TORONTO -- Yes it’s 2020, but some people still use codes and words like "123456" and "password" for their online accounts.

Basic passwords that take less than a second to crack remain incredibly popular, according to an annual survey released by password manager software NordPass, which analyzed a database of nearly 275.7 million passwords.

The most popular one, used by more than 2.5 million users, was "123456." Other variations that extend or shorten the same sequence make up half of the top 10 most common passwords of the year, according to the survey, almost all of which would take less than a second to crack and have been breached millions of times. "123456" has been breached more than 23.5 million times.

NordPass's survey of the 200 most common passwords, compiled in partnership with a third-party company that specialized in data breach research, found that among the millions of passwords it evaluated, some 152.8 million passwords were incredibly easy to crack and shared by tens of thousands of other accounts. Less than 122.9 million were considered unique.

"Picture1," used by more than 371,600 accounts, was a rare new entry at number three. Just behind it was “password” with more than 360,400 users. Other easy-to-guess passcodes in the top 20 include: "qwerty," "1234," "iloveyou" and "password1."

But also making the list of common passwords were combinations like "aaron431," "zxcvbnm" -- look at the bottom sequence of letters on your keyboard -- and "x4ivygA51F." "Ashley" was one of the most common name-based passwords, shared with more than 52,000 other users.

While most passwords on the list could be cracked in under a second, a few would take a few days; "jobandtalent" would take three years to crack, according to NordPass.

NordPass cybersecurity expert Chad Hammond suggested changing your password if it appears on the top 200 list.

The password manager company said that despite reminders from cybersecurity experts, it was clear that not only are people still using rudimentary passwords, they are not changing them either. Of the top 200 most common passwords for 2020, only 78 were new to the list from 2019.

Hammond warned that a weak password can be used for "credential stuffing attacks," where the breached logins are used to gain unauthorized access to user accounts.

"If you fall victim to a credential stuffing attack, you might lose your Facebook or another important account with all its content. Also, your email address could be used for phishing attacks or for scamming your family and friends, who may very well fall for it, as the email will supposedly be coming from you," Hammond said in a statement.

Suggestions for beefing up your password include:

  • use complex, long and unique passwords
  • store them in a password manager
  • use two-factor authentication when possible
  • delete old, unused accounts and check active ones regularly for suspicious activity