CyberTech

Level 21
Verified
In today’s digital age where most consumers know their modems from their motherboards, one might imagine that the quality of people’s passwords has improved. But a recent study shows that isn’t the case, with terrible, easy-to-guess passwords still being used by millions.

The report by the UK's National Cyber Security Centre (NCSC) analyzed passwords found in public databases of breached accounts to find out popular words, phrases, and strings. It appears that the worst password of 2018—123456—remains the most popular, appearing in more than 23 million passwords.

The second-most popular string was the equally bad 123456789, while the other top five entries include "qwerty," "password," and 1111111.

People’s names are still commonly used as passwords, the most popular being Ashley, followed by Michael, Daniel, Jessica and Charlie. And when it comes to using band names, Blink182 is the most common, followed by 50cent. Superman, meanwhile, is the most popular fictional character name used as a password.





The report was put together in collaboration with Troy Hunt, the Australian security researcher responsible for the Have I Been Pwned website, which reveals if your email addresses or passwords appear in data breaches.

Most users know that it’s inadvisable to reuse the same credentials across multiple websites—even Mark Zuckerberg is thought to have been guilty of this practice in the past. Remembering multiple passwords isn’t easy, of course, so the best solution is to use a password manager such as LastPass. It’s also advisable to enable two-factor authentication wherever possible, but the most important thing is to not use terrible passwords.

“Making good password choices is the single biggest control consumers have over their own personal security posture. We typically haven’t done a very good job of that either as individuals or as the organisations asking us to register with them,” said Hunt.

“Recognizing the passwords that are most likely to result in a successful account takeover is an important first step in helping people create a more secure online presence.”
 

mlnevese

Level 15
Verified
@Burrito you should use Password with a capital P. Nobody will ever guess that one... :)

On a more serious note, that clearly shows the general ignorance of how security works and the danger you're exposing yourself to when using such obvious passwords. Now if a person understands the danger and still uses passwords like this, then I have to doubt their sanity.
 

IkariGradius

Level 1
Every time I read an article like this, I'm baffled as to how this is possible. Most websites have password requirements such as minimum length, use of a mix of letters, numbers and sometimes special characters. Many OSes and devices have requirements as well.
 

Local Host

Level 15
Verified
They should start using 654321.
IkariGradius said:
> Every time I read an article like this, I'm baffled as to how this is possible. Most websites have password requirements such as minimum length, use of a mix of letters, numbers and sometimes special characters. Many OSes and devices have requirements as well.

I remember back in 2004 when a website forced me to have a 6-digit password with letters and numbers, my password for that website was 11111a. I believe most people are like that. Nowadays I obviously use more complex passwords (in fact I use a password manager).

Simple passwords like that will get your account stolen with ease, in brute force attacks.
 

mlnevese

Level 15
Verified
Local Host said:
> They should start using 654321.
>
> I remember back in 2004 when a website forced me to have a 6-digit password with letters and numbers, my password for that website was 11111a. I believe most people are like that. Nowadays I obviously use more complex passwords (in fact I use a password manager).
>
> Simple passwords like that will get your account stolen with ease, in brute force attacks.

Not even a brute force attack. 12345, abcde, password, a1b2c3d4e5 are often the first passwords a hacker will try as they are the most common.
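
Added example, not part of any post in this thread: a registration-time check showing why the composition rules discussed above do not stop common passwords, and how a breach-corpus lookup does. The hash-prefix lookup is modelled on the range query offered by Have I Been Pwned's Pwned Passwords service; the corpus, its counts, and the function names are constructed for illustration.

```python
import hashlib
import re

# Constructed sample corpus: passwords named in the article and thread, with
# made-up occurrence counts (not real breach statistics).
SAMPLE_CORPUS = {"123456": 900, "123456789": 800, "qwerty": 700,
                 "password": 600, "1111111": 500, "a1b2c3d4e5": 50,
                 "blink182": 40, "superman": 30}

def sha1_hex(password):
    # SHA-1 is only a lookup key here, never a way to store passwords.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def fake_range_lookup(prefix):
    """Offline stand-in for a breach-corpus service (hypothetical): given the
    first 5 hex characters of a digest, return one 'SUFFIX:COUNT' line per
    corpus entry sharing that prefix. Only the prefix leaves the client."""
    digests = {sha1_hex(pw): n for pw, n in SAMPLE_CORPUS.items()}
    return "\n".join(f"{d[5:]}:{n}" for d, n in digests.items()
                     if d.startswith(prefix))

def breach_count(password, lookup=fake_range_lookup):
    """Highest corpus count for the password as typed or lowercased."""
    best = 0
    for candidate in {password, password.lower()}:
        digest = sha1_hex(candidate)
        for line in lookup(digest[:5]).splitlines():
            suffix, _, count = line.partition(":")
            if suffix == digest[5:]:
                best = max(best, int(count))
    return best

def meets_composition(password, min_len=6):
    """Rule of the kind described in the thread: length, a letter, a digit."""
    return (len(password) >= min_len
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)

def accept(password):
    """Accept only if the composition rule passes and the corpus has no hit."""
    return meets_composition(password) and breach_count(password) == 0

if __name__ == "__main__":
    for pw in ["a1b2c3d4e5", "Blink182", "Password", "tram-Orbit-kettle-19"]:
        print(pw, meets_composition(pw), breach_count(pw), accept(pw))
```

Both a1b2c3d4e5 and Blink182 satisfy the letter-plus-digit rule yet are rejected by the corpus lookup, and the capital-P variant is caught by the lowercase comparison.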
 

TairikuOkami

Level 22
Content Creator
Verified
I am not surprised, since you need to create an account like on every second webpage, just to download a recipe or whatever.

Some have a strange approach, PayPal: max 20 characters, you cannot use copy/paste while creating a password, took me 30 mins to type mine.

Then again, some make it ridiculously difficult, like Microsoft: Hey, your password is not complex enough. You cannot use the password you used 5 years ago. No, no, you cannot use your phone number or your birthday, try it one more time. What the, why are you insulting Bill Gates? :)
 

shmu26

Level 78
Content Creator
Trusted
Verified
Some sites, I don't even care if my account is weakly protected. Let's say I log on to the HP site to ask a question about my printer that probably won't even be answered because nobody cares about supporting Linux users. Why do I need to break my head over a strong password?