The worst passwords of 2020 and how to secure your accounts

Passwords are one of the most vital defenses that stand between your data and cybercriminals.

Passwords are one of the most vital defenses that stand between your data and cybercriminals. A well-thought-out password dramatically reduces the risk of data breaches, while a weak one lets hackers easily infiltrate critical systems. Sadly, many Australians still use the latter. A government report found that 133 data breach incidents in early 2020 resulted from compromised login credentials.

What’s even worse is that millions of people are still using simple and generic passwords for multiple logins. The worst passwords in 2015, such as ‘123456’ and ‘password’, continue to be the most popular options among the most careless computer users today.

Here’s a condensed list of the most frequently used (and therefore weakest) passwords of 2020:

  1. 123456
  2. picture1
  3. password
  4. 111111
  5. 123123
  6. senha
  7. qwerty
  8. abc123
  9. Million2
  10. iloveyou

What’s wrong with these passwords?

Passwords are meant to be unique sequences that only one user should know. Therefore, using a sequence that’s used by several others defeats the intended purpose of a password. Not only that, but passwords like ‘123456’ and ‘password’ can be guessed in less than a second. In fact, when cybercriminals attempt to break into an account, they’ll attempt to log in with these passwords first. The most popular password, ‘123456’, has actually been breached over 23 million times, so there’s no reason why you should ever use it.

Even combining popular passwords won’t give hackers the slip, as Western Australian Government officials learned. A security audit found that 1,464 people protected their accounts with ‘Password123’, which hardly poses a challenge for cybercriminals.  

Hackers also utilise brute force cracking software that essentially tries every leaked or stolen password-username combination until it guesses the correct one. Adding numbers, special characters, and uppercase letters may make a password more complex, but they’re not enough to slow down cracking software. Even though passwords like Million2 and picture1 are less common, they can still be cracked within three hours. That’s because the shorter a password is, the faster hackers can compromise it with brute force.

Password best practices

It goes without saying that if you currently use any of the passwords on the aforementioned list, you need to change them immediately. There are a few golden rules you must follow to properly protect your accounts:

1. Consider ‘passphrases’ instead of passwords

Passwords must be strong and hard to guess. The best way to accomplish this is to set long ‘passphrases’, so that hackers don’t easily stumble into your accounts. Even with powerful computers and brute force software, hackers can take 48,000 years to crack a 12-character password. This means aiming for passwords that are 16 to 20 characters long will make your accounts extremely challenging to hack.    

Of course, it’s important that the passphrase itself should be unique. Frequently iterated phrases like ‘iloveyou’ take mere seconds to crack, but a phrase with a random combination of words is far stronger. For example, nonsense passphrases like ‘chocolate_anthology_rugby’ can take millennia for hackers to compromise. You should also increase the complexity of your long passphrases by including numbers, special symbols, and upper- and lowercase letters.  

2. Never reuse passwords across accounts

Recycling the same passwords over and over again is one of the biggest security offences you can make. If hackers manage to compromise one set of passwords, they’ll be able to break into other accounts tied to those login credentials. This is known as credential stuffing, and it’s what led to over 500,000 compromised Zoom accounts in 2020. Setting passwords unique to each account is the only way to prevent these types of breaches.

3. Use password managers

If remembering dozens of long and complex passwords is too difficult, password managers like 1Password and Dashlane are vital. These keep all passwords for each of your accounts locked in a secure password-protected vault. This way, you only have to remember one master password to log into your accounts. Plus, password managers can generate strong passwords on the fly, saving you time when you need to reset passwords every year.  

4. Don’t disclose your password to others

Under no circumstances should you share your password to anybody. This includes coworkers, friends, and certainly not to people who ask for it via an unsolicited email. It’s also a bad idea to write down your password on a sticky note or on a document in your computer.  

5. Enable multifactor authentication

While a strong password can prevent cyberattacks, you shouldn’t solely rely on them to protect your accounts. If hackers manage to crack your password or trick you into sharing it, they’ll have complete access to your data. However, by adding more identity verification steps in the login process, you can make hackers’ lives much more difficult.

Multifactor authentication (MFA) requests for more than one set of login credentials before users can access their account. Other types of login credentials include facial recognition, fingerprint scans, and temporary codes generated by an authenticator app. With MFA enabled, hackers won’t be able to infiltrate your accounts unless they have access to your password, biometric data, or device.


Subscribe to our newsletter now!

Thanks for joining our newsletter.
Oops! Something went wrong.