Year after year, analyses show that millions of people make, to put it mildly, questionable choices when it comes to the passwords they use to protect their accounts. And fresh statistics for the year that is drawing to a close confirm that bad habits do die hard and many people willingly put themselves in the firing line of account-takeover attacks.

Drawing on an analysis of a total of 500 million passwords that were leaked in various data breaches in 2019, NordPass found that ‘12345’, ‘123456’ and ‘123456789’ reigned supreme in order of frequency. Between them, these numerical strings were used to ‘secure’ a total of 6.3 million accounts. It doesn’t get much more optimistic further down the list, however, as these three choices were followed by ‘test1’ and, the one and only, ‘password’.

Somewhat predictably, the chart is overall replete with many usual suspects among the most common passwords – think ‘asdf’, ‘qwerty’, ‘iloveyou’ and various other stalwart choices. Other supremely hackable passwords – including simple numerical strings, common names, and rows of keys – also abound. Much the same picture is painted annually by SplashData’s lists of the most-used passwords, such as last year, the year before that, and so on.

The entire list of the 200 most popular passwords is available in NordPass’ blog post, but here’s at least the top 25. Let that sink in.

1    12345
2    123456
3    123456789
4    test1
5    password
6    12345678
7    zinch
8    g_czechout
9    asdf
10    qwerty
11    1234567890
12    1234567
13    Aa123456.
14    iloveyou
15    1234
16    abc123
17    111111
18    123123
19    dubsmash
20    test
21    princess
22    qwertyuiop
23    sunshine
24    BvtTest123
25    11111

Eerily familiar?

If you recognize any of the above as your own, then fixing your passwords is almost certainly one of the things that deserve a place on your laundry list of New Year’s resolutions. For starters, fixing here means not having the exact same idea as millions of other people when you’re signing up to a service and are asked to create your password.

One way to go about this is opt for a passphrase, which, if done right, is generally a tougher nut to crack as well as easier to remember. The latter is especially useful if you don’t use password management software, which, somewhat unsurprisingly, has been shown to benefit both password strength and uniqueness. Yes, that passphrase should, of course, be unique for each of your online accounts, as recycling your passwords across various services is tantamount to asking for trouble.

You may also want to watch out for password leaks. There are a number of services these days where you can check if your login credentials may have been caught up in a known breach. Some of them even offer you the option to sign up for alerts if your login information is compromised in a breach.

In fact, as ours is an era where login data are compromised by the millions, why settle for one line of defence if you can have two? At the risk of repeating ourselves, two-factor authentication is a highly valuable way to add an additional layer of security to online accounts on top of your password.

About the author

Tomas Foltyn is a security writer at Eset, a global IT and cyber security solutions provider.