Worst passwords of the decade: A historical analysis

March 15, 2021 by

Christine McKenzie

Cybersecurity breaches are on the rise, so it’s perplexing that so many people continue to use the same basic passwords. Perhaps it’s the exhaustion of having to remember dozens of unique passwords? Whatever the reason, using a “bad” password won’t keep the bad guys out. 

In an effort to raise awareness about the dangers of poor account security, password manager NordPass released an exhaustive list of the 100 worst passwords of the year. Curious cybersecurity minds might also be wondering, “exactly how much has password security changed in the last 10 years?” We’ve got an answer for you! 

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

VIEW PRICING

What’s a “bad” password? 

So, what makes a password bad? There are a couple of things that cybersecurity experts recommend avoiding when creating a password: 

• Passwords that are easily guessable, like “password,” “user” or your username
• Passwords based on words found in the dictionary 
• Passwords made from adjacent keyboard combinations, like “123456,” “qwerty” or “asdfghj” 
• Passwords that are less than eight characters in length (short passwords are way easier to crack via brute force methods) 
• Passwords that have been re-used across multiple sites 

Now that we have an idea of what constitutes a weak password, let’s jump into those lists of the worst passwords from the past decade. 

Worst passwords of 2020

The year 2020 is in the rearview mirror, but just like a bad dream, some of the worst passwords of the year are lingering at the dawn of this new decade. And thanks to password management tool NordPass, we can ogle the worst of the bunch and try not to cringe inwardly if we recognize any of them from our own password rolodexes. 

Here are the top 20 worst passwords of 2020 (if you’d like to view all 100, check out the NordPass list): 

1. 123456
2. 123456789
3. picture1
4. password
5. 12345678
6. 111111
7. 123123
8. 12345
9. 1234567890
10. Senha
11. 1234567
12. qwerty
13. abc123
14. Million2
15. 000000
16. 1234
17. iloveyou
18. aaron431
19. password1
20. qqww1122

Notice any patterns? Lots of these passwords are based on adjacent keyword sequences like “1234567” and “qwerty.” Others are obvious (“password”) or dictionary words (“million” and “picture”). None contain special characters, and most are shorter than the recommended 10 character minimum. In fact, many of the items on this password list would take a hacker less than one second to crack. That means in less time than it takes for you to read this sentence, someone would have broken into your account. Yikes! 

So, how do 2020’s worst passwords stack up against the worst of 2011? 

Time capsule: Worst passwords of 2011

Let’s step back in time for a moment. A lot has happened in the world since 2011 — especially in the world of cybersecurity. In the last decade, major organizations like Target, Equifax and the Democratic National Convention (DNC) have lost millions of log-in credentials and billions of pieces of sensitive user-data including names, social security numbers, credit card numbers, and private email conversations. We’ve also seen a dramatic rise in the number of reported data breaches. While in 2010 just over 660 breaches were recorded, that number rose to 1,500 in 2019. 

In light of that, we should expect today’s passwords to be much stronger than they were a decade ago, right? Not so fast. Take a look at the worst password list of 2011, according to a report by SplashData: 

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. Football

What changed? 

If you’re asking yourself that question, you may be surprised to learn that the decade’s most common passwords haven’t changed as much as you might have expected. In fact, the lists share more than one overlap, although ranks have shifted around a bit. 

• The password “Password” went from #1 in 2011 to #4 in 2020, and “123456” rose in the ranks from #2 in 2011 to #1 in 2020. The ever-popular “qwerty” has dropped from #4 in 2011 to #12.
• Random names are still a thing in 2020, but different names — while Ashley (#16), Bailey (#17), and Michael (#24) reigned supreme in 2011, they’ve given up the crown to Aaron (#18) in 2020.
• In general, 2020 passwords appear to utilize more number and letter sequences, whereas in 2011, names and dictionary words (football, superman, dragon, sunshine) were more popular. 

What stayed the same?

A handful of the passwords that gained notoriety in 2011 are stubbornly clinging to the password list in 2020. These include 111111, 123456, 123123, password and qwerty. Despite having a decade to take them out of rotation, many users opted to keep using these common passwords. Why? The answer most likely lies with a phenomenon called password fatigue. 

In a nutshell, password fatigue describes the frustration and exhaustion of having to memorize dozens of different passwords for a whole range of accounts, from email clients to banking apps. One of the side effects of password fatigue is that people, understandably, get lazy. They reuse the same common passwords over and over again. They fall back on the same basic, easy-to-remember passwords like “password.” While that alleviates the daily frustration of password fatigue, it leaves accounts wide-open to attackers. 

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

VIEW PRICING

Future of passwords

Passwords have been a staple of account security for years, but some cybersecurity experts are looking ahead to a passwordless future. Password fatigue is real, and hackers are getting better at guessing, cracking and stealing passwords. In the coming years, we may see passwords replaced by newer, sleeker passwordless systems like Web Authentication and Client to Authenticator Protocol (CTAP). But in the meantime, it’s recommended that you stick to password best practices when securing your accounts.

Was your password on the list? If it was, don’t be embarrassed — you’re obviously not alone! Instead, take this as a wake-up call that your password isn’t actually as secure as you once thought it was. Take this opportunity to update your passwords to something harder to crack, or better yet, invest in a password manager like LastPass or Dashlane. Make 2021 the year you kiss your old password goodbye, and ring in the new decade with safety, security and peace of mind.

Sources

• Top 200 most common, NordPass
• Annual number of data breaches and exposed records, Statistica
• A brief history of the password problem, TeamsID
• What is password fatigue?, JumpCloud
• FIDO2: WebAuthn & CTAP, FIDO Alliance