The most common passwords of 2020 are atrocious

Shawn Knight

Posts: 12,692   +124
Staff member
Bottom line: Choosing secure passwords has never been humanity’s strong suit and let’s face it, it’s never going to be. People simply have too many accounts to protect these days, leading to poor practices such as simplifying passwords to make them easier to remember and reusing the same password across multiple accounts.

Countless efforts have been made to encourage best practices. There’s no shortage of password managers on the market capable of storing complex passwords for all of your accounts with a single master password. Some have even invested heavily in eliminating traditional passwords entirely.

Yet, here we are at the end of 2020, looking at a list of the top 200 most common passwords that is remarkably similar to the same list we see year in and year out. Will we ever learn?

According to password manager NordPass, the top five worst passwords of 2020 include 123456, 123456789, picture1, password and 12345678, in that order. Excluding picture1, each of the other four common passwords would take less than one second to crack.

If you need help creating a strong password, NordPass has some advice. Never reuse passwords across multiple accounts – each account should have its own unique password that consists of no less than 12 characters. A mix of upper- and lower-case letters, symbols and numbers will reduce the risk of having your password cracked. It’s also a good idea to change your password on a regular basis – say, every 90 days.

For many, a password manager is the way to go. It uses just one master password, can create unique, complex passwords for all of your accounts and stores them in an encrypted vault. Most managers can even auto-fill credential fields to expedite the login process.

Image credit: Kaspars Grinvalds, Vitalil Vodolazskyi

Permalink to story.

 

Plutoisaplanet

Posts: 333   +405
For anyone who doesn't use a password manager, here's what my previous generated password was for TechSpot (no other site had this password). I'm probably going to change it again in a couple of months.
 

Neojt

Posts: 243   +80
So after reading this part

"According to password manager NordPass, the top five worst passwords of 2020 include 123456, 123456789, picture1, password and 12345678, in that order. Excluding picture1, each of the other four common passwords would take less than one second to crack."

Your telling me its better to put all my username/passwrod and where to use it in a platform that appears to know the top 5 worst passwords that its users have. humm let me no be convinced here!

I use password manager, but an offline version (keypass) dont trust these platforms with all my creds
 

RedBlu

Posts: 10   +11
"NordPass has some advice. Never reuse passwords across multiple accounts – each account should have its own unique password that consists of no less than 12 characters. A mix of upper- and lower-case letters, symbols and numbers will reduce the risk of having your password cracked."
Argh. I hate this recommendation. A randomly generated password of letters, numbers, and symbols has only ~80 possibilities per symbol. For a n-length password that's only 80^n possible combinations. In this case 6.2x10^22 for a 12 character password that is impossible for regular humans to remember.

OR, use a dictionary five-word passphrase which for the Oxford dictionary would be 170000^5=1.4x10^26 possible combinations IF the attacker even knows what dictionary you're using. Hell, throw in a Spanish dictionary and you double the entropy to 340000^5=4.5x10^27. "batterystaplesiestaequivilentyoga" is more memorable and type-able than "Ks4&9^eFDEPI", AND you can always salt it with a random capital letter, number, or symbol too.

Edit: so even "batterystapleSiestaequivilentyoga" is more secure since, even if the attacker knows you're using an oxford and spanish dictionary AND capitalizing a word in the phrase again doubles the entropy to 680000^5=1.4x10^29 combinations. Equivalently, a bruteforce attack with only lower- and uppercase alphabet (52^33) has 33^52 combinations.
 
Last edited:

wiyosaya

Posts: 5,486   +3,582
Argh. I hate this recommendation. A randomly generated password of letters, numbers, and symbols has only ~80 possibilities per symbol. For a n-length password that's only 80^n possible combinations. In this case 6.2x10^22 for a 12 character password that is impossible for regular humans to remember.

OR, use a dictionary five-word passphrase which for the Oxford dictionary would be 170000^5=1.4x10^26 possible combinations IF the attacker even knows what dictionary you're using. Hell, throw in a Spanish dictionary and you double the entropy to 340000^5=4.5x10^27. "batterystaplesiestaequivilentyoga" is more memorable and type-able than "Ks4&9^eFDEPI", AND you can always salt it with a random capital letter, number, or symbol too.

Edit: so even "batterystapleSiestaequivilentyoga" is more secure since, even if the attacker knows you're using an oxford and spanish dictionary AND capitalizing a word in the phrase again doubles the entropy to 680000^5=1.4x10^29 combinations. Equivalently, a bruteforce attack with only lower- and uppercase alphabet (52^33) has 33^52 combinations.
Best comment of the day, IMO. This is consistent with the current password advice from CERT. https://us-cert.cisa.gov/ncas/current-activity/2018/03/27/Creating-and-Managing-Strong-Passwords
I do use the same password in multiple sites, however, at least one of them is a 50 character long phrase. Another one is a 30 character long phrase. There is no way that any human, or computer, for that matter, is going to crack either of those. Even a simple phrase with characters and/or numbers in it is going to be difficult to crack. The best thing about phrases is that they are easy to remember. A string of random characters is not easy to remember.
 

Mister_K

Posts: 1,979   +632
I use Dashlane for a lot of websites to auto-generate the password. For the ones I access frequently I have 3 trier password system. Less important sites phrase 1, more important sites phrase 2 and any financial or email related accounts are phrase 3.
 

p51d007

Posts: 2,565   +1,845
I still say that people that do this, should make their password, the word "incorrect". That way, when they enter it wrong, it will pop up and say "your password is INCORRECT" making it much
easier for them LOL.
 
  • Like
Reactions: killmess and Tommis

brucek

Posts: 577   +700
TechSpot Elite
An interesting report to present in parallel to this would from the customer service managers at any large operation, involving how much of their time is wasted by customers who can not remember their passwords. Certainly I have people in my life who no matter what I do to try and coach them, I will get panicked calls about them being locked out of their Apple, Google, or Facebook ecosystems because they forgot their password, again (meaning they also forgot where they wrote it down, or what they did with that piece of paper, etc.) These are the same people who are going to tune out before you can finish saying "password manager".
 
  • Like
Reactions: CPO2U

Godel

Posts: 246   +144
It is NOT a good idea to change your passwords every three months, both American NIST and British GCHQ recommendations say so.

The current advice is to choose a decent password to start with and only change it if your organization has been hacked. Use a password manager!
 
  • Like
Reactions: CPO2U

DrSuess

Posts: 35   +12
So after reading this part

"According to password manager NordPass, the top five worst passwords of 2020 include 123456, 123456789, picture1, password and 12345678, in that order. Excluding picture1, each of the other four common passwords would take less than one second to crack."

Your telling me its better to put all my username/passwrod and where to use it in a platform that appears to know the top 5 worst passwords that its users have. humm let me no be convinced here!

I use password manager, but an offline version (keypass) dont trust these platforms with all my creds
I use an online password manager but it requires a FIDO2 hardware key. If you have my username and password you still cannot access my passwords without the FIDO2 hardware key. The usernames/passwords are encrypted with AES 256 and cannot be decrypted without the hardware key. Password managers are fine if they support multi-factor authentication (MFA)
 
  • Like
Reactions: CPO2U

QuaZulu

Posts: 76   +18
TechSpot Elite
Color me skeptical ... but how in the heck does NordPass know what "the most popular passwords" are?! Seems to me to be an advertising ploy for their program. Throw this "news" out there every few months (how many times have I read this same story - just switch out the year) and see a few people running to NordPass for a "solution" every time. See?! They even got me to say "NordPass" three times! Argg!
 
  • Like
Reactions: CPO2U and killmess

wujj123456

Posts: 43   +16
TechSpot Elite
Best comment of the day, IMO. This is consistent with the current password advice from CERT. https://us-cert.cisa.gov/ncas/current-activity/2018/03/27/Creating-and-Managing-Strong-Passwords
I do use the same password in multiple sites, however, at least one of them is a 50 character long phrase. Another one is a 30 character long phrase. There is no way that any human, or computer, for that matter, is going to crack either of those. Even a simple phrase with characters and/or numbers in it is going to be difficult to crack. The best thing about phrases is that they are easy to remember. A string of random characters is not easy to remember.
"Never reuse passwords across multiple accounts."

While you other points are true, this specific part of not reusing password is orthogonal to how strong your password is. You never know which website you registered is storing your password in plaintext in a database not properly secured from the public. There has been no shortage of such embarrassing leaks. Using unique password for each website helps to ensure one clueless website/admin can't screw you over multiple websites.

Sure no way you can remember 100+ unique long passwords or passphrases, which is where password manager comes in. Keep the long and strong password you will actually remember as the password for the manager and generate everything thing you hand out randomly.
 

poohbear

Posts: 520   +409
"According to password manager NordPass, the top five worst passwords of 2020 include 123456, 123456789, picture1, password and 12345678, in that order. Excluding picture1, each of the other four common passwords would take less than one second to crack."
But don't they have a business incentive with this recommendation?

Also, what if someone hacks your password manager? You just put all your eggs in one basket and BOOM, it's hacked!
 
  • Like
Reactions: CPO2U and wiyosaya

captaincranky

Posts: 16,211   +4,971
I'm not sure I need one of these long complex passwords for sites like Techspot. After all, what's the worst thing that could happen if my Techspot password was hacked? Someone would break in and play nice with the other children?

Let's face facts. Should someone hack my account, and was rude, insolent, hated Donald Trump and Elon Musk, you think it was me anyway. :p :rolleyes:
 
Last edited:
  • Like
Reactions: CPO2U

Neojt

Posts: 243   +80
But don't they have a business incentive with this recommendation?

Also, what if someone hacks your password manager? You just put all your eggs in one basket and BOOM, it's hacked!
Yeah because good point ppl that use "password" as their bank credential are most likely to have a weak password on their password manager.

plus if everyone is on them, that means hacker simply just have to focus all of their attacks at a single point.
 

CrisisDog

Posts: 201   +101
I do use the same password in multiple sites, however, at least one of them is a 50 character long phrase. Another one is a 30 character long phrase. There is no way that any human, or computer, for that matter, is going to crack either of those. Even a simple phrase with characters and/or numbers in it is going to be difficult to crack. The best thing about phrases is that they are easy to remember. A string of random characters is not easy to remember.
It's not a matter of cracking the password, it's a matter of some IT guy on the other end not running patch to properly secure your credentials. Your system may get a keylogger installed without your knowledge also. So, yeah, using same password across multiple sites = bad idea.
 

Puiu

Posts: 4,145   +2,785
TechSpot Elite
I'm not sure I need one of these long complex passwords for sites like Techspot. After all, what's the worst thing that could happen if my Techspot password was hacked? Someone would break in and play nice with the other children?

Let's face facts. Should someone hack my account, and was rude, insolent, hated Donald Trump and Elon Musk, you think it was me anyway. :p :rolleyes:
Worse, they could change your avatar... that's crazy.
 

Avro Arrow

Posts: 374   +393
I have a very different way of generating passwords that are very secure and I can remember in my own head.

Of course, I'm not going to say anything more about it. :D
 

CPO2U

Posts: 76   +33
I have a very different way of generating passwords that are very secure and I can remember in my own head.

Of course, I'm not going to say anything more about it. :D
My name is Professor Xavier, and... man... you have some STUFF in your head! 😂
 

ziffel66

Posts: 81   +110
This type of article, the advert disguised as an article, is the way most sites are dealing with ad-blockers, it would seem. This is just an ad for NordPass.