The worst passwords of 2019: Did yours make the list?

Tomas Foltyn, Security Writer at ESET
Tomas Foltyn, Security Writer at ESET.
5 years ago

Year after year, analyses show that millions of people make, to put it mildly, questionable choices when it comes to the passwords they use to protect their accounts. And fresh statistics for the year that is drawing to a close confirm that bad habits do die hard and many people willingly put themselves in the firing line of account-takeover attacks.

Drawing on an analysis of a total of 500 million passwords that were leaked in various data breaches in 2019, NordPass found that ‘12345’, ‘123456’ and ‘123456789’ reigned supreme in order of frequency. Between them, these numerical strings were used to ‘secure’ a total of 6.3 million accounts. It doesn’t get much more optimistic further down the list, however, as these three choices were followed by ‘test1’ and, the one and only, ‘password’.

Somewhat predictably, the chart is overall replete with many usual suspects among the most common passwords: think ‘asdf’, ‘qwerty’, ‘iloveyou’ and various other stalwart choices. Other supremely hackable passwords, including simple numerical strings, common names, and rows of keys, also abound. Much the same picture is painted annually by SplashData’s lists of the most-used passwords, such as last yearthe year before that, and so on.

The entire list of the 200 most popular passwords is available in NordPass’ blog post, but here’s at least the top 25. Let that sink in.

Rank Password
1 12345
2 123456
3 123456789
4 test1
5 password
6 12345678
7 zinch
8 g_czechout
9 asdf
10 qwerty
11 1234567890
12 1234567
13 Aa123456.
14 iloveyou
15 1234
16 abc123
17 111111
18 123123
19 dubsmash
20 test
21 princess
22 qwertyuiop
23 sunshine
24 BvtTest123
25 11111

Eerily familiar?

If you recognise any of the above as your own, then fixing your passwords is almost certainly one of the things that deserve a place on your laundry list of New Year’s resolutions. For starters, fixing here means not having the exact same idea as millions of other people when you’re signing up to a service and are asked to create your password.

One way to go about this is opt for a passphrase, which, if done right, is generally a tougher nut to crack as well as easier to remember. The latter is especially useful if you don’t use password management software, which, somewhat unsurprisingly, has been shown to benefit both password strength and uniqueness. Yes, that passphrase should, of course, be unique for each of your online accounts, as recycling your passwords across various services is tantamount to asking for trouble.

You may also want to watch out for password leaks. There are a number of services these days where you can check if your login credentials may have been caught up in a known breach. Some of them even offer you the option to sign up for alerts if your login information is compromised in a breach.

In fact, as ours is an era where login data are compromised by the millions, why settle for one line of defence if you can have two? At the risk of repeating ourselves, two-factor authentication is a highly valuable way to add an additional layer of security to online accounts on top of your password.

By Tomas Foltyn, Security Writer at ESET

Don't Miss

ESET Named Strategic Leader in EPR Comparative Report 2024

ESET has been rigorously tested and named a Strategic Leader in the AV-Comparatives

ESET Research discovers NGate: Android malware, which relays NFC traffic to steal victim’s cash from ATMs

ESET researchers discovered a crimeware campaign targeting clients of three Czech banks