Report: More than half of 2019’s worst passwords still in use


Internet users don’t appear to have learnt their lesson, with more than half of the 200 worst passwords from last year making it to the 2020 list.

Password management firm NordPass revealed that only 78 of the passwords on this year’s list of the most terrible – and the most common – passwords were new.

The popularity of a password was based on several factors, including how many times it had been exposed and used, and how much time it would take to crack.

Of the top 10 worst passwords, seven used only numbers, with the top offender being just ‘123456’.

The third, fourth and tenth-ranked worst passwords were words in lowercase: ‘picture1’, ‘password’ and ‘senha’, respectively. Amusingly, senha is Portuguese for password.

“According to research, the majority of people use simple and easy-to-remember passwords, because it’s convenient. But the problem is that most memorable passwords are highly vulnerable to cracking,” said the company in its report.

It found that the top 200 worst passwords generally fell into 12 categories: Numbers, Qwerty, Swear Words, Devices, Password, Names, Entertainment, Sports, Positive Words, Random Letters, Food and Miscellaneous.

Terrible passwords were usually both easy to guess and overused, which made them faster and easier to crack.

For instance, ‘123456’ was recorded as being used by 2,543,285 accounts and had been compromised 23.59 million times, and on average it took under a second to hack.

In comparison, the newer bad passwords took more time to crack and were still novel. The password ‘picture1’ had been used by 371,612 accounts and compromised 11,190 times, and took an average of three hours to hack.

NordPass recommended that the public avoid using dictionary words, number combinations, or strings of adjacent keyboard combinations like “password”, “qwerty”, or “123456”.

“Under no circumstances choose passwords based on personal details that might not be completely confidential, such as your phone number, birth date, or name,” it added.

Instead, users are advised to use a unique password for each account, make it longer than 12 characters, and use a mix of upper- and lower-case letters, numbers and symbols.
