Internet users don’t appear to have learnt their lesson, with more than half of the 200 worst passwords from last year making it to the 2020 list.
Password management firm NordPass revealed that only 78 of the passwords on this year’s list of the most terrible – and the most common – passwords were new.
The popularity of a password was based on several factors, including how many times it had been exposed, how many times it had been used, and how much time it would take to crack.
Of the top 10 worst passwords, seven only used numbers, with the top offender being just ‘123456’.
The third, fourth and tenth-ranked worst passwords were words in lowercase: ‘picture1’, ‘password’ and ‘senha’, respectively. Amusingly, senha is Portuguese for password.
“According to research, the majority of people use simple and easy-to-remember passwords, because it’s convenient. But the problem is that most memorable passwords are highly vulnerable to cracking,” said the company in its report.
It found that the top 200 worst passwords generally fell into 12 categories: Numbers, Qwerty, Swear Words, Devices, Password, Names, Entertainment, Sports, Positive Words, Random Letters, Food and Miscellaneous.
Terrible passwords were usually both easy to guess and overused, which made them faster and easier to crack.
For instance, ‘123456’ was recorded as being used by 2,543,285 accounts and had been compromised 23.59 million times, while the average time to crack it was under a second.
In comparison, the newer bad passwords took more time and were still novel. The password ‘picture1’ had been used by 371,612 accounts and compromised 11,190 times, and took an average of three hours to hack.
NordPass recommended that the public avoid using dictionary words, number combinations, or strings of adjacent keyboard combinations like “password”, “qwerty”, or “123456”.
“Under no circumstances choose passwords based on personal details that might not be completely confidential, such as your phone number, birth date, or name,” it added.
Instead, users are advised to use a unique password for each account, to make it longer than 12 characters, and to use a mix of upper- and lower-case letters, numbers and symbols.
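The recommendations above can be turned into a check run when a password is set. The following is an added example, not NordPass code: the function names, the four-character run threshold and the US QWERTY key rows are assumptions, and the short deny list holds only the passwords named in this article.

```python
import string

# Passwords named in the article; a real deployment would load a full breached-password list.
KNOWN_BAD = {"123456", "picture1", "password", "senha", "qwerty"}
# Assumption: US QWERTY rows; the digit row also covers ascending number runs.
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 13  # "longer than 12 characters"
RUN_LENGTH = 4   # assumed threshold for an adjacent-key run


def has_adjacent_run(password, run=RUN_LENGTH):
    """True if `run` consecutive characters follow a keyboard row, forwards or backwards."""
    lowered = password.lower()
    for row in KEY_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in lowered:
                    return True
    return False


def check_password(password):
    """Return the reasons a password fails the article's advice (empty list if none)."""
    problems = []
    if password.lower() in KNOWN_BAD:
        problems.append("on the common-password list")
    if len(password) < MIN_LENGTH:
        problems.append("not longer than 12 characters")
    if password.isdigit():
        problems.append("numbers only")
    if has_adjacent_run(password):
        problems.append("adjacent keyboard run")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if not all(classes):
        problems.append("missing upper case, lower case, number or symbol")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: three from the article, two made up for contrast.
    for candidate in ["123456", "picture1", "senha", "Qwerty!2020abc", "t9#Lw!vK2r@Xq7"]:
        print(candidate, "->", check_password(candidate) or "passes")
```

Uniqueness per account cannot be judged from a single password, so that recommendation is outside what this check covers.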