2020 Passwords: More Dumpster Fires

I’ve discussed the need for good passwords, a strong password manager, and 2-factor authentication a lot here.

That’s because these are some of the easiest steps anyone can take to dramatically improve their online security and reduce their vulnerability to data breaches or other online hacks.

It looks like not everyone has gotten this memo, though.

2020 Top Passwords

NordPass, which is a password manager similar to LastPass, released a list of the top 200 passwords of 2020.

These passwords were collected from data breaches and compiled from a database of over 275 million passwords. While I’m not exactly sure where all these passwords came from, my best guess is that this database has quite a bit in common with the one I covered here.

In both databases, the most common password – by far – was “123456”.

Interestingly, the NordPass database has some passwords that look strong in the top 200.

Passwords like “1q2w3e4r”, “Bangbang123”, “ohmnamah23”, “1q2w3e4r5t” and “x4ivygA51F” look relatively okay at first glance: they mix letters and numbers, they are long, and they are not dictionary words.

Due to the predictability of these passwords, though, they are actually quite weak. Any password-cracking tool will cycle through the most common passwords before it bothers with a real brute-force attempt. Since these are common enough to make this list, they are essentially useless.

One interesting thing to note, though:

Of the passwords I mentioned in the above paragraph, “x4ivygA51F” and “ohmnamah23” would take the longest to guess. The combination of length, character variety, and randomness gives a “brute force” time of about 12 days. These look like they were created by some sort of password generator, but since they are not actually random (the “x4” password had over 18,000 occurrences in this sample database), they only give the appearance of randomness.

The other, less random passwords have a much shorter brute-force time: 2 days for “Bangbang123” and mere seconds for the two beginning with “1q”.

This is why it’s important to use randomly generated passwords and not reuse them between sites. And it’s especially important to make sure your passwords aren’t on a list of common passwords!
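To make the point concrete, here is an added example (my own code, not from the post or from NordPass) that puts the two views side by side. The naive estimate is the one a “looks strong” judgement rests on: alphabet size raised to the password length, divided by an assumed guess rate. The second view is a membership check against a leaked-password list, done the way k-anonymity lookups such as the Pwned Passwords “range” scheme work: only the first five hex characters of the SHA-1 hash identify a bucket, and the suffix is matched locally. The list, the occurrence counts (apart from the post’s figure of over 18,000 for “x4ivygA51F”) and the 10^10 guesses-per-second rate are all constructed for the example, so the times will not match the post’s numbers; the naive estimate also deliberately ignores dictionary words and keyboard walks, which is why it rates “Bangbang123” and the “1q…” passwords higher than the post’s tool does. What it does show is that being on the list makes the keyspace number irrelevant, and that a CSPRNG-generated password is the way to stay off it.

```python
import hashlib
import secrets
import string

# Constructed sample standing in for a leaked-password list such as the
# NordPass top-200 the post discusses. The passwords are the ones the post
# names; the counts are made up for the example, except that the post
# reports "x4ivygA51F" appearing over 18,000 times.
COMMON_PASSWORDS = {
    "123456": 2_500_000,
    "1q2w3e4r": 300_000,
    "1q2w3e4r5t": 150_000,
    "Bangbang123": 50_000,
    "ohmnamah23": 30_000,
    "x4ivygA51F": 18_000,
}

# Assumed offline cracking rate for the naive estimate (hypothetical figure).
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes actually present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def naive_bruteforce_seconds(password: str) -> float:
    """Seconds to exhaust the full keyspace for this length and alphabet.
    This is what a 'looks strong' verdict is based on; it knows nothing
    about whether the password already sits on a leaked list."""
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND


def build_range_index(leaked: dict) -> dict:
    """Index leaked passwords by the first 5 hex chars of their SHA-1 hash,
    the way k-anonymity range lookups expose them. Each bucket maps the
    remaining 35-char hash suffix to an occurrence count."""
    index = {}
    for pw, count in leaked.items():
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


def leaked_count(password: str, index: dict) -> int:
    """Fetch the bucket for the hash prefix, then match the suffix locally,
    so neither the password nor its full hash leaves the client."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return index.get(digest[:5], {}).get(digest[5:], 0)


def assess(password: str, index: dict) -> dict:
    """Combine both views: a password on the leaked list is treated as
    cracked within the first few guesses, however large its keyspace."""
    count = leaked_count(password, index)
    naive = naive_bruteforce_seconds(password)
    return {
        "naive_seconds": naive,
        "leaked_count": count,
        "effective_seconds": 0.0 if count else naive,
        "verdict": "on a common-password list: useless" if count
                   else "not on the list: keyspace estimate applies",
    }


def generate_password(length: int = 16) -> str:
    """What the post recommends instead: characters drawn independently
    from a CSPRNG, so no dictionary or pattern shortcut applies."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    idx = build_range_index(COMMON_PASSWORDS)
    for pw in ["123456", "1q2w3e4r", "Bangbang123", "x4ivygA51F", generate_password()]:
        r = assess(pw, idx)
        print(f"{pw!r:22} naive={r['naive_seconds']:.3g}s "
              f"leaked={r['leaked_count']:>9} -> {r['verdict']}")
```

Run as a script it prints one line per password; “x4ivygA51F” gets a naive estimate of years at this guess rate and is still marked useless because the hash lookup finds it. A password manager or a sign-up form can run exactly this prefix-bucket check against a real breach corpus without ever transmitting the password itself.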

2021 Password Best Practices

If you haven’t done a 2021 security audit, take an afternoon and look through your accounts, sign up for 2FA everywhere you can, get a password manager and let it create (and remember) your passwords from now on.

It will take a little bit of time up-front, but put on Netflix and get to work! This way whenever the next big data breach comes, you won’t be caught with 20 account passwords to change at once.