"We shouldn't make their lives easy," says digital minister.

Tens of millions of cyber hacking victims failed to protect themselves fully because they used weak passwords like “123456” in an attempt to protect their accounts, official analysis has revealed.

A study of the 100,000 most commonly recurring passwords that have been hacked in global cyber breaches shows 23.2m people used “123456”, while 7.7m used “123456789”.

A further 3.8m used “qwerty” - the first five letters on a keyboard - while 3.6m simply used the word “password” as their password.

Digital Minister Margot James urged internet users not to make hackers’ lives “easy” by choosing weak passwords, while the National Cyber Security Centre urged people to use three random words as passwords.

The analysis by the NCSC, which is part of the GCHQ spy agency, also revealed hundreds of thousands of people used names, and their favourite Premier League football team, musician or superhero as their password.

The most popular passwords in each category were “ashley” (432,276 users), “liverpool” (280,723), “blink182” (285,706), and “superman” (333,139).

James said: “Cyber security is a serious issue, but there are some simple actions everyone can take to better protect against hackers.

“We shouldn’t make their lives easy so choosing a strong and separate password for your email account is a great practical step.

“Cyber breaches can cause huge financial and emotional heartache through theft or loss of data which we should all endeavour to prevent.”

Weak passwords

The top five most used passwords which were breached to access sensitive information were:

1. 123456 (23.2m)
2. 123456789 (7.7m)
3. qwerty (3.8m)
4. password (3.6m)
5. 1111111 (3.1m)


Names:

1. ashley (432,276)
2. michael (425,291)
3. daniel (368,227)
4. jessica (324,125)
5. charlie (308,939)

Premier League football teams:

1. liverpool (280,723)
2. chelsea (216,677)
3. arsenal (179,095)
4. manutd (59,440)
5. everton (46,619)

Bands and musicians:

1. blink182 (285,706)
2. 50cent (191,153)
3. eminem (167,983)
4. metallica (140,841)
5. slipknot (140,833)

Fictional characters:

1. superman (333,139)
2. naruto (242,749)
3. tigger (237,290)
4. pokemon (226,947)
5. batman (203,116)

Dr Ian Levy, NCSC’s technical director, said: “We understand that cyber security can feel daunting to a lot of people, but the National Cyber Security Centre has published lots of easily applicable advice to make you much less vulnerable.

“Password re-use is a major risk that can be avoided - nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band.

“Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.”

Theresa May’s de facto deputy, David Lidington, added: “Given the growing global threat from cyber attacks, these findings underline the importance of using strong passwords at home and at work.”

The compromised passwords were obtained from global breaches that are already in the public domain, having been sold or shared by hackers.

The list was created after breached usernames and passwords were collected and published on Have I Been Pwned by international web security expert Troy Hunt. The website allows people to check if they have an account that has been compromised in a data breach.

Hunt said: “Making good password choices is the single biggest control consumers have over their own personal security posture.

“We typically haven’t done a very good job of that either as individuals or as the organisations asking us to register with them.

“Recognising the passwords that are most likely to result in a successful account takeover is an important first step in helping people create a more secure online presence.”

