These are the Top 25 Worst Passwords that People Used in 2019

Last updated December 14, 2019
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

Researchers from the NordPass password manager have listed the 200 most used passwords in 2019, and the situation looks like a repeat of the previous year, and the year before that, and the one leading up to it, and the one anterior to that, and the story goes. As you can easily deduce, the top most used passwords are the same that we see topping the “worst passwords” lists, a practice which leads to super-easy account takeovers. Yet, no matter how many years pass by, and no matter how hard the media try to spread the word of warning, most people are still using the same insecure passphrases.

So here it goes. The top 25 most used passwords for 2019 were the following:

  1. 12345
  2. 123456
  3. 123456789
  4. test1
  5. password
  6. 12345678
  7. zinch
  8. g_czechout
  9. asdf
  10. qwerty
  11. 1234567890
  12. 1234567
  13. Aa123456.
  14. iloveyou
  15. 1234
  16. abc123
  17. 111111
  18. 123123
  19. dubsmash
  20. test
  21. princess
  22. qwertyuiop
  23. sunshine
  24. BvtTest123
  25. 11111

NordPass used a database of 500 million passwords to compile this list, so each entry above corresponds to hundreds of thousands. The passphrase “password” for example was used by 830846 people out of the 500 million in the pool. So, why do people insist on using easy to remember and easy to guess passwords? Possibly, they think that they have nothing valuable to hide anyway, or they reckon that no hackers would be interested in taking over their social media accounts for example.

Whatever their assumptions are, they are all wrong. We should treat our online presence with the respect that it deserves, using unique and strong passwords in every platform that we access/use, otherwise we will face the consequences sooner or later. Scammers, phishing actors, extortionists, and all kinds of crooks can trick you into giving them money whether you have something to hide or not. Moreover, lists like the one seen here are used in brute-forcing malware, hardcoded inside these tools to automate the account takeover process.

Our advice is to use a password manager that will absolve you from having to remember any passwords, check your emails on haveibeenpwned periodically, and activate two-factor authentication wherever it is available. Finally, never use the same password twice, not even if it’s a strong one. If that password leaks through a website breach that you may never get to learn about, your entire online presence will be compromised. This is what happens with stuffing attacks, which have gotten so popular lately for a reason.

Do you have anything to comment on the above? Feel free to share your thoughts with us in the comments section beneath, or on our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: