The Top Ten Most Common Passwords of 2020

As we approach the end of the calendar year, NordPass has released their list of the 200 most common passwords of 2020.

While there are a number of the usual suspects listed, senha (Portuguese for password) and picture1 were new entries on the list, and 2019’s worst password, 12345, came in 8th this year. You can also sort by password categories including names, numbers, swear words and entertainment. The entertainment list was especially interesting, showing that superman, pokemon, naruto and blink182 were quite popular in 2020.

2020’s Top 10 Common Passwords

  1. 123456 – 2.5M+ users
  2. 123456789 – 960K+ users
  3. picture1 – 371K+ users
  4. password – 360K+ users
  5. 12345678 – 322K+ users
  6. 111111 – 230K+ users
  7. 123123 – 189K+ users
  8. 12345 – 188K+ users
  9. 1234567890 – 171K+ users
  10. senha – 167K+ users

The full list is available here and shares the risers/fallers, how many times the password was exposed and used, and how much time it would take to crack it. So what can you do to strengthen your credentials for the New Year? Senior Cybersecurity Analyst Stephen Bish recently shared password security tips in this short video:


In addition, our cybersecurity team has shared best practices for creating secure passwords and password management below.

Avoid Bad Passwords

The first step is simple: stop using passwords that are commonly guessed, including sports teams, regional terms, company names, seasons or variations of the word password (e.g. [email protected]). While these are not as egregious as the ones in the top ten list, they are just as susceptible and easy for many threat actors to guess. And if you saw your password in this article or on the full list, change it immediately.
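One way a sign-up form or password audit can enforce this advice, as an added example that is not part of the original article: it rejects the ten passwords listed above and simple variations (case changes, character substitutions, appended digits or symbols) of guessable words. The base-word sample, the substitution table and the function names are assumptions made for illustration.

```python
import re

# The ten passwords listed in this article (NordPass 2020 top ten).
TOP_TEN_2020 = {
    "123456", "123456789", "picture1", "password", "12345678",
    "111111", "123123", "12345", "1234567890", "senha",
}

# Constructed sample of guessable base words of the kinds the article names
# (season, sports team, company name); a real deployment loads its own list.
SAMPLE_BASE_WORDS = {"password", "senha", "winter", "steelers", "acme"}

# Common character substitutions undone before comparison (assumed set).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def variants(candidate):
    """Return normalized forms of the candidate to compare with base words."""
    lowered = candidate.lower()
    # Drop appended digits/symbols: "winter2020!" -> "winter".
    stem = re.sub(r"[\d\W_]+$", "", lowered)
    # Undo substitutions on both forms so "st33l3r5" still maps to "steelers".
    return {lowered.translate(LEET), stem.translate(LEET)}


def rejection_reason(candidate):
    """Return why the candidate is rejected, or None if no rule matched."""
    if candidate.lower() in TOP_TEN_2020:
        return "listed in the 2020 top ten"
    hits = variants(candidate) & SAMPLE_BASE_WORDS
    if hits:
        return f"variation of the guessable word '{sorted(hits)[0]}'"
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["123456", "P@ssw0rd", "Winter2020!", "st33l3r5",
               "maple-ferry-quiet-lantern"]:
        print(f"{pw!r}: {rejection_reason(pw) or 'no rule matched'}")
```

A `None` result only means no rule here matched; it is not a measure of strength.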

Create Passphrases

Look beyond password criteria such as length, numbers and special characters. Think about something unique to you that only you would know. We like to say think about passwords as passphrases. Put together random words from a personal story or memory. If you string along several small words, this helps to increase password complexity and should meet most length requirements. Remember, a secure password isn’t secure just because it meets a site’s requirements. It’s secure if it’s something only you would know.

Password Manager Solutions

We know how hard it can be to remember all of your passwords, especially with the vast amount of unique requirements from different sites. One option is to use password management software, which essentially acts as a master lock for all of your passwords. Password managers not only add a layer of convenience to password security, but many help you create strong passwords with stringent requirements. Many password management software providers, such as LastPass and 1Password, offer options for personal and enterprise security needs.

P.S. – writing passwords on paper is not a password management solution…

Use Different Passwords

If you are not using a password manager, having unique passwords for accounts is an absolute must. One of the first things threat actors do when stealing passwords is see where else they work. In this technique, known as credential stuffing, attackers see how many accounts they can compromise with stolen credentials to increase their earning potential. Take a moment to think about how many of your accounts are protected by the same password and username/email address, and chances are you can see the potential damage of having one password.

Update Security Questions

Security questions are a common part of account protection at this point, but with the growing digital footprint left through social media and search engines, they can be easy targets for threat actors. Think about some of the most common questions asked and where the answers can be found:

  • Birthday – Social media, public records
  • Where did you and your spouse meet – Social media, wedding registry sites
  • What high school did you go to – Social media, public record, alumni associations
  • What was your first job – Social media, professional biographies

Pretty concerning, right? Remember to treat the answers to these questions as you would a password and update them frequently.

Multi-Factor Authentication

With the reality that passwords will get compromised, implementing supporting authentication controls is an important step in all security programs. Since moving to remote accommodations, many of us are used to multi-factor authentication through mobile apps, texts or receivers, which require you to enter your password to receive a temporary code to log in.

Monitor Breaches

Just because somebody has your credentials doesn’t mean they use them immediately. In many cases, data breaches occur and account owners are notified through email months later. Capital One, Yahoo, Equifax and Intel are just a few of the major companies that experienced breaches over the last year resulting in personal data theft.

So what happens if you find out you are part of a data breach? Hopefully you are implementing password best practices outlined in this article, but if not, change your password immediately on other sites that are using the same one or a variation of the compromised credentials. We also recommend using a rapid breach alert service such as, which sends you an email alert if they find your email address tied to any breaches as they become known.

Remember, the New Year marks an opportunity to remind your end users of the importance of password security to keep both their personal information and your organization secure against the growing threat landscape of today and tomorrow.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit or contact the team at [email protected].

If you suspect or are experiencing a network incident, our Incident Response Team is available 24x7x365 at 1-800-993-8937.


Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2021 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
