"123456" remains the most common password which digital criminals abuse to steal unsuspecting users' sensitive information.
On 21 April, the United Kingdom's National Cyber Security Centre (NCSC) partnered with security researcher Troy Hunt to publish the top 100,000 passwords from Hunt's Pwned Passwords service. Here are the top 20 passwords from this list
Overall, Pwned Passwords uncovered "123456" a whopping 23.2 million times across the breached data records it analyzed. This frequency dwarfed the second most-breached password, "123456789," at 7.7 million instances. It also had nearly 20 million more occurrences than "qwerty," the third most-compromised secret.
The NCSC isn't the first entity to release a list of the most frequently breached passwords. In 2016, for instance, SplashData released its own "Worst Passwords of the Year" list. Both of those publications found that "123456" topped all other combinations. They did differ from the NCSC's resource, however, in that they found "password" to be the second most commonly exposed secret.
Dr. Ian Levy, NCSC Technical Director, feels that the list based on Pwned Passwords' data highlights the risk of reusing passwords across multiple web accounts. That risk rises exponentially, he notes, when those secrets are easily guessable like "123456." As he explains in a blog post:
We understand that cyber security can feel daunting to a lot of people, but the NCSC has published lots of easily applicable advice to make you much less vulnerable. Password re-use is a major risk that can be avoided - nobody should protect sensitive data with somethisng[sic] that can be guessed, like their first name, local football team or favourite band.
Acknowledging the threats of account takeover and data theft, users should leverage password hygiene best practices to protect each of their web accounts with a strong, unique combination. These passwords could be difficult to remember, however, which is why they should consider using a password manager for assistance. Additionally, users should look to implement multi-factor authentication (MFA) wherever and whenever it's available.