• The list for the most common passwords in 2020 is out, released by cybersecurity firm NordPass. The three most common passwords of 2020 are 12345, 123456789 and picture1.  
  • Weak passwords continue to be a security issue. According to Verizon, compromised passwords are responsible for 81 percent of hacking-related data breaches
  • To strengthen password security, consumers should change their password to a passphrase, never reuse a password (consider a password manager), use two-factor authentication when possible and never use work passwords at home (and vice versa). 
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notifiedTM
  • For more information on how to upgrade your password, contact the ITRC toll-free at 888.400.5530 or by live-chat on the company website.  

Subscribe to the Weekly Breach Breakdown Podcast  

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our  Weekly Breach Breakdown Podcast. This week, we will look at one of the behaviors that are increasingly at the foundation of many, if not most, data compromises in 2020: weak passwords

Why Passwords are Important 

As ITRC Chief Operating Officer James Lee mentions in the podcast, like the Porter outside Macbeth’s castle, passwords are designed to allow entry to our personal and work castles. Passwords protect the devices that are home to the applications and data we use and create.  

Passwords in the 1980s and 1990s 

People have been protecting passwords since the 1980s. The first passwords were simple, and most people only needed one. Maybe the password was assigned to someone at work, so they used the same one at home; that is if there was a computer at home. People were told never to write down their password.  

Then came the internet in the mid-1990s, and suddenly there was a need for more passwords. People needed a password for their AOL or Earthlink account. Eventually, people had to add passwords to the handful of other online accounts they created. However, most people probably just used the same word or set of numbers that was their device login password. 

Passwords Today 

Fast forward to today, according to cybersecurity firm NordPass, the average person now has to manage a staggering 100 passwords, up 25 percent from 2019. The rise is due, in part, to the increase in online transactions during 2020 related to COVID-19.  

Most Common Passwords 

NordPass also publishes an annual list of the most common passwords, which also corresponds with the passwords cracked most often by professional data thieves. Here are the top 10 most common passwords of 2020 and how long it takes a cybercriminal to crack the password: 

  1. 12345 (takes less than one second to break) 
  1. 123456789 (takes less than one second to break) 
  1. picture1 (takes up to three hours to crack) 
  1. password ( takes less than one second to break) 
  1. 12345678 (takes less than one second to break) 
  1. 111111 (takes less than one second to break) 
  1. 123123 (takes less than one second to break) 
  1. 12345 (takes less than one second to break) 
  1. 1234567890 (takes less than a second to break) 
  1. Senha (the Portuguese word for password; takes 10 seconds to break) 

The Dangers of Weak Passwords 

Weak passwords allow cybercriminals to access systems and accounts easily. People use weak passwords because there are so many to remember, which also prompts people to use the same weak passwords on multiple accounts and use them at work and home. 

Here are a few statistics from earlier in 2020: 

What You Can Do to Avoid Weak Passwords 

The good news is that people can do many things to make sure they have strong passwords that will keep their accounts secure. Here are some tips: 

  • Change your password to a passphrase. Use a passphrase like a movie quote, a song lyric, or a favorite book title that is easy to remember and at least 12 characters long. It would take a cybercriminal 300 years to crack a 12-character passphrase with upper and lower case letters. If you add a number, the passphrase will last 2,000 years.  
  • Never reuse your passwords, or passphrases since you just upgraded, right? If you have too many passwords to remember, use a password manager. If you want a free solution, many browsers offer a form of a built-in password manager. Safari and Firefox are two examples. 
  • Use two-factor authentication when it’s available. An authentication app like those offered by Microsoft and Google is best. However, even the two-factor authentication version that sends a code to you by text is better than no multi-factor authentication. 
  • Never use your work password at home, or vice versa. Stolen work credentials are one way cybercriminals use to get the access they need to launch ransomware attacks against companies.  


For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC  

If you have questions about how to upgrade your password to protect your information from data breaches and exposures, visit www.idtheftcenter.org, where you will find helpful tips on this and many other topics. If you think you have already been the victim of an identity crime or a data breach and you need help figuring out what to do next, contact us. You can speak with an expert advisor at no-cost by calling 888.400.5530 or chat live on the web. Just visit www.idtheftcenter.org to get started. 

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.