Banish these common passwords now and employ these tips for better password security.
![CSO > Password elimination [conceptual password security lock in a trash bin]](https://www.csoonline.com/wp-content/uploads/2023/06/cso_password_elimination_abstract_passwords_by_bluebay2014_gettyimages-924698706_trashed_security_lock_in_garbage_can_by_porcorex_gettyimages-916512456_2400x1600-100798132-orig.jpg?quality=50&strip=all&w=1024)
Pop quiz: What has been the most popular (and therefore least secure) password every year since 2013? If you answered "password," you'd be close. "Qwerty" is another contender for the dubious distinction, but the champion is the most basic, obvious password imaginable: "123456."
Yes, tons of people still use "123456" as a password, according to NordPass's 200 most common passwords of the year for 2020, which is based on analysis of passwords exposed by data breaches. The six-digit sequence has also ranked high on other lists over the years; SplashData, which has come up with lists using similar methodology, found "123456" in second place in 2011 and 2012; it then jumped up to number one, where it stayed every year right through 2019.
Plenty of other epically insecure passwords continue to make the annual password hall of shame, including the aforementioned "password" (always in the top five, and No. 1 in 2011 and 2012); "qwerty" (always in the top ten); and a slightly longer variation of the reigning champ, "12345678" (always in the top six).
10 most common passwords of 2020
These are the 10 most frequently used and worst passwords of 2020, according to NordPass's most common passwords list:
- 123456
- 123456789
- picture1
- password
- 12345678
- 111111
- 123123
- 12345
- 1234567890
- senha
Other worst-password lists, like SplashData's and those from the U.K.'s National Cyber Security Centre, are mostly consistent. Easily guessed number sequences, and "words" made up of letters immediately adjacent to one another on a standard QWERTY keyboard, are always popular; so is the phrase "iloveyou," because we are a species of hopeless romantics. Another constant cringe-inducing winner is the word "password." On that note, one new addition to NordPass's list this year was "senha," which is Portuguese for (you guessed it) "password." This may reflect Brazil's burgeoning population becoming more connected to the internet, though they're apparently not any more security conscious than English speakers.
Here are the most common passwords for the past three years:
Towards better password security
Businesses are increasing the use of multi-factor authentication (MFA) and single sign-on (SSO) services to bolster security. Nonetheless, too many employees "still have poor password hygiene that weakens the overall security posture of their company," according to the 3rd Annual Global Password Security Report (2019) from LogMeIn.
It's no wonder that many employees have password fatigue, which in turn leads to lax password security. LogMeIn's report finds that users at larger companies (1,001 to 10,000 employees) have on average 25 passwords with which to contend. The problem is more acute for users at small businesses (25 or fewer employees), who have on average 85 passwords to juggle. Employees in the media/advertising industry use the greatest number of passwords (97 on average), compared to 54 passwords per employee in government, the sector with the lowest average number of passwords per employee.
There are three main ways in which passwords are compromised, according to Robert O'Connor, CISO for community banktech provider Neocova and former Deputy Director of Enterprise Information Security at the CIA: guessing (by a human), cracking (by algorithmic brute force), and capturing (by gaining access to somewhere the password has been stored, whether that's a database or a sticky note). Each of the following techniques mitigates one or more of those methods; for instance, passwords containing personal information are easier to guess, and shorter passwords are easier to crack.
Here's what experts say are the problems with enterprise passwords, along with advice for improving password and authentication security.
Require the use of a password manager. Password management applications for business users (such as 1Password, Dashlane and LastPass) are an effective first step toward reducing security risks associated with passwords, notes Dr. David Archer, principal scientist of cryptography and multiparty computation at security research and consulting firm Galois. He recommends having enterprise users leverage password managers to generate and store lengthy passwords with all alphabet options (such as mixed-case letters) turned on. With a password manager in place, users should have only two passwords they need to remember, he adds: the password to the password manager app and the password to the computer account a user logs into every day.
Require the use of multifactor authentication (MFA). MFA factors include what you know (a password), what you have (a device, such as a smartphone), and who you are (a fingerprint or facial recognition scan). Using MFA to require verification, such as a code sent to a mobile device, in addition to the use of strong, unique passwords, can help provide better enterprise protection, says Justin Harvey, global incident response lead at Accenture Security.
Don't let users create passwords with dictionary words. In a brute-force dictionary attack, a criminal uses software that systematically enters every word in a dictionary to figure out a password. To thwart such attacks, many experts recommend against using words that exist in a dictionary.
Length matters, and phrases are longer than words. That said, a longstanding emphasis on weird or "special" characters that aren't found in normal words may be ignoring the bigger picture. Instead, "Length is strength," says Tyler Moffitt, senior security analyst at Webroot. "Longer passwords are much harder to break, cryptographically speaking, than shorter ones even when special characters are involved. A password like 'AN3wPw4u!' is much easier for an automated cryptographic cracker than a password like 'SnowWhiteAndTheSevenDwarves.'"
Steer users away from passwords that include information about them. Don't use the names of a spouse, pet, city of residence, birthplace or any other personally identifiable information in a password, as that information could be deduced from the user's social media accounts. "A hacker is much more likely to guess your 'pet's name + 1234' as your password than they are to figure out that your password is 'D2a5n6fian71eTBa2a5er,'" says Davey. Aleksandr Maklakov, CIO at MacKeeper, suggests using a longer passphrase such as "ImgoingtorunBostonMarathon2022" that is tied to your personal goals but doesn't include easily researched personal info.
Educate users on what makes a strong password. A strong password doesn't appear anywhere else in the public realm (such as in dictionaries), doesn't appear anywhere in private (such as other accounts the user has), and contains enough random characters that it would take an eternity to guess the password, even when using brute-force or rainbow table techniques, says Archer. Cameron Bulanda, a security engineer at Infosec, suggests a live demonstration of the password-cracking process to drive the point home. "While many of these tools could be used for malicious intent, security professionals can use them to produce a real-world example of how adding complexity to passwords protects users from attacks, especially brute force attacks," he says.
Regularly perform password audits. Ideally, your organization should use an authentication system that allows for password audits, says Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center (CyRC). "Look for things like password reuse across employees or use of common words or common words with simple character replacements. If you uncover a weak password, use the event as a learning opportunity for users."
Encourage users to vet their own passwords. There are a number of resources that will allow users to investigate how safe a potential password is before they put it into use. For instance, MacKeeper's Maklakov points to My1Login's Password Strength Test, which tells you how long it would take a typical algorithm to crack your password, or Have I Been Pwned?, which compares your password against a wide database of hacked credentials circulating on the dark web.
Don't villainize mistakes. Create an environment in which employees feel comfortable raising questions or concerns about security, especially if they suspect they may have slipped up, suggests 1Password's Davey. "Don't villainize people," he says, because they may be afraid to tell you when they've made a mistake. "If you know about security issues as they arise, you can act quickly to address the initial threat and take steps to prevent it from happening in the future."
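As an added example (not code from the article, nor from Webroot, Synopsys or any other vendor quoted), the following Python script ties together Moffitt's "length is strength" point and Mackey's audit checklist: it sizes the brute-force keyspace of the two passwords Moffitt contrasts, maps simple character replacements back to the dictionary word they disguise, and flags a password shared by several users. The top-10 list is the article's; the small dictionary, the guess rate of 10 billion guesses per second, and the sample credentials are constructed assumptions.

```python
import re
from collections import defaultdict

# The ten most common passwords of 2020 as listed in the article (NordPass).
COMMON_PASSWORDS = {
    "123456", "123456789", "picture1", "password", "12345678",
    "111111", "123123", "12345", "1234567890", "senha",
}

# Constructed stand-in for a real wordlist; a production audit loads a full one.
DICTIONARY = {"password", "welcome", "summer", "dragon", "football", "iloveyou", "qwerty", "senha"}

# Simple character replacements users apply to sneak a dictionary word past a
# filter; each is mapped back to its letter before the dictionary lookup.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s", "@": "a"})

# Constructed guess rate used for the crack-time estimate (assumption).
GUESSES_PER_SECOND = 10_000_000_000


def normalize(password: str) -> str:
    """Lower-case, drop a trailing run of digits/punctuation, undo leet substitutions."""
    stripped = re.sub(r"[0-9!?.,_\-]+$", "", password)
    return stripped.lower().translate(LEET_MAP)


def guess_space(password: str) -> int:
    """Size of the brute-force keyspace implied by the character classes used."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        alphabet += 33  # printable ASCII symbols
    return alphabet ** len(password)


def crack_seconds(password: str) -> float:
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return guess_space(password) / GUESSES_PER_SECOND


def check_password(password: str) -> list[str]:
    """Return the audit findings for one password (empty list means none)."""
    findings = []
    if password in COMMON_PASSWORDS:
        findings.append("on the most-common-passwords list")
    base = normalize(password)
    if base in DICTIONARY:
        findings.append(f"dictionary word '{base}' with simple replacements")
    if len(password) < 12:
        findings.append(
            f"shorter than 12 characters (exhaustive search ~{crack_seconds(password):.0f}s "
            f"at {GUESSES_PER_SECOND:,} guesses/s)"
        )
    return findings


def audit(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Audit a user->password mapping and also flag passwords shared by several users."""
    report = {user: check_password(pw) for user, pw in credentials.items()}
    by_password = defaultdict(list)
    for user, pw in credentials.items():
        by_password[pw].append(user)
    for users in by_password.values():
        if len(users) > 1:
            for user in users:
                report[user].append(f"reused by {len(users)} users")
    return report


# Constructed sample credentials for the demonstration only.
SAMPLE = {
    "alice": "P@ssw0rd1",
    "bob": "Summer2021!",
    "carol": "123456",
    "dave": "Summer2021!",
    "erin": "SnowWhiteAndTheSevenDwarves",
}

if __name__ == "__main__":
    for user, findings in audit(SAMPLE).items():
        print(user, findings or ["ok"])
```

Note that the keyspace figure is a ceiling, not an estimate of how a real cracker behaves: a passphrase built from dictionary words falls faster to a wordlist attack than its character-class keyspace suggests, which is why the dictionary check runs alongside the length check rather than instead of it.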
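The Have I Been Pwned "Pwned Passwords" lookup mentioned above works without sending the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, and receives every hash suffix in that range with a breach count, matching the rest locally. The script below is an added example of that client-side half (not code from the article or from Have I Been Pwned); it replaces the network call with a constructed in-memory table so that it runs offline. The range endpoint URL is the published one; the neighbouring suffixes and the breach count are constructed values.

```python
import hashlib

# Published Pwned Passwords range endpoint (the demo never contacts it).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Hash the password and split the upper-case hex digest into the
    5-character prefix that is sent and the 35-character suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines from a range response into a suffix->count map."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the breach corpus, or 0.
    fetch_range(prefix) returns the response body for that prefix, or None."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = fetch_range(prefix)
    if body is None:
        return 0
    return parse_range_response(body).get(suffix, 0)


# Constructed offline stand-in for the API: one range holding the real suffix
# of "password" with a made-up count, plus two made-up neighbouring suffixes.
_PW_PREFIX, _PW_SUFFIX = sha1_prefix_suffix("password")
CONSTRUCTED_RANGES = {
    _PW_PREFIX: "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        f"{_PW_SUFFIX}:3861493",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
    ])
}


def offline_fetch_range(prefix: str):
    """Stand-in for an HTTP GET of RANGE_URL + prefix."""
    return CONSTRUCTED_RANGES.get(prefix)


def is_known_breached(password: str, fetch_range=offline_fetch_range) -> bool:
    return breach_count(password, fetch_range) > 0


if __name__ == "__main__":
    for candidate in ("password", "SnowWhiteAndTheSevenDwarves"):
        print(candidate, "->", breach_count(candidate, offline_fetch_range), "breach occurrences")
```

To use it against the live service, replace `offline_fetch_range` with a function that performs an HTTPS GET of `RANGE_URL + prefix` and returns the response body; the password and its full hash never leave the client either way.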
One final note: the "traditional" password wisdom is evolving, and many pieces of advice formerly taken for granted are now considered flawed or passé. For instance, the most recent version of NIST's password guidelines, widely considered the gold standard in this area, advises against the common practice of forcing users to reset their password regularly, as it's burdensome for users to come up with multiple high-quality passwords, and many end up changing their previous passwords in predictable ways, by just swapping in dollar signs for the letter S, for instance.
NIST also recommends giving users the option to make passwords visible as they're being entered; this makes users more likely to come up with longer and more complex passwords, which more than balances out the chance that someone nefarious might read the password over the user's shoulder. The overall lesson is that your password policies need to evolve, just like the rest of your security program. That doesn't mean you were doing it wrong, just that you operate in a dynamic and fast-moving industry!
Editor's note: This article, originally published in 2020, has been updated to more accurately reflect recent trends.