The 'worst' passwords of 2020 unveiled — see if yours is one of them

Passwords written on colored Post-It notes and stuck to a laptop screen.
(Image credit: designer491/Shutterstock)

It's getting near the end of 2020, which means it's time for information-security companies to release their "worst passwords of the year" lists. The first contender comes from NordPass, the password-management arm of NordVPN, and some familiar entries top that list.

The most common password of 2020, declares NordPass, is the succinct "123456," with some 2.5 million instances in NordPass's sample data set. The second, trailing far behind with a mere 961,000 instances, is the somewhat more complicated "123456789." The venerable "12345", of "Spaceballs" fame, doesn't even appear until No. 8. 

Needless to say, those passwords won't protect your accounts. For real password security, you have to make sure all your valuable passwords (those protecting social-media, banking, email or shopping accounts) are long and complex, to never reuse passwords for sensitive accounts, and to use one of the best password managers.

We're not sure how seriously to take NordPass' password findings because the firm wasn't terribly transparent about its methodology. The NordPass press release said only that the list "was compiled in partnership with a third-party provider, which evaluated a database that contained 275,699,516 passwords in total." 

We've asked NordPass who that third-party provider might be, where the database came from and how old the data set is, and will update this story when we receive a reply. The fact that "myspace1" is No. 80 indicates that some samples might be rather old, and there seems to be some overlap with a "dump" earlier this year of 33.7 million passwords stolen from LiveJournal in 2014.

Anyhow, there are 200 "worst" passwords ranked by number of appearances in the data set, and you can view the list of terrible passwords on NordPass's website. Almost all the recognizable words are in English, which makes us wonder how universal the list really is. Many others are numerical strings or the result of typing adjacent keys on a QWERTY keyboard.

The top-ranking non-English word is No. 10, "senha," which one of our co-workers pointed out is Portuguese for "password." The English word "password" is No. 4. 

The most inexplicable entries are "aaron431" at No. 18, "ohmnamah23" at No. 62 (possibly a Hindu invocation) and "a801016" at No. 138. (Urban Dictionary tells us that "anhyeuem," at No. 102, is one form of "I love you" in Vietnamese.) 

At least those would be a little harder to guess, or "crack" using computer algorithms, than the rest of the "worst" 200 entries. If you know what any of them might signify, drop us a line in the comments.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.