People are still using very simple passwords, with many of them similar to the ones they used in 2019, according to NordPass.
Choosing and using the right type of password is one of the biggest challenges for technology users. Creating and managing a strong, unique password for every account is impractical without some kind of help, and reusing the same weak password everywhere exposes you to a greater risk of your accounts being compromised.
In the face of those challenges, many people still rely on passwords that are simple and easy to remember but provide little or no security. A report published Wednesday by password manager NordPass reveals the most common passwords for 2020 and offers advice on how to gravitate toward more secure ones.
Passwords that lead to data breaches
Among the 200 most commonly used passwords this year, "123456" took first place, used by more than 2.5 million people and exposed more than 23 million times in data breaches, according to NordPass's research. In second place was "123456789," used by more than 961,000 people and exposed more than 7.8 million times in breaches.
Taking third place was "picture1," a password new to the list of the 200 most common ones, and a bit more secure than the usual suspects. In the fourth spot was "password," followed by "12345678" in fifth place. Rounding out the top 10 were "111111," "123123," "12345," "1234567890," and finally, "senha," which is Portuguese for "password."
Among the 10 most common passwords, eight would take an attacker less than a second to crack, by NordPass's estimate. "Senha" would take 10 seconds, and only "picture1" would put up more of a fight, at three hours. Crack-time figures like these depend on the hashing scheme and hardware assumed: a password stored with a slow, salted hash holds out longer than the same one stored as an unsalted MD5 or SHA-1 digest, though anything on a top-10 list falls to a wordlist attack regardless.
"Most of these passwords can be hacked in less than a second," NordPass security expert Chad Hammond said in a press release. "Also, they have already been exposed in previous data breaches. For example, the most popular password '123456' has been breached 23,597,311 times."
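The exposure counts quoted above are the kind of figure a breach corpus returns for a given password. The following is an added example, not code from the article or from NordPass, showing how a client can ask such a corpus whether a password has been exposed without sending the password itself: it hashes the password with SHA-1, sends only the first five hex characters of the digest (the k-anonymity "range" lookup used by the Pwned Passwords API at api.pwnedpasswords.com), and searches the returned bucket locally for the remaining 35 characters. The range response here is a constructed sample; only the first entry is real (the SHA-1 of "123456" with the exposure count quoted in the article), the other two lines are filler.

```python
from __future__ import annotations

import hashlib

# Constructed sample of a k-anonymity "range" response for the SHA-1 prefix
# 7C4A8. Each line is "<35-hex-char digest suffix>:<exposure count>". The
# first entry is real: SHA-1("123456") = 7c4a8d09ca3762af61e59520943dc26494f8941b
# and the count is the figure quoted in the article. The other two lines are
# made-up filler so the bucket has more than one member.
SAMPLE_RANGE_7C4A8 = """\
D09CA3762AF61E59520943DC26494F8941B:23597311
0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:3
FFEEDDCCBBAA99887766554433221100FFE:12
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that leaves the machine and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def exposure_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the corpus (0 if absent).
    fetch_range(prefix) must return the text of the range response."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for the network call; only bucket 7C4A8 is populated."""
    return SAMPLE_RANGE_7C4A8 if prefix == "7C4A8" else ""


def fetch_range_live(prefix: str) -> str:
    """Real lookup against the Pwned Passwords range endpoint. Not called in
    this example so that it runs offline; swap it in for fake_fetch to use it."""
    from urllib.request import urlopen

    with urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("123456", "correct horse battery staple"):
        print(f"{pw!r}: exposed {exposure_count(pw, fake_fetch)} times")
```

Because the server only ever sees a 5-character prefix shared by roughly a few hundred other digests, it cannot tell which password was checked; the client does the final comparison. A site can run the same check at sign-up or password change and reject anything with a non-zero count.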
Despite the risks, people keep using passwords that are easy to remember or that they already use elsewhere. More specifically, many people turn to familiar categories or topics to devise a password. NordPass's research found that runs of consecutive digits are perennially popular since they are simple to remember and type. Strings that walk along the qwerty rows of a keyboard fall into the same mold.
Other people create passwords based on such categories as entertainment ("pokemon," "superman," "batman"), sports ("football," "soccer," "baseball"), food ("chocolate," "cookie," "pepper"), and devices ("myspace1," "computer," "samsung"). Still others turn to positive words, names, and even swear words.
"Your weak password can be used for credential stuffing attacks, where the breached logins are used to gain unauthorized access to user accounts," Hammond said. "If you fall victim to a credential stuffing attack, you might lose your Facebook or another important account with all its content. Also, your email address could be used for phishing attacks or for scamming your family and friends, who may very well fall for it, as the email will supposedly be coming from you."
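Credential stuffing has a recognisable shape in authentication logs: one source tries a long list of different usernames, typically once or twice each, because it is replaying username/password pairs from a breach rather than guessing passwords for a single account. The following is an added example, not from the article or from NordPass, of detection logic that flags a source address once it has attempted at least five distinct accounts inside a five-minute window and reports which of those logins succeeded (the accounts that need a forced reset). The log lines and their "timestamp ip username result" layout are constructed for this example; a real deployment would adapt the parser to its own format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Format assumed for this example: "<ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>".
# 203.0.113.7 tries six different accounts in a few seconds (stuffing pattern,
# one success); 198.51.100.4 is one user mistyping their own password.
SAMPLE_LOG = """\
2020-11-18T10:00:01Z 203.0.113.7 alice LOGIN_FAIL
2020-11-18T10:00:02Z 203.0.113.7 bob LOGIN_FAIL
2020-11-18T10:00:02Z 203.0.113.7 carol LOGIN_FAIL
2020-11-18T10:00:03Z 203.0.113.7 dave LOGIN_OK
2020-11-18T10:00:04Z 203.0.113.7 erin LOGIN_FAIL
2020-11-18T10:00:05Z 203.0.113.7 frank LOGIN_FAIL
2020-11-18T10:00:30Z 198.51.100.4 alice LOGIN_FAIL
2020-11-18T10:00:45Z 198.51.100.4 alice LOGIN_FAIL
2020-11-18T10:01:10Z 198.51.100.4 alice LOGIN_OK
2020-11-18T10:05:00Z 192.0.2.9 grace LOGIN_OK
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def stuffing_sources(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: (distinct usernames tried, sorted list of usernames that
    logged in successfully)} for every source IP that attempted at least
    min_users distinct accounts within any sliding window of length `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            # All events from this source that fall within `window` of `start`.
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_users:
                successes = sorted(u for _, u, r in in_window if r == "LOGIN_OK")
                flagged[ip] = (len(users), successes)
                break  # one hit per source is enough
    return flagged


if __name__ == "__main__":
    for ip, (n_users, hits) in stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: tried {n_users} distinct accounts, succeeded on {hits}")
```

The distinct-username count is what separates stuffing from an ordinary brute-force or a forgetful user: 198.51.100.4 fails three times but only against one account, so it is not flagged, while 203.0.113.7 is flagged after its sixth username and its one successful login ("dave") is reported for follow-up.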
Tips for managing passwords
In its report, NordPass provided a few tips for managing your passwords and your cybersecurity.
- Create a strong password. Never reuse passwords across multiple accounts. Create a unique one for each account and make them long: don't settle for anything shorter than 12 characters, and go longer if you can. Use a mix of upper- and lower-case letters, numbers, and symbols to significantly lower the risk of your passwords being cracked. NordPass also advises changing your passwords at least every 90 days; note that current NIST guidance (SP 800-63B) recommends against forced periodic rotation and instead calls for changing a password when there is evidence it has been compromised. To create a complex, robust password, take advantage of a password generator.
- Avoid a weak password. Avoid dictionary words, simple number sequences, and strings of adjacent keyboard keys. For instance, "password," "qwerty," and "123456" are terrible passwords because they are too easy to crack. Also refrain from repeated or sequential characters, such as "aaaa" or "123abc." Under no circumstances choose passwords based on personal details that might not be completely confidential, such as your phone number, birth date, or name.
- Try what NordPass calls password salting: add a few random characters of your own to a password before you use it, so that a leaked or guessed base word no longer matches. This is unrelated to cryptographic salting, in which the server appends a random value before hashing a password; that protects stored hashes and is the site's job, not the user's. You can learn more about NordPass's version in its blog post from August 2020.
- Delete the accounts you no longer use and regularly check the ones you do for suspicious activity.
- Use two-factor authentication when possible.
- Use a password manager. Memorizing a number of random, complex passwords and having to manually type them every time is no picnic. Thankfully, you can make your life easier with a password manager. Such tools can generate unique, strong passwords, securely store them in an encrypted vault, and use the autofill feature to log in to your online accounts on the go.
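The patterns the report singles out (consecutive digits, qwerty walks, dictionary and category words, repeated characters, personal details, short length, few character classes) are all mechanically checkable, which is how a sign-up form or a password manager's strength meter enforces them. The following is an added example, not code from NordPass or the article, of such a checker. The blocklists are deliberately tiny and built only from words the article cites (a real deployment would load a large breach-derived list); the three-character run length and the 12-character minimum are tunable assumptions, and the `personal` argument is an assumed hook through which a site passes details it already knows about the user, such as their name or birth year.

```python
from __future__ import annotations

import re

# Constructed, deliberately tiny blocklists drawn from the words the article
# cites. A real deployment would load a large breach-derived list instead.
TOP_COMMON = {
    "123456", "123456789", "picture1", "password", "12345678",
    "111111", "123123", "12345", "1234567890", "senha",
}
CATEGORY_WORDS = {
    "pokemon", "superman", "batman", "football", "soccer", "baseball",
    "chocolate", "cookie", "pepper", "myspace", "computer", "samsung",
    "password", "qwerty", "senha",
}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
DIGITS = "0123456789"
LETTERS = "abcdefghijklmnopqrstuvwxyz"
RUN_LEN = 3   # assumed: shortest run treated as a sequence/walk ("123", "abc", "qwe")
MIN_LEN = 12  # the article's recommended minimum length


def _has_run(pw: str, alphabet: str, n: int) -> bool:
    """True if pw contains n consecutive characters that all lie in `alphabet`
    and step through it by exactly +1 or exactly -1 (e.g. "345", "cba", "ert")."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        if all(c in alphabet for c in window):
            idx = [alphabet.index(c) for c in window]
            steps = {b - a for a, b in zip(idx, idx[1:])}
            if steps == {1} or steps == {-1}:
                return True
    return False


def weaknesses(pw: str, personal: tuple[str, ...] = ()) -> list[str]:
    """Return every weakness found in pw; an empty list means it passed."""
    found: list[str] = []
    low = pw.lower()
    if len(pw) < MIN_LEN:
        found.append(f"shorter than {MIN_LEN} characters")
    if low in TOP_COMMON:
        found.append("on the most-common list")
    # Strip digits/symbols so "pokemon1" or "myspace1" still match the base word.
    if re.sub(r"[^a-z]", "", low) in CATEGORY_WORDS:
        found.append("dictionary/category word")
    if _has_run(pw, DIGITS, RUN_LEN):
        found.append("sequential digits")
    if _has_run(pw, LETTERS, RUN_LEN):
        found.append("sequential letters")
    if any(_has_run(pw, row, RUN_LEN) for row in KEYBOARD_ROWS):
        found.append("keyboard walk")
    if re.search(r"(.)\1{2,}", pw):
        found.append("repeated character")
    for item in personal:
        if item and item.lower() in low:
            found.append(f"contains personal detail {item!r}")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        found.append("fewer than three character classes")
    return found


def is_strong(pw: str, personal: tuple[str, ...] = ()) -> bool:
    return not weaknesses(pw, personal)


if __name__ == "__main__":
    for candidate in ("123456", "qwerty123", "aaaa1111", "Gr4vity-Lemon$Tide9"):
        print(f"{candidate!r}: {weaknesses(candidate) or 'ok'}")
```

The checks are independent, so one input can trip several at once ("qwerty123" is a category word, a keyboard walk and a digit sequence). A short run length catches the article's "123abc" but also flags innocent substrings such as "stu" in a longer passphrase, so in practice the run-based checks are best used as a score contribution rather than a hard reject, while the most-common-list and personal-detail checks stay hard rejects.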
NordPass compiled the list of passwords in partnership with a third-party provider, which analyzed a database of 275,699,516 passwords. Of those, just 122,894,788, or 44% of them, were unique.