FFS, How Are So Many People Still Using This as Their Password?

By Holly Brockwell

The National Cyber Security Centre (NCSC) has finished its first UK Cyber Survey, and the results are depressing.

The organisation, which is part of GCHQ, ran the survey jointly with the Department for Digital, Culture, Media and Sport (DCMS) ahead of the CYBERUK 2019 conference kicking off in Glasgow this week. Alongside findings about how much people actually know about their online security, it released a list of the 100,000 passwords most commonly found in breached accounts.

These aren't just the passwords people were using on their own laptops or whatever (not that that's much better) -- every one of them has turned up in a breach, where they were used to "access sensitive information" from hacked accounts. That also makes the list a ready-made wordlist: anyone still using one of these is a quick win for an attacker spraying common passwords across a login page. Brilliant.

The password list was collated in partnership with the awesome Troy Hunt of Have I Been Pwned, an online resource for people to find out if their details have been included in any of the big data leaks (and if they haven't by now, you're pretty lucky and should probably buy a lottery ticket).

The password '123456' was the most common, turning up in an impressive 23.2 million breached accounts. Other popular choices included the names of football teams, people, bands and movie characters. The things people think make an acceptable password in 2019 do not make for cheerful reading.

We do wonder which services are letting people set passwords with so few restrictions -- these days it feels like everyone forces you to include capitals, numbers and special characters. That isn't as helpful as it looks, because people just whack an exclamation mark on the end, which is why the NCSC's own guidance to organisations tells them to stop enforcing complexity rules and regular forced changes and to block known-bad passwords instead. And if these passwords were set years ago and the site never made people change them when its rules tightened, they could still be valid today.
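Blocking known-bad passwords is the fix the NCSC recommends, and it is simple to do at registration time. The following is an added example (not code from the article, the NCSC or Have I Been Pwned) of the two checks a site would run: a local deny list, assumed here to be a one-password-per-line text file like the NCSC's top-100k list, and a Pwned Passwords lookup using the k-anonymity range API, in which only the first five hex characters of the SHA-1 hash ever leave the client. The range responses below are constructed stand-ins so the code runs offline; the live URL format is HIBP's public one.

```python
"""Reject passwords that are on a deny list or already appear in breached data.

Added example. Assumptions: deny list is one password per line; Pwned Passwords
range responses are constructed samples, not live data.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, FrozenSet, Optional

# Constructed stand-in for a deny-list file such as the NCSC top-100k list.
DENY_LIST_TEXT = """123456
qwerty
liverpool
1111111
"""


def load_deny_list(text: str) -> FrozenSet[str]:
    """Parse a one-password-per-line deny list, skipping blank lines.
    Matching is case-insensitive: 'Liverpool' is no harder to guess than 'liverpool'."""
    return frozenset(line.strip().lower() for line in text.splitlines() if line.strip())


DENY_LIST = load_deny_list(DENY_LIST_TEXT)


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse a range response: one '<35-hex-char suffix>:<count>' per line."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: send only the 5-char hash prefix, then match the
    remaining 35 characters locally against the suffixes that come back."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def check_password(password: str, deny_list: FrozenSet[str],
                   fetch_range: Callable[[str], str]) -> Optional[str]:
    """Return a rejection reason, or None if the password passes both checks.
    The cheap local check runs first so obvious junk never triggers a lookup."""
    if password.lower() in deny_list:
        return "on the common-password deny list"
    seen = pwned_count(password, fetch_range)
    if seen:
        return f"seen {seen:,} times in breached data"
    return None


def fetch_range_live(prefix: str) -> str:
    """Real lookup against HIBP's public range endpoint (network required)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "deny-list-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed range responses keyed by hash prefix. The real suffixes for
# '123456' (prefix 7C4A8) and 'password' (prefix 5BAA6) are included with
# made-up neighbours; the counts are illustrative, not live values.
SAMPLE_RANGES = {
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:23174662\r\n"
             "0123456789ABCDEF0123456789ABCDEF012:3\r\n",
    "5BAA6": "000AAAA1111BBBB2222CCCC3333DDDD4444:1\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804\r\n",
}


def sample_fetch_range(prefix: str) -> str:
    """Offline stand-in for fetch_range_live: empty body for unknown prefixes."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    for candidate in ["liverpool", "password", "tractor-lantern-quill"]:
        print(candidate, "->", check_password(candidate, DENY_LIST, sample_fetch_range))
```

Swap `sample_fetch_range` for `fetch_range_live` to query the real service; the hash prefix is the only thing transmitted either way, so the password itself never leaves the server doing the check.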

NCSC Technical Director Dr Ian Levy comments while bashing his head against the wall:

"We understand that cyber security can feel daunting to a lot of people, but the NCSC has published lots of easily applicable advice to make you much less vulnerable.

Password re-use is a major risk that can be avoided - nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band.

Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password."

Troy Hunt adds:

"Making good password choices is the single biggest control consumers have over their own personal security posture.

We typically haven’t done a very good job of that either as individuals or as the organisations asking us to register with them.

Recognising the passwords that are most likely to result in a successful account takeover is an important first step in helping people create a more secure online presence."

In short, sort yourselves out. And your relatives and friends, too. Hell, even if it's just passive-aggressively sharing this article on Facebook and being like "wow, who'd use Liverpool as their password?" when you reckon your uncle Jimbo would probably do exactly that.

You can have a gander at the full password list on the NCSC's website.