The report by the UK's National Cyber Security Centre (NCSC) analyzed passwords found in public databases of breached accounts to find out popular words, phrases, and strings. It appears that the worst password of 2018—123456—remains the most popular, appearing in more than 23 million passwords.
The second-most popular string was the equally bad 123456789, while the other top five entries include "qwerty," "password," and 1111111.
People’s names are still commonly used as passwords, the most popular being Ashley, followed by Michael, Daniel, Jessica and Charlie. And when it comes to using band names, Blink182 is the most common, followed by 50cent. Superman, meanwhile, is the most popular fictional character name used as a password.
The report was put together in collaboration with Troy Hunt, the Australian security researcher responsible for the Have I Been Pwned website, which reveals if your email addresses or passwords appear in data breaches.
Most users know that it’s inadvisable to reuse the same credentials across multiple websites—even Mark Zuckerberg is thought to have been guilty of this practice in the past. Remembering multiple passwords isn’t easy, of course, so the best solution is to use a password manager such as LastPass. It’s also advisable to enable two-factor authentication wherever possible, but the most important thing is to not use terrible passwords.
“Making good password choices is the single biggest control consumers have over their own personal security posture. We typically haven’t done a very good job of that either as individuals or as the organisations asking us to register with them,” said Hunt.
“Recognizing the passwords that are most likely to result in a successful account takeover is an important first step in helping people create a more secure online presence.”