It doesn’t take a cryptologist to figure out that “123” isn’t exactly the hardest password to crack. Yet millions of people still use countless variations of it to lock up their digital-dependent lives, potentially exposing themselves to hackers.
In fact, more than 2.5 million people this year used “123456” as their password, which took less than one second to crack and was exposed nearly 24 million times.
That’s according to a list compiled by the password manager company NordPass, which ranked the 200 most common — and worst — passwords of 2020.
Perhaps not surprisingly, “123456” took the top spot on the company’s annual survey.
Evidently, adding more digits doesn’t help: “123456789” took the second spot and was exposed nearly 8 million times.
Using “password” as your password isn’t a great alternative, either. That ranked fourth and took less than a second to crack.
The 10 worst passwords were mostly composed of predictable number combinations, including “111111.”
But there were two new entries on this year’s list: “picture1,” which ranked third, and “senha,” which rounded out the top 10. (“Senha” is Portuguese for “password.”)
Some new passwords on NordPass’s list appear creative — such as “jacket025” and “trustno1” — but they, too, were easily cracked. There were also quite a few names on the list (sorry Ashley, Michelle, Jordan and Justin).
Other popular passwords include:
Despite constant warnings from cybersecurity experts about the dangers of online hacking, NordPass found that many of the most commonly used passwords in 2019 were still being used this year.
Chad Hammond, a security expert with the company, said that if you recognize your password among the top 200, change it immediately.
“Most of these passwords can be hacked in less than a second. Also, they have already been exposed in previous data breaches,” he said in a news release.
In recent years, the data of hundreds of millions of people have been breached. According to the database company Statista, breaches in the U.S. last year exposed nearly 165 million sensitive records.
Such exposure can be pricey. Identity theft can cost people thousands of dollars to resolve. The 2020 Identity Fraud Report by Javelin Strategy & Research found that fraud losses grew to nearly $17 billion in 2019, with consumers facing $3.5 billion in out-of-pocket costs that year.
Experts say strengthening passwords is a simple way to keep your personal information from becoming public.
“For example, your weak password can be used for credential stuffing attacks, where the breached logins are used to gain unauthorized access to user accounts. If you fall victim to a credential stuffing attack, you might lose your Facebook or another important account with all its content,” Hammond said.
“Also, your email address could be used for phishing attacks or for scamming your family and friends, who may very well fall for it, as the email will supposedly be coming from you,” he said.
NordPass recommends using complex, lengthy and unique passwords and then storing them in a password manager. Also, delete accounts you no longer use and regularly check the ones you do for suspicious activity.
- Use at least 10 characters; 12 is ideal for most home users.
- Try to be unpredictable. Don’t use names, dates or common words. Mix numbers, symbols and capital letters into the middle of your password, not at the beginning or end.
- Never use phone numbers, addresses, birthdays, your Social Security number, your name, family members’ names or pets’ names in your password.
- Don’t use the same password for many accounts. If it’s stolen from you — or from one of the companies where you do business — thieves can use it to take over all your accounts.
- Don’t share passwords on the phone, in texts or by email. Legitimate companies will not ask you for your password.
- Opt for two-factor authentication (2FA) or multi-factor authentication whenever offered to add an extra layer of protection to your accounts.
- Change your passwords regularly. Every three months is a good rule of thumb.
And remember, if you’re tired of trying to come up with clever passwords and you just type in “whatever,” that took less than a second to crack and was exposed nearly 200,000 times this year.
NordPass’s list of passwords was compiled in partnership with a third-party company specializing in data breach research. They evaluated a database that contained 275,699,516 passwords in total.