How to Build a Better Password Than ‘123456’


The U.K.’s National Cyber Security Centre offers simple advice for people and organizations for more secure options.

Passwords are the keys to our digital lives but a recent analysis by the U.K.’s National Cyber Security Centre found we’re using the same easy-to-guess ones over and over again.

NCSC and Troy Hunt, the security professional behind the breach database Have I Been Pwned, released a data set of the 100,000 most used passwords that are already easily available to potential attackers.

“Attackers commonly use lists like these when attempting to breach a perimeter, or when trying to move within a network to potentially less well defended systems,” NCSC said.

More than 23.2 million accounts could be accessed with the simple password “123456” and another 7.7 million used “123456789.” The rest of the top five is just as dumb, with “qwerty,” “password” and “1111111” each being used more than 3 million times.

The data set also shows that people are hooked on names, sports teams, fictional characters and bands. For example, current Premier League leader Liverpool also top the table of football—uh, soccer—teams that are used as passwords. Superman appears as a password more than 333,000 times, beating out Batman’s 203,116.

People who find their passwords in the data set should change it immediately and avoid reusing passwords, NCSC said.

“Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password,” NCSC Technical Director Ian Levy said in the blog post.

Though a lot of password security is foisted on the user, NCSC also suggests organizations and systems administrators can take several steps. First, they can look into blacklisting the passwords in the data set. They can also lessen the user’s password burden by offering single sign-on or alternative authentication methods. They should also let users take advantage of password managers.
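The first of those steps, screening a candidate password against a published list such as the NCSC/Have I Been Pwned top 100,000, looks roughly like this in code. This is an added example, not NCSC's or Troy Hunt's own tooling; it assumes the list is a plain text file with one password per line, and the trailing-suffix stripping is an assumption about how users dress up listed passwords, not something the NCSC data set or guidance specifies.

```python
# Added example (not NCSC/HIBP code): reject passwords that appear on a
# "most used passwords" denylist, loaded from a one-password-per-line file.
import re
from typing import Iterable, Optional

# Constructed sample of denylist lines, mirroring the passwords the article
# names. A real deployment loads the full published file instead.
SAMPLE_DENYLIST_TEXT = """123456
123456789
qwerty
password
1111111
superman
batman
liverpool
"""


def load_denylist(lines: Iterable[str]) -> frozenset:
    """Normalise each line (strip whitespace, lowercase) and drop blanks."""
    return frozenset(line.strip().lower() for line in lines if line.strip())


def _variants(candidate: str):
    """Yield the forms under which a candidate is compared against the list.
    Besides the exact (lowercased) value, this also strips a short trailing
    run of digits or punctuation ("Superman1!" -> "superman"). That second
    check is an assumption made here, not part of the NCSC data set."""
    base = candidate.strip().lower()
    yield base
    stripped = re.sub(r"[\d\W_]{1,4}$", "", base)
    if stripped and stripped != base:
        yield stripped


def check_password(candidate: str, denylist: frozenset) -> Optional[str]:
    """Return None if the password is acceptable, else the listed entry it hit."""
    for form in _variants(candidate):
        if form in denylist:
            return form
    return None


DENYLIST = load_denylist(SAMPLE_DENYLIST_TEXT.splitlines())

if __name__ == "__main__":
    for pw in ["123456", "Superman1!", "coffee glacier trumpet"]:
        hit = check_password(pw, DENYLIST)
        print(f"{pw!r}: {'rejected, matches ' + hit if hit else 'not on the list'}")
```

Enforcing the check at password-set time (and on next login for existing accounts) is what turns the published list into the blacklist the article recommends.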

“Recognising the passwords that are most likely to result in a successful account takeover is an important first step in helping people create a more secure online presence,” Hunt said in the statement.