top of page
  • Admin

We're Still Creating No Good, Very Bad Passwords; Time To Up Our Game

Published: November 07, 2021 on our newsletter Security Fraud News & Alerts Newsletter.

Yep, we’re still doing it. What’s that, you ask? Unfortunately, the collective “we” are still creating as Alexander may say, terrible, horrible, no good, very bad passwords. At the beginning of each year, there are lists of the worst passwords used the previous year. As if 2020 didn’t bring enough chaos and disappointment, our password choices also left a lot to be desired. So, let’s revisit those and toss in a few reminders about how to create good ones.

This list is courtesy of NordPass, a password manager, starting with number 20 and getting to the big finish with the top worst one. Though seriously, they are all competing for that spot.

20. qqww1122 19. password1 18. aaron431 17. iloveyou 16. 1234 15. 0 14. Million2 13. abc123 12. qwerty 11. 1234567 10. senha 9. 1234567890 8. 12345 7. 123123 6. 111111 5. 12345678 4. password 3. picture1 2. 123456789

The last one is withheld for the grand finale.

Yes, it is truly unbelievable that people are still using “password” and “iloveyou” for passwords. After all the talk of creating strong passwords, it’s still amazing that “qwerty” is still on the list.

So, let’s go over the strong password guidelines again:

  • At least 8 characters

  • Include at least one number and one special character

  • Use both capital and lower-case letters

  • Refrain from using personal information such as birthdates and driver’s license numbers

  • Avoid using actual words; use random combinations or phrases

  • Use a unique password for every single online account

We can sympathize. It’s tough to remember all of them. After all, the average user has between 120-130 online accounts to keep track of. So, create a way to recall them. For instance, create a 6-character base password and add onto it from the website name to make the minimum 8. For example, your base could be “PW18*n” and you might be visiting You could make your password “GPW18*no” using the first and last characters of the URL. If that doesn’t work for you, try writing down clues that will trigger your memory (as opposed to writing down the actual password). Another option is to use a password manager. Just remember that if your master password is breached, someone could have access to all of your passwords. So, if you’re going to do that, be sure to change your master password often. As a last resort, write them down on an old-fashioned sheet of paper and store them somewhere hidden from site, preferably in a locked drawer or cabinet and never leave it out for others to see.

So, the big reveal is here. Have any guesses for that worst of the worst for 2020? It is (drumroll, please), STILL “123456” used by 2,543,285 users and can be cracked in less than a second. At least “football” didn’t make the list this year.

Want to schedule a conversation? Please email us at

4 views0 comments


bottom of page