Last year, when I wrote about the worst passwords of 2018, it was horrifying to discover clangers including “qwerty” and “123456” appearing in the top 20 list.
Predictably, the worst passwords tend to be the most hacked, simply because they are far too easy to crack. So it should come as no surprise that the latest bad passwords report – this time by the UK’s National Cyber Security Centre (NCSC) – has similar findings.
In fact, the password that turned up the most was the same: According to the NCSC’s global breach analysis, 23.2 million of those hacked worldwide used the password “123456”.
The analysis, covering the 100,000 most commonly recurring passwords accessed by hackers in global cyber breaches, was taken from Have I Been Pwned – the site run by the highly esteemed security expert Troy Hunt.
Most hacked passwords
Beware: this list may provoke eye rolling from infosec fiends frustrated that general folk really do need to do better. But the NCSC’s list isn’t intended to shame; the organization wants to educate the public on how easy it is to get breached – especially when you make zero effort with your passwords.
I can’t post every single breached password here simply due to space constraints, but the top ones included the ridiculously unimaginative “password” and even “1111111” – which, frankly, is just lazy. Others included names (I assume people’s own), football teams (please), musicians and fictional characters such as Superman.
So, for your entertainment – and, hopefully, for some of you, education – here are the top five most used passwords. I’ve also included a sample of popular breached passwords from the rest of the list:
The 20 most used passwords
123123 (2.2m)
Monkey (980,209)
Top 5 names
Top 5 football teams
Top 5 musicians
Top five fictional characters
Why it matters
Breaches are getting bigger all the time: The Collection #1 breach, for example, saw more than a billion unique email addresses and passwords posted to a hacking forum for anyone to see. Last year, there were major breaches of the likes of Marriott, British Airways and Facebook, among others.
It could be argued that some firms aren’t doing enough to protect people’s data, but there is one thing users can do: take control of your own security by following best practices.
What to do
It goes without saying that if you see your password on the list, you need to change it now. You can also start to follow a few simple guidelines. Passwords need to be strong, but they should also be unique to each of your accounts.
Of course, some accounts hold more sensitive details than others – your email, for example. But, concerningly, fewer than half of those surveyed by the NCSC say they always use a strong, separate password for their main email account. The NCSC itself offers a lot of helpful advice on its site, including avoiding credential reuse and choosing strong passwords made up of three or more random but memorable words.
If that’s tough to remember, I’d recommend a line from a book or a song – and don’t be afraid to keep a physical book of your passwords. As long as you keep it separate from your devices, and not in a text file on your desktop, it’s actually pretty secure.
Better still, use a password manager such as LastPass or 1Password. This creates passwords for you, removing the need to remember them. The manager itself needs to be secured with a master password, which must be strong, or hackers could access all of your credentials in one handy place.
Dr. Ian Levy, NCSC technical director, told me: “Password managers, whether an app, built into your browser or your device, can help with the burden of remembering lots of different passwords. Just remember to make your master password strong, along the lines of our guidance.”
It’s also a good idea to have a look at Troy Hunt’s site, Have I Been Pwned. You can enter your email addresses and passwords there to check whether they have shown up in any breaches. For those of you concerned about doing this, don’t be: it’s good to be suspicious, but this site is a great tool to help ensure you change your passwords when you need to.
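As an added example (not code from the article, the NCSC or Have I Been Pwned), here is a Python sketch of how a breached-password check like Troy Hunt’s Pwned Passwords service works without your password leaving your machine: only the first five hex characters of its SHA-1 hash are sent, and the rest of the hash is matched locally against the list that comes back. The range reply and its count are constructed fixtures, and `breach_count`, `parse_range_response` and `fetch_range_offline` are names I chose.

```python
import hashlib
from typing import Callable, Dict, Tuple

# The real service exposes GET https://api.pwnedpasswords.com/range/<5 hex chars>
# and answers with lines of the form "<remaining 35 hex chars>:<count>".
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 and split into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if count.strip().isdigit():
            counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appeared in breaches (0 = not found).
    fetch_range is injected so the lookup can run offline against a fixture."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix: str) -> str:
    """Real lookup (not used by the offline demo): sends only the 5-char prefix."""
    import urllib.request
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline fixture standing in for the reply for the prefix of
# "123456"; the neighbouring suffixes and the count are illustrative only.
_HIT_PREFIX, _HIT_SUFFIX = sha1_prefix_suffix("123456")
SAMPLE_RANGE_RESPONSES = {
    _HIT_PREFIX: ("0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
                  f"{_HIT_SUFFIX}:23200000\r\n"
                  "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"),
}


def fetch_range_offline(prefix: str) -> str:
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")
```

Swap `fetch_range_offline` for `fetch_range_online` to query the live service; either way the full password hash is never transmitted.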