Security awareness

Worst passwords of the decade: A historical analysis

Christine McKenzie
March 15, 2021 by
Christine McKenzie

Cybersecurity breaches are on the rise, so it’s perplexing that so many people continue to use the same basic passwords. Perhaps it’s the exhaustion of having to remember dozens of unique passwords? Whatever the reason, using a “bad” password won’t keep the bad guys out. 

In an effort to raise awareness about the dangers of poor account security, password manager NordPass released an exhaustive list of the 100 worst passwords of the year. Curious cybersecurity minds might also be wondering, “exactly how much has password security changed in the last 10 years?” We’ve got an answer for you! 

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

What’s a “bad” password? 

So, what makes a password bad? There are a couple of things that cybersecurity experts recommend avoiding when creating a password: 

  • Passwords that are easily guessable, like “password,” “user” or your username
  • Passwords based on words found in the dictionary 
  • Passwords made from adjacent keyboard combinations, like “123456,” “qwerty” or “asdfghj” 
  • Passwords that are less than eight characters in length (short passwords are way easier to crack via brute force methods) 
  • Passwords that have been re-used across multiple sites 

Now that we have an idea of what constitutes a weak password, let’s jump into those lists of the worst passwords from the past decade. 

Worst passwords of 2020

The year 2020 is in the rearview mirror, but just like a bad dream, some of the worst passwords of the year are lingering at the dawn of this new decade. And thanks to password management tool NordPass, we can ogle the worst of the bunch and try not to cringe inwardly if we recognize any of them from our own password rolodexes. 

Here are the top 20 worst passwords of 2020 (if you’d like to view all 100, check out the NordPass list): 

  1. 123456
  2. 123456789
  3. picture1
  4. password
  5. 12345678
  6. 111111
  7. 123123
  8. 12345
  9. 1234567890
  10. Senha
  11. 1234567
  12. qwerty
  13. abc123
  14. Million2
  15. 000000
  16. 1234
  17. iloveyou
  18. aaron431
  19. password1
  20. qqww1122

Notice any patterns? Lots of these passwords are based on adjacent keyword sequences like “1234567” and “qwerty.” Others are obvious (“password”) or dictionary words (“million” and “picture”). None contain special characters, and most are shorter than the recommended 10 character minimum. In fact, many of the items on this password list would take a hacker less than one second to crack. That means in less time than it takes for you to read this sentence, someone would have broken into your account. Yikes! 

So, how do 2020’s worst passwords stack up against the worst of 2011? 

Time capsule: Worst passwords of 2011

Let’s step back in time for a moment. A lot has happened in the world since 2011 — especially in the world of cybersecurity. In the last decade, major organizations like Target, Equifax and the Democratic National Convention (DNC) have lost millions of log-in credentials and billions of pieces of sensitive user-data including names, social security numbers, credit card numbers, and private email conversations. We’ve also seen a dramatic rise in the number of reported data breaches. While in 2010 just over 660 breaches were recorded, that number rose to 1,500 in 2019. 

In light of that, we should expect today’s passwords to be much stronger than they were a decade ago, right? Not so fast. Take a look at the worst password list of 2011, according to a report by SplashData

  1. password
  2. 123456
  3. 12345678
  4. qwerty
  5. abc123
  6. monkey
  7. 1234567
  8. letmein
  9. trustno1
  10. dragon
  11. baseball
  12. 111111
  13. iloveyou
  14. master
  15. sunshine
  16. ashley
  17. bailey
  18. passw0rd
  19. shadow
  20. 123123
  21. 654321
  22. superman
  23. qazwsx
  24. michael
  25. Football

What changed? 

If you’re asking yourself that question, you may be surprised to learn that the decade’s most common passwords haven’t changed as much as you might have expected. In fact, the lists share more than one overlap, although ranks have shifted around a bit. 

  • The password “Password” went from #1 in 2011 to #4 in 2020, and “123456” rose in the ranks from #2 in 2011 to #1 in 2020. The ever-popular “qwerty” has dropped from #4 in 2011 to #12.
  • Random names are still a thing in 2020, but different names — while Ashley (#16), Bailey (#17), and Michael (#24) reigned supreme in 2011, they’ve given up the crown to Aaron (#18) in 2020.
  • In general, 2020 passwords appear to utilize more number and letter sequences, whereas in 2011, names and dictionary words (football, superman, dragon, sunshine) were more popular. 

What stayed the same?

A handful of the passwords that gained notoriety in 2011 are stubbornly clinging to the password list in 2020. These include 111111, 123456, 123123, password and qwerty. Despite having a decade to take them out of rotation, many users opted to keep using these common passwords. Why? The answer most likely lies with a phenomenon called password fatigue

In a nutshell, password fatigue describes the frustration and exhaustion of having to memorize dozens of different passwords for a whole range of accounts, from email clients to banking apps. One of the side effects of password fatigue is that people, understandably, get lazy. They reuse the same common passwords over and over again. They fall back on the same basic, easy-to-remember passwords like “password.” While that alleviates the daily frustration of password fatigue, it leaves accounts wide-open to attackers. 

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Future of passwords

Passwords have been a staple of account security for years, but some cybersecurity experts are looking ahead to a passwordless future. Password fatigue is real, and hackers are getting better at guessing, cracking and stealing passwords. In the coming years, we may see passwords replaced by newer, sleeker passwordless systems like Web Authentication and Client to Authenticator Protocol (CTAP). But in the meantime, it’s recommended that you stick to password best practices when securing your accounts.

Was your password on the list? If it was, don’t be embarrassed — you’re obviously not alone! Instead, take this as a wake-up call that your password isn’t actually as secure as you once thought it was. Take this opportunity to update your passwords to something harder to crack, or better yet, invest in a password manager like LastPass or Dashlane. Make 2021 the year you kiss your old password goodbye, and ring in the new decade with safety, security and peace of mind.


Christine McKenzie
Christine McKenzie

Christine McKenzie is a professional writer with a Master of Science in International Relations. She enjoys writing about career and professional development topics in the Information Security discipline. She has also produced academic research about the influence of disruptive Information and Communication Technologies on human rights in China. Previously, she was a university Career Advisor where she worked extensively with students in the Information Technology and Computer Programming fields.