Please fill in the form below to subscribe to our blog

These Bad Passwords Make Every Day Groundhog Day for IT Teams

February 02, 2021

Groundhog Day List of the 20 Most Common Passwords of 2020


Passwords are the bane of every IT department. No matter how much training they conduct or how many helpful reminders that they send out, users will inevitably cling to weak, reused, recycled or iterated passwords. Those bad passwords will also inevitably cause the IT department to have to mitigate unnecessary password-related cybersecurity risks – or worse, clean up after preventable, expensive password-related cybersecurity disasters.

Password insecurity is a major weakness that cybercriminals can exploit – experts estimate that more than 81% of data breaches are due to poor password security. Users know that password safety is important, but they often fail to take it seriously. In a 2020 survey, 91% of participants said that they understood the risk of password reuse but 59% admitted to doing it anyway – and 63% of them use the same password across multiple work and home applications.

They’ve got plenty of ammunition to use for their attacks. In 2020 hackers dropped more than 22 million records on the Dark Web. That’s in addition to the enormous amount of data, including password lists, that’s already available for cheap (or free) in Dark Web markets and data dumps. This data can be used to mount credential stuffing attacks ass well as other hacking-related cybercrime.

So why do users continue to make bad passwords?  The majority of staffers that are allowed to generate their own passwords will use home-brewed formulas made up of words and numbers that are personally important to them for easy recall. Most people will choose passwords that can be divided into 24 common combinations, and 49% of users will only change one letter or digit in one of their preferred their passwords when required to make a new password.


How Are Bad Passwords Born?


Based on our analysis of the top 250 passwords found on the Dark Web, the most categories of information used to generate bad passwords in 2020 were: Names, Sports, Food, Places, Animals, and Famous People/Characters. Most passwords originate from these groups – 59% of Americans use a person’s name or family birthday in their passwords, 33% include a pet’s name and 22% use their own name. Oh, and the average user reuses that bad password about 14 times! Take a look at the Worst Passwords of 2020 to find out what NOT to do.

The Most Common Passwords by Category

  • Names: maggie
  • Sports: baseball
  • Food: cookie
  • Places: Newyork
  • Animals: lemonfish
  • Famous People/Characters: Tigger

Top 20 Most Common Passwords Found on the Dark Web in 2020

  1. 123456
  2. password
  3. 12345678
  4. 12341234
  5. 1asdasdasdasd
  6. Qwerty123
  7. Password1
  8. 123456789
  9. Qwerty1
  10. :12345678secret
  11. Abc123
  12. 111111
  13. stratfor
  14. lemonfish
  15. sunshine
  16. 123123123
  17. 1234567890
  18. Password123
  19. 123123
  20. 1234567

Make Better Passwords with These Tips Based on Our Analysis of the Password Data Provided by Our 2020 Report


  • “Phil? Phil Connors?” – Don’t use your name – At least 92 of the top 250 most common passwords found on the Dark Web in 2020 were first names or variations of first names. For a stronger password try using a nonsense phrase that only you will know. (Something like Punxsutawney perhaps?)
  • “That about sums it up for me.” – Don’t be as easy as 1,2,3 – 35 of the top 250 most common passwords found on the Dark Web in 2020 included some variation of the sequential “123” – including 12 of the top 20 most common passwords. For a stronger password, use a combination of numbers, symbols, and uppercase and lowercase letters.
  • “There is something so familiar about this…” – Don’t recycle when it comes to passwords – 39% of people say most of their passwords across both their work and home applications are identical. For stronger password protection, use a different password for your various log-ins and consider a password manager or multifactor authentication.

Solve Bad Password Problems for Good with Passly


What if you never had to worry about another weak, bad, compromised, reused or recycled password again? Your IT team would love it too. We can help. Choose secure identity and access management with Passly, and your password problems will be locked away. Passly provides the top access point security mitigations recommended by experts at CISA and other major authorities – at a price you’ll love. You’ll get:

  • Multifactor Authentication (MFA) – This feature alone can stop up to 99% of cyberattacks cold. Take the power out of a compromised password by requiring another identifying token for access to systems and data, with many choices for token delivery to fit your business. Plus, MFA gives you protection against phishing attacks too, because the password that was just phished from one of your staffers isn’t going to let cybercriminals in either.
  • Single Sign-On LaunchPads (SSO) – Give each user their own, personalized launchpad that leads them to everything that they need. When your staffers only need to remember one password to access all of the applications that they use every day, they’re happy. When your IT teams only have to manage permissions and access point security through a limited number of defensible points, they’re happy too.
  • Simple, Cost-Effective Remote Workforce Provisioning – Passly gives your IT team everything that they need to for secure identity and access management in office and remotely. Seamless integration with more than 1,000 business applications and secure shared password vaults for team access makes adjusting permissions a snap. Plus, your team can act quickly to isolate a compromised account in case of trouble.

Protection from cybercrime danger is easy when you deploy your secret weapon: security-savvy employees! WATCH WEBINAR>>


Don’t Keep Reliving the Same Password Problems


In 2020, the combination of a global pandemic, economic uncertainty, and a whole world full of new remote workers created a solid payday for cybercriminals, resulting in an 85% overall increase in all categories of cybercrime for the year. By adding secure identity and access management with Passly, you’re adding a strong layer of protection between password-related cybercrime and your business without breaking the bank.

Contact the experts at ID Agent to learn more about Passly or see a video of Passly in action now!



let us help secure you against passwords reuse with contact information and the ID Agent logo on grey.

Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!

LEARN MORE>>


Check out an on-demand video demo of BullPhish ID or Dark Web ID WATCH NOW>>

See Graphus in action in an on-demand video demo WATCH NOW>>


Book your demo of Dark Web ID, BullPhish ID, RocketCyber or Graphus now!

SCHEDULE IT NOW>>