Oh God, the Worst Passwords of 2020 Are Here and They’re Horrifying

Oh God, the Worst Passwords of 2020 Are Here and They’re Horrifying
Photo: Gizmodo

We’re still doing this, huh?

It’s that time again. Each year’s end brings list after list of the worst data security sins and a ranking of password no-nos, and it appears that many of us have learned nothing from the security shortcomings of our past. According to a list of the 200 worst passwords of the year from password manager NordPass, millions of people are still using “123456″ and “password” for their various login credentials — passwords found year over year to be two of the worst you can use to protect your data. And folks, we have got to stop doing this.

The most frequent offenders of years past appeared again in the top 20 or so of this year’s ranking from NordPass. Those frequently involve some variation of the number bar, such as “000000″ or “123123,” and typically take less than a second to crack. The most popular among these, “123456,” has been breached more 23 million times alone, according to NordPass. Similarly, any adjacent-key letter jumble you might think is adding extra security to your account, such as “qwertyuiop” or “asdfghjkl,” can easily be cracked in less than a second’s time, the company said. Below is a sampling of the top 20 worst passwords, but you can see NordPass’s full list right here.

  1. 123456

  2. 123456789

  3. picture1

  4. password

  5. 12345678

  6. 111111

  7. 123123

  8. 12345

  9. 1234567890

  10. senha

  11. 1234567

  12. qwerty

  13. abc123

  14. Million2

  15. 000000

  16. 1234

  17. iloveyou

  18. aaron431

  19. password1

  20. qqww1122

This year, “picture1” ranked third on the list for worst passwords — that’s new, according to the company. NordPass says this word and letter combination will take about three hours to crack, but that still makes it exceptionally weak. Similarly, even a password that added an uppercase letter like “Million2″ landed in its top 15 category and was exposed more than 162,000 times. The takeaway here is that any password combination that’s easy or memorable likely isn’t strong enough to protect your data, even if you add a number, uppercase letter, or special character.

Data breaches are going to happen no matter what, but making sure that all of your passwords are complex and unique to each of your individual accounts can prevent a bad actor from using one exposed login to access your data elsewhere. Ultimately, the easiest way to do this is to use a password manager, whether that’s through a third-party service like LastPass or 1Password or something like Apple’s iCloud Keychain. Additionally, enable two-factor authentication wherever possible. (And try to use non-SMS forms that can be weaker, though any 2FA is better than no 2FA.) NordPass also recommends deleting old and no-longer-used accounts.

And please, do not use “123456” as a password. Anywhere. Don’t do it!