Online password '123456' more popular than ever and easy to crack

People are still using the most basic of internet passwords that can be easily cracked, according to a database analysis by password manager NordPass.

Maker of password manager app details worst passwords of 2020

Password manager NordPass says using simple words out of the dictionary or number combinations make passwords too easy to crack. (Brittany Spencer/CBC)

People are still using the most basic of internet passwords that can be easily cracked, according to a database analysis by password manager NordPass.

Its list of the 200 most common passwords for online accounts in 2020 was released after a review of nearly 275.7 million passwords.

Coming in first was "123456," used by 2.5 million people, after landing in second place last year. NordPass said it has been breached more than 23.5 million times.

The data shows many people stubbornly cling to using weak passwords, even though they're the worst in terms of security.

For example, the slightly shorter password "12345" was in first place last year but was still considered acceptable to more than 188,000 users to take eighth place on this year's list. Both variations of the number sequence could be cracked in less than a second.

NordPass said fewer than half of the passwords (78 of them) are new to the 2020 list.

The research shows people use simple and easy-to-remember passwords due to convenience. They also like categories, such as swear words, numbers, names and food.

Numbers and more numbers

A string of numbers beginning with "1" — with users merely adding numbers to the sequence — accounted for five of the 10 most popular, or "worst," passwords. 

Also in the top 10 was "111111," the sixth most commonly used password in the analysis, up from 17th spot last year. The number "123123" was in seventh place, up from 18th place.

As for words, a new password, "picture1" joined the list of common passwords, ending up in third place. In fourth place was "password." In the 10th spot was "senha," which is new to the list and means password in Portuguese.

The password "1234567" was next in line, followed in 12th place by the ever-popular qwerty, named for the first six letters on the keyboard starting from the left and on the top row.

The top 10 passwords could be cracked in 10 seconds or less, while "picture1" could be cracked in three hours. NordPass didn't explain how it did the analysis. CBC News has reached out to NordPass asking about its methodology.

Here are the top 15 passwords, with the full list here:

  • 123456
  • 123456789
  • picture1
  • password
  • 12345678
  • 111111
  • 123123
  • 12345
  • 1234567890
  • senha
  • 1234567
  • qwerty
  • abc123
  • Million2
  • 000000

NordPass said if you're not using a password manager, you should create a unique one for each account and make them long — don't settle for anything shorter than 12 characters, and use a mix of upper- and lowercase letters, numbers and symbols. It said you should change your passwords at least every 90 days.


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversation  Create account

Already have an account?