Engage Web logo - horizontal-resized
Engage Web Logo White Landscape

More than 23 million accounts use same obvious password


More than 23 million accounts use same obvious password

Protecting your online accounts with a password that can be easily guessed is like having a front door that can be unlocked with a lollipop stick. You’re basically just hoping that nobody will be rude or nosy enough to open it, but even the laziest of intruders will be happy to accept the invitation.

Still, it seems from the UK National Cyber Security Centre’s (NCSC) latest list of commonly breached passwords that people are continuing to make hackers’ jobs very easy. Even in these times when we are strongly advised, and sometimes forced, to select passwords featuring upper and lower case letters, numbers and special characters, the most commonly selected password is ‘123456’. This highly unimaginative numerical string is all that stands in the way of 23.2 million accounts.

In second place is ‘123456789’ (probably the next choice of the ‘123456’ brigade when they’re told their password is too short), and I suspect the only reason ‘password’ is as low as fourth is because many websites simply won’t allow it.

The full top 10 of these hopelessly ineffective passwords is as follows:

1. 123456
2. ‪123456789
3. qwerty
4. password
5. 111111
6. ‪12345678
7. abc123
8. ‪1234567
9. password1
10. 12345

You might be thinking “Well, I don’t use any of them, my password is something personal”. Really? Is it the name of your kids, your favourite band or your beloved football team? If your Facebook profile picture is a Liverpool badge, you constantly post on social media about the team’s games and you’re using the password ‘liverpool’, you’ve not done much better than ‘123456’. In fact, the NCSC says Liverpool are the most common football team to feature in passwords, followed by Chelsea.

The most commonly chosen names are ‘Ashley’ and ‘Michael’, selected by those opting to “secure” their accounts with the first names of their children, loved ones or even themselves. Music fans are commonly going for ‘blink182’, perhaps believing that the pop-punk band’s alphanumeric name makes it less guessable, but forgetting that just about everyone who was a teenager in the early ‘00s had ‘Enema of the State’ on their Walkman or minidisc player.

It might be easy to think that choosing obvious passwords is a trait of the ‘silver surfers’ who don’t really know what they’re doing on the web and want everything to be as simple to remember as possible, but the appearance of blink-182 on the list suggests that younger people are falling into this trap too. In 2016, Facebook CEO Mark Zuckerberg gave us one of his many reminders of why he might not be the best person to be in charge of the biggest social media site on the planet when it emerged that he had been using the password ‘dadada’ for some of his social media accounts.

Passwords need to be something you can remember, but not so obvious that someone else can easily guess them even if they don’t know you. A Liverpool fan, for example, might want to expand on ‘liverpool’ by adding their favourite player’s squad number, or the date of the first match they attended.

For example, if I were to choose ‘chester’ as my password, it would be a lot less commonly chosen than ‘liverpool’, but still pretty easy to guess among anyone who knows me, has access to my social media or even reads my bio here on this very page! What people might not know is that my first game at the Deva was a 2-1 win against Colchester United on April 9th, 1994. I can remember that pretty easily though, so what if my password was something like:


That’s not difficult for me to remember, but it avoids the obvious use of ‘Chester’ thanks to the rarely used nickname ‘Seals’, makes use of both lower and upper case letters, and includes numbers. It even contains special characters like the dash to separate the score from the date, the slashes within the date and the exclamation mark, just because any Chester victory is worthy of exclamation. At 19 characters, it’s pretty long as well.

Of course, even dafter than using a password like ‘123456’ would be to spend time putting together a much more complex one, only to share it publicly. Needless to say, ‘Seals2ColU1-9/4/94!’ is not my password!

At Engage Web, we remind businesses of the importance of not choosing passwords that are simply the name of one of their products, or the name of the company with a number after it. In these times of growing cyber risk, people need to safeguard their digital assets in the same way as they would with their physical ones.

John Murray

Get in touch

Please enable JavaScript in your browser to complete this form.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Book a consultation with Engage Web

Sorry to interrupt, but would you like to download our FREE Social Media Calendars?

Social Media Calendar Product Mock Up for web

 You can use them to plan your social media and content in advance, saving you time and getting better results. When you use our social media calendars, you'll always know what's trending and what to post about for your business.