1
  20. qqww1122

This year, “picture1” ranked third on the list of worst passwords, a newcomer, according to the company. NordPass says this word-plus-digit combination would take about three hours to crack, which still makes it exceptionally weak. Likewise, even a password with an uppercase letter like “Million2” landed in the top 15 and was exposed more than 162,000 times. The takeaway is that any password that’s easy or memorable probably isn’t strong enough to protect your data, even if you add a number, an uppercase letter, or a special character: capitalizing the first letter, appending a digit, and swapping in leetspeak are the first mangling rules any cracking tool applies to its dictionary, so they buy almost nothing.
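To make the point concrete, here is a small checker, written for this article and not taken from NordPass or any cracking tool, that flags the three patterns the list is full of: keyboard walks along a row of keys, a short block repeated, and a common word that only looks different because of capitalization, a trailing digit, or leetspeak. The top-20 list is the one printed above; the QWERTY rows and the leet substitution table are assumptions about what a rule-based cracker tries first, not data from the page.

```python
import re
from typing import Optional

# The 2020 top 20 exactly as the article lists it.
NORDPASS_2020_TOP20 = [
    "123456", "123456789", "picture1", "password", "12345678", "111111",
    "123123", "12345", "1234567890", "senha", "1234567", "qwerty", "abc123",
    "Million2", "000000", "1234", "iloveyou", "aaron431", "password1",
    "qqww1122",
]

# Key rows of a US QWERTY keyboard (assumed layout). A run along any row, in
# either direction, is a "keyboard walk"; wordlists carry these before real words.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Substitutions a rule-based cracker undoes before a dictionary lookup,
# so "p@ssw0rd" is tried right alongside "password" (assumed rule set).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def is_keyboard_walk(pw: str, min_len: int = 4) -> bool:
    """True if pw is min_len+ consecutive keys on one row, forwards or backwards."""
    s = pw.lower()
    if len(s) < min_len:
        return False
    return any(s in row or s in row[::-1] for row in QWERTY_ROWS)


def is_repeated_block(pw: str) -> bool:
    """True if pw is a short block repeated, e.g. 111111, 000000, 123123."""
    s = pw.lower()
    # A string is periodic iff it reappears inside s+s before position len(s).
    return len(s) >= 2 and (s + s).find(s, 1) < len(s)


def normalize(pw: str) -> str:
    """Undo the first three mangling rules a cracker tries: case, a trailing
    run of digits/symbols, and leetspeak.
    "Million2" -> "million", "P@ssw0rd!" -> "password", "picture1" -> "picture"."""
    stripped = re.sub(r"[\d\W_]+$", "", pw.lower())
    return stripped.translate(LEET)


# Bases of the top-20 list, normalized the same way candidates are.
COMMON_BASES = {normalize(p) for p in NORDPASS_2020_TOP20} - {""}


def weakness(pw: str) -> Optional[str]:
    """Return why pw sits on the 'cracked in seconds' tier, or None if none of
    the article's patterns apply. Structural checks run first because a pure
    digit run would normalize to the empty string."""
    if is_keyboard_walk(pw):
        return "keyboard walk"
    if is_repeated_block(pw):
        return "repeated block"
    if normalize(pw) in COMMON_BASES:
        return "common password once case, trailing digits and leetspeak are stripped"
    return None


if __name__ == "__main__":
    samples = NORDPASS_2020_TOP20 + ["P@ssw0rd!", "Picture1!", "correct horse battery staple"]
    for candidate in samples:
        print(f"{candidate!r:32} {weakness(candidate)}")
```

Every one of the twenty entries above trips one of the three checks, and so do “P@ssw0rd!” and “Picture1!”, which is the whole point: the decorations people add are exactly the ones a cracker’s rule file already enumerates. The checker deliberately tests only the patterns the article describes; a real sign-up policy would also enforce a minimum length and check breach corpora.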

Data breaches are going to happen no matter what, but making sure that every password is long, random, and unique to each of your accounts keeps a bad actor from taking one exposed login and trying it on your other accounts, an attack known as credential stuffing. Ultimately, the easiest way to do this is to use a password manager, whether that’s a third-party service like LastPass or 1Password or something like Apple’s iCloud Keychain, since it generates the random passwords as well as storing them. Additionally, enable two-factor authentication wherever possible. (Try to avoid SMS codes where you can, since a SIM swap can redirect them to an attacker, though any 2FA is better than no 2FA.) NordPass also recommends deleting old and no-longer-used accounts.
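The “exposed 23 million times” figures come from breach corpora, and you can ask the same question about a password of your own without handing it to anyone. This added example, not code from NordPass or from the article, walks through the k-anonymity range lookup the Pwned Passwords API uses: the client SHA-1s the password, sends only the first five hex characters, receives every hash suffix under that prefix with its count, and matches the rest locally. The server side here is a constructed stand-in with a two-entry corpus whose counts are set to the article’s figures; the real endpoint is `https://api.pwnedpasswords.com/range/<prefix>` and holds hundreds of millions of entries.

```python
import hashlib
from typing import Callable, Dict, Tuple


def sha1_hex(pw: str) -> str:
    """Pwned Passwords indexes the corpus by uppercase hex SHA-1 of the password.
    SHA-1 is an index here, not a password-storage scheme."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def split_for_range_query(pw: str) -> Tuple[str, str]:
    """Split the hash into the 5-char prefix that is sent and the 35-char
    suffix that never leaves the client. 16**5 prefixes means each one
    covers many real passwords, so the server learns little from a query."""
    h = sha1_hex(pw)
    return h[:5], h[5:]


# --- server side: constructed stand-in for api.pwnedpasswords.com ----------
# Counts are constructed to match the article ("more than 23 million" for
# 123456, "more than 162,000" for Million2). Everything else is absent.
CONSTRUCTED_CORPUS: Dict[str, int] = {
    sha1_hex("123456"): 23_000_000,
    sha1_hex("Million2"): 162_000,
}


def range_endpoint(prefix: str) -> str:
    """Emulate GET /range/{prefix}: every 'SUFFIX:COUNT' line whose hash
    starts with prefix, in the CRLF-separated text format the API returns."""
    prefix = prefix.upper()
    lines = [f"{h[5:]}:{n}" for h, n in CONSTRUCTED_CORPUS.items()
             if h.startswith(prefix)]
    return "\r\n".join(lines)


# --- client side -----------------------------------------------------------
def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map."""
    out: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out


def exposure_count(pw: str,
                   fetch_range: Callable[[str], str] = range_endpoint) -> int:
    """How many times pw appears in the corpus, 0 if absent. Only the prefix
    crosses the wire; the suffix comparison happens locally."""
    prefix, suffix = split_for_range_query(pw)
    body = fetch_range(prefix)  # in production: HTTPS GET to the real endpoint
    return parse_range_response(body).get(suffix, 0)


if __name__ == "__main__":
    for pw in ["123456", "Million2", "xK9#vL2pQ!mR7wZn"]:
        print(f"{pw!r:22} seen {exposure_count(pw):,} times")
```

Swap `range_endpoint` for a function that performs the HTTPS GET and the rest is unchanged. This is how a password manager’s breach warning or a sign-up form can refuse “123456” without ever transmitting the password itself, which is also why a manager that checks your vault against breach data is not leaking it in the process.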

And please, do not use “123456” as a password. Anywhere. Don’t do it!


Times up, time to leave!

Many years ago I was doing a software upgrade in a company accounts department. It was close to Christmas and the staff were going out for their Christmas party for the afternoon. The manager shouted out to everyone to write down their passwords for me so I could access their PCs while they were gone, and to be sure to reset them the next day.

Everyone came over and slapped a Post-it on the desk I was sitting at; one gal looked very unamused and red-faced as she slapped hers down on the pile. As I worked around the office I got to her desk and found her note: her password was D1ckpupp3t.