What the 2020 Most Common Passwords Reveal About Your Online Security
A recent NordPass analysis of the 200 most common passwords in 2020 shows why simple strings like "123456" dominate and how millions of accounts are exposed, and it offers practical advice on creating stronger, unique passwords to protect against breaches and phishing attacks.
Preface
Yesterday a friend’s account on a shopping site was hijacked because she used an extremely simple password – literally "password". The breach was detected quickly, the account was recovered, and she was warned never to use such weak passwords again.
NordPass Report
After handling other matters, I looked up the NordPass password manager’s report on the 200 most common passwords of 2020 (see https://nordpass.com/most-common-passwords-list/).
The top password is "123456", used by over 2.5 million people and responsible for more than 23 million data‑leak incidents. "123456789" and "password" rank second and fourth, with 960 000 and 360 000 users respectively.
Surprisingly, the third‑ranked entry is a newly listed password, "picture1", which is slightly harder to crack (about three hours) than the other top‑ten passwords, which can be broken in seconds.
The fifth to tenth most common passwords are "12345678", "111111", "123123", "12345", "1234567890", and "senha". Notably, "12345" dropped from first to eighth place, likely due to increased minimum‑length requirements on many sites. "senha" simply means “password” in Portuguese, explaining its prevalence in Portuguese‑speaking regions.
NordPass notes that many users choose simple passwords for ease of memorisation, which makes them extremely vulnerable. The list is dominated by sequential numbers, keyboard‑order letters, common English words (names, sports, foods), and everyday phrases.
12 Common Password Categories
Security Advice
Based on these findings, NordPass recommends the following password‑management practices:
Use strong passwords and avoid weak ones
Do not reuse the same password across multiple accounts; each account should have a unique password that you can remember. Consider using a password manager to generate and store complex passwords.
Ensure passwords are sufficiently long and complex, mixing uppercase and lowercase letters, numbers, and symbols. Change passwords regularly and avoid predictable patterns such as "password", "qwerty", "123456", "aaaa", or "123abc". Never use personal information like phone numbers, birth dates, or names.
Insert random characters and delete unused accounts
Add random characters to make passwords less predictable, and promptly remove accounts you no longer use to reduce exposure risk.
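The patterns named above (listed passwords, repeated blocks, number and keyboard runs, personal information) can be rejected when a password is set. The following checker is an added example, not code from NordPass or from the original article; the function names, the 12-character minimum and the 4-character run threshold are assumptions chosen for illustration.

```python
import re

# Passwords named on this page: the NordPass 2020 top ten plus the advice examples.
COMMON = {"123456", "123456789", "picture1", "password", "12345678", "111111",
          "123123", "12345", "1234567890", "senha", "qwerty", "aaaa", "123abc"}

# Number and keyboard-row orderings; walking along one of these is predictable.
ROWS = ["1234567890", "abcdefghijklmnopqrstuvwxyz",
        "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def longest_run(pw, min_len=4):
    """Longest substring of pw that follows a row forwards or backwards
    (0 when no run reaches min_len characters)."""
    low, best = pw.lower(), 0
    for row in ROWS + [r[::-1] for r in ROWS]:
        for i in range(len(low)):
            for j in range(i + min_len, len(low) + 1):
                if low[i:j] not in row:
                    break
                best = max(best, j - i)
    return best

def weaknesses(pw, min_length=12, personal=()):
    """Return the reasons pw is weak; an empty list means every check passed.
    min_length=12 and the 4-character run threshold are assumed policy values."""
    low, found = pw.lower(), []
    # Exact match, or a longer password built around a listed one.
    if any(low == c or (len(c) >= 6 and c in low) for c in COMMON):
        found.append("common")
    if len(pw) < min_length:
        found.append("short")
    # One block repeated end to end: "aaaa", "123123", "abcabc".
    if re.fullmatch(r"(.+?)\1+", low):
        found.append("repeated")
    if longest_run(pw):
        found.append("sequence")
    # Require at least three of: lowercase, uppercase, digit, symbol.
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, pw)) for c in classes) < 3:
        found.append("few-classes")
    # Names, birth dates, phone numbers supplied by the caller.
    if any(p and p.lower() in low for p in personal):
        found.append("personal")
    return found
```

In a real deployment the `COMMON` set would be replaced by a full breached-password list; the thirteen entries here are only the ones this article mentions.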
Also be aware that phishing emails can lead to credential theft; avoid clicking unknown links.
Losing an account is distressing and can cause further losses, so always pay attention to password security.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
