Skip to content ↓ | Skip to navigation ↓

“123456” remains the most common password which digital criminals abuse to steal unsuspecting users’ sensitive information.

On 21 April, the United Kingdom’s National Cyber Security Centre (NCSC) partnered with security researcher Troy Hunt to publish the top 100,000 passwords from Hunt’s Pwned Password service. Here are the top 20 passwords from this list:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 111111
  6. 12345678
  7. abc123
  8. 1234567
  9. password1
  10. 12345
  11. 1234567890
  12. 123123
  13. 000000
  14. iloveyou
  15. 1234
  16. 1q2w3e4r5t
  17. qwertyuiop
  18. 123
  19. monkey
  20. dragon

Overall, Pwned Passwords uncovered “123456” a whopping 23.2 million times across the breached data records it analyzed. This frequency dwarfed the second most-breached password, “123456789,” at 7.7 million instances. It also had nearly 20 million more occurrences than “qwerty,” the third most-compromised secret.

The NCSC isn’t the first entity to release a list of the most frequently breached passwords. In 2016 and 2017, for instance, SplashData released its own “Worst Passwords of the Year” list. Both of those publications found that “123456” topped all other combinations. They did differ from the NCSC’s resource, however, in that they found “password” to be the second most commonly exposed secret.

Dr. Ian Levy, NCSC Technical Director, feels that the list based on Pwned Passwords’ data highlights the risk of reusing passwords across multiple web accounts. That risk rises exponentially, he notes, when those secrets are easily guessable like “123456.” As he explains in a blog post:

We understand that cyber security can feel daunting to a lot of people, but the NCSC has published lots of easily applicable advice to make you much less vulnerable. Password re-use is a major risk that can be avoided – nobody should protect sensitive data with somethisng[sic] that can be guessed, like their first name, local football team or favourite band.

Acknowledging the threats of account takeover and data theft, users should leverage password hygiene best practices to protect each of their web accounts with a strong, unique combination. These passwords could be difficult to remember, however, which is why they should consider using a password manager for assistance. Additionally, users should look to implement multi-factor authentication (MFA) wherever and whenever it’s available.