An analysis of the 100,000 most-commonly re-occurring breached passwords confirms that ‘123456’ is the undisputed king of atrocious passwords.

Using data from Have I Been Pwned (HIBP), a website that allows users to check if their email addresses or passwords have appeared in a known data breach, the United Kingdom’s National Cyber Security Centre (NCSC) has found that 23.2 million user accounts worldwide were "secured" with '123456'. Its close, and similarly poor, relative, ‘123456789’, was used 7.7 million times, leaving the door just as wide open for cybercriminals. Other stalwarts among the most common passwords – ‘qwerty’, ‘password’ and ‘1111111’ – rounded out the top five.

And perhaps just as unsurprisingly, many of the most-hacked passwords were made up of names, soccer teams, musicians, and fictional characters. Some of the most popular choices each appeared in hundreds of thousands of passwords.

Source: NCSC

The NCSC made available the entire list of the 100,000 most commonly re-occurring passwords for breached user accounts. Overall, the NCSC’s findings may well bring echoes of other analyses of the most commonly re-occurring passwords. As we also reported late in 2018 and 12 months earlier, studies conducted annually by password security company SplashData produced very similar results.

At any rate, if any of your passwords appears on the NCSC’s list, you would be very well advised to change it post-haste, and perhaps use some of our guidance for picking passwords or passphrases that are both strong and unique. You can also use our how-to guide to check on HIBP if any of your online accounts may have been the victim of a known breach.

Setting up multi-factor authentication wherever possible will add an extra layer of security in exchange for very little effort.

Attitudes

Alongside the password risk list, the NCSC also published the results of its first ‘UK Cyber Survey’, which sought to find more about people’s awareness of, and attitudes towards, cybersecurity.

The survey, which gathered input from more than 2,500 people in the UK between November 2018 and January of this year, found that only 15% say they know “a great deal” about how to protect themselves from harmful cyber-activity. Most (68%) said that they know “a fair amount”.

More than two-thirds of the respondents believe that they will likely fall victim to at least one type of cybercrime over the next two years. The most prevalent concern was money being stolen, as 42% fear that this is likely to happen by 2021.

In order to learn more about the concerns of the US public about cybercrime, you may want to read our recent blog post about the ESET Cybersecurity Barometer. We have also published a parallel report for Canada.