Are You (and your password) on The Naughty List?

Category: Security

It's for your own good, I promise... please see this list of the worst 200 passwords of 2021, and I hope none of yours is found there. If so, you and your password will be on every hacker's “naughty list” and you'll get digital coal in your stocking. Find out if your password is on the naughty list, and what you can do about it. Read on...

The Most Popular (and WORST) Passwords

NordPass's list of the 200 Worst Passwords of 2021 is an interesting read, which shows not only the most commonly used (and therefore insecure) passwords, but also how their rankings changed from year to year. The list also shows how much time it would take for a hacker with easily available tools to guess each of them. (The majority of them can be guessed in under a second.)

They also offer some tips on how to create stronger passwords. The list comes from NordPass, and was compiled with the assistance of cybersecurity researchers. NordPass specializes in analyzing data breaches, so they're not revealing anything the bad guys don’t already know.

It’s very likely that all 200 of the Worst Passwords are among the first ones tried in simple "password spraying" attacks, where a hacker throws common passwords at a target until one of them works. These are easy pickings; if you use any of these passwords, you are far more likely to get hacked. A quick glance at the list will show why some passwords are particularly fool-hardy. Topping the list is 123456. Also in the top ten are 12345, 123456789, 111111 and 123123.

worst passwords of 2020

New this year is a breakdown of the naughty list passwords by country and gender. Unsurprisingly, it shows that "123456" tops the list regardless of gender or geography. But "liverpool" is in the top three for men in the UK, while "charlie" sits in that spot for women in the UK. French women prefer "doudou", "loulou" and "chouchou", while the men prefer "marseille" and "azerty". That last one results from the fact that "azerty" is the top row of the French keyboard, instead of "qwerty" for English speakers.

These and similar passwords epitomize the first two “don’ts” of password selection: don’t use an obvious word, or a simple pattern of keystrokes. Popular examples include qwerty, iloveyou, and (drumroll, please…) “password”.

Longer combinations of letters and symbols like “Password1” or “qwerty123” don’t make strong passwords, although many sites will tell you they are strong. The pattern or root word is too obvious. It's also a bad idea to reuse passwords across multiple online accounts. If one is breached, all are exposed.

The "fun facts" section of the report includes such tidbits as "people love using their own name as a password," men use swear words as passwords more often than women, "iloveyou" is used more often by women, and in the battle of the bands, men chose Metallica (88,543) more often than Slipknot (75,204).

You might chuckle at some of these ill-considered passwords, and wonder why you should care if "stupid people" have easily hacked online accounts. Here's why:

The people who use these lame passwords are not just harmless idiots. They are serious threats to the security of the entire Internet. Any compromised, connected computer or online account can and will be used to spread spam, malware, and other mischief to thousands of others. It’s tempting to think of the idiots’ own suffering (ID theft, financial fraud, data loss, etc.) as karma. But instead, let's take pity and share some information about how to avoid those perils.

Use a Password Manager to Generate, Save and Recall Your Login Credentials

A commonly recommended best practice for password management is to use unique passwords for each account, at least 12 characters in length. Many websites impose a mix of upper and lower-case letters, numbers, and symbols to lower the risk of getting your passwords guessed or cracked. But unless you have perfect recall, following these guidelines is difficult.

However, there is absolutely no excuse for weak passwords anymore. Not surprisingly, Nordpass offers a free password manager called NordPass which will generate, store, and recall strong passwords for you. NordPass automatically enters your login details when signing into your favorite websites.

Other password manager software such as Roboform, Lastpass, KeePass, and Dashlane take the work out of creating and using long, strong passwords. Most of them provide a way to sync your passwords across multiple devices. Dashlane even has a feature that will change the passwords on multiple sites with just a few keystrokes; it’s good practice to change passwords on a regular basis.

Google Chrome also has a built-in password manager. When registering at a new site, Chrome can suggest a long, strong password. One click, and it is applied to your new account. If the sync feature is turned on in Chrome, your passwords are saved to your Google Account. Otherwise, your passwords are only stored on Chrome on your computer. Chrome will alert you if you use a password and username combination known to be compromised in a data breach. You can learn more about Google password management here.

NordPass, Roboform, Dashlane, Lastpass and Chrome can all store your passwords in the cloud, with strong encryption, to enable access to your saved credentials from any computer or mobile device. If you recoil at the thought of storing all your passwords in cloud storage, consider KeePass. Unlike purely cloud-based password managers, KeePass will store your encrypted password vault where you tell it to. That could be on a local hard drive, a USB flash drive, or even in the cloud if you need to sync across desktop and mobile. Keepass is free, but not as user friendly and full-featured as the paid options I listed above.

Every now and then, you should review your saved passwords to see if there are any online accounts you no longer use. Go to the site(s) and delete or close such inactive accounts. The fewer opportunities to hack you, the better.

How do you handle passwords? Don’t give away any family secrets, but I would like to know in general how you create and manage your passwords; feel free to share ideas in the comments below.

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 29 Nov 2021

For Fun: Buy Bob a Snickers.

Prev Article:
SEVEN Tips and Tools For Online Shoppers

The Top Twenty
Next Article:
Here's How to Spot A Fake Product Review

Most recent comments on "Are You (and your password) on The Naughty List?"

Posted by:

29 Nov 2021

I have used KEEPASS for many years. I only have to remember one password. However, I also have used the first letters of one of my favorite songs. For instance: Mary Had A Little Lamb becomes MHALL. Adding a number such as the date I was married and reversing it becomes: MHALL025221. I can remember it easily.

Posted by:

William Hockberger
29 Nov 2021

Hi Bob, thanks for all you do!

I think many people would like to know which online services for paying for things are safe to use and also keep your private info confidential. Maybe there are online banks that qualify too?

Thank much!

Posted by:

Paul S
29 Nov 2021

Been using KeePass for many years and store the encrypted database in the cloud. I use it routinely to generate strong (100+ entropy) passwords. I have configured it to load username & password for a few frequently visited web sites using a particular, configurable, keypress combination. For one in particular I have it use a different browser than my default. I also use it in combination with Veracrypt. It's UI may not be a slick as some of the others but it does all that I need. One needs to read the documentation carefully, paying attention to examples.

Posted by:

29 Nov 2021

Keepass for years — unique generated pw for each account (took me about 1/2-hr years ago) — never knowingly hacked and I can logon anywhere in seconds...

Posted by:

29 Nov 2021

Thanks Bob. Interesting as always.

How do these password managers work with 2 factor authorization on a USB drive, especially asking about keepass on a presumably different USB drive?

Posted by:

Robert A Kinsler
29 Nov 2021

Any one for some of those algebra equations? Great way to confuse a lot of folks.

Posted by:

J Stuart Wells
29 Nov 2021

I have used Dashlane for years and like it although I have seen a few quirks that I don't understand. When I first signed in online to see Snopes, Dashland would fill in my email address. Now it no longer does that and I don't understand why. I do use the generated pws as a general rule. My wife also uses it and we share it. Once in a great while that causes a bit of struggle.

Posted by:

Robert A.
29 Nov 2021

The symbols above the numeral keys can be substituted for letters in words.

For example:
!=i or l
&=the word "and'

Posted by:

Paul S
29 Nov 2021

Lucy: Start with an internet search "KeePass 2FA". I don't personally use it but information is available with a bit of looking. Also look on Reddit perhaps for something different. Apparently some have put database on one USB stick and the key file on a different one. Not sure if that is what you want.

Posted by:

Brian B
29 Nov 2021

Firstly, I use Eset Internet Security alongside Malwarebytes Pro which do a pretty good job of keeping these attacks at bay in the first place. Secondly, I use LastPass with 13 digit full combination of keys, which I believe takes 1 million years to crack ( Next I use 2FA wherever I can and then limit failed logins to 5.

Not totally perfect I know, but I'm always looking how to improve.

Posted by:

29 Nov 2021

KeePass....since I don't know when,
not for folks that need hand holding.

Posted by:

Noel Rodrigue
30 Nov 2021

Interesting article, as usual. Here's a question that popped up as I was reading your text: If I use let's say Chrome and Firefox, and I let them generate the password for a given site, will the other browser be able to access the site? Will it 'know' the correct password?

I'm thinking that if I used any of the other software (NordPass, Roboform, etc.) and tied them to both browsers I would be OK.

Posted by:

Ernest N. Wilcox Jr.
30 Nov 2021

I have been using LastPass (the free version) here for several years. I dual-boot Windows 10/11 with GNU/Linux on my desktop and both of my laptops. LastPass stores my passwords in the cloud with excellent encryption, so as far as I know, they are safe (or as safe as possible).

Two times a year (January 1, and July 1, I look through my LastPass Vault to weed out any old, no-longer-used accounts. When I find one that I no longer want (or use for whatever reason), I launch the website and attempt to remove my account there. Oten, there is no "remove my account" (or equivalent) option, in which case I send an email to the webmaster (usually webmaster@[website domain]) requesting directions to remove my account. If I don't get a response within a week, I go back to the site and edit my account profile, changing any information that may be able to identify me (name, email, etc.) to known non-existent data (e.g.: I use a now-defunct email address from an ISP I once used (but I add the number 2 to the end of the username (preceding the '@' symbol). I often use 'Ferd Berferd' or 'Mickey Mouse' (or something equally ridiculous) for the name on the account. Then after I finish modifying the information on the account, I remove the entry from my LastPass Vault.

I have a fairly nice phone, but I do not use it to surf the web much (I prefer the luxury of the much larger screens attached to my desktop and laptops, so LastPass works fine for me here. I use the default 12-character password generation in LastPass along with 2FA on any websites that support it. This is the one area where I use my phone, because I use the Microsoft Authenticator App for 2FA (I figure that Microsoft already has access to all my information anyway, so why spread my personal data across multiple service providers. If I ever stop using Windows, I'll change to LastPass's Authenticator App (as long as it remains free).

I tried out the Open Source BitWarden password manager when LastPass changed their free option to support only my PCs or my phone (not both), but I didn't like working with it. Launching websites felt a lot more cumbersome than when using LastPass, so I stayed with LastPass on my PCs, and that's O.K. since I don't use my phone to surf the Web anyway.

I have never heard of NordPass until now. I may check it out too.



Posted by:

Peter Oh
30 Nov 2021

I cannot recommend Last Pass.
Almost every conceivable difficulty presents.
Worst is the frequent failure to record a new site password.
Other issues too numerous to mention!

Posted by:

30 Nov 2021

Used Keepass for many years with the encrypted password database store in the cloud, then Dropbox restricted the number of devices it would sync for free and so I switched to BitWarden - very happy with it - highly recommend.

Posted by:

Kenny D
01 Dec 2021

I use Enpass and Bitwarden with my browsers. One is a backup to the other.

Posted by:

12 Sep 2023

I used KeePass for awhile, but after getting locked out twice due to database issues, I'm sorry I had to leave that open source software.

I'm using Proton Pass right now -- from the makers of Proton Mail/VPN/database. It's only been a few weeks but working alright. I love the ProtonMail and VPN.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- Are You (and your password) on The Naughty List? (Posted: 29 Nov 2021)
Copyright © 2005 - Bob Rankin - All Rights Reserved