The most commonly leaked online passwords have been revealed after experts analysed huge data sets made public in recent hacks. The study shows that millions of people are using incredibly simplistic and easy to guess passwords, putting them at risk from hackers who could easily access their personal online accounts.
Database firm Red9 said it looked at the number of times passwords appeared in publicly available data breaches from several sources and found the most commonly used password was ‘123456’, which had appeared a staggering 42,542,807 times in data breaches.
If you’re using ‘123456’ as a password for any of your online accounts or devices, you should change it immediately.
The research showed the second most commonly breached password was ‘123456789’, found 18,313,580 times, followed by ‘qwerty’ which was hacked 10,713,794 times. Also seen millions of times were ‘password’, ‘12345678’, ‘111111’, ‘qwerty123’ and ‘1q2w3e’.
“The findings highlight the importance of heightened awareness regarding password security, as certain commonly used passwords continue to pose significant vulnerabilities,” Mark Varnas, Founder of Red9 said. “In light of these findings, users are strongly encouraged to adopt more robust password practices to enhance their digital security.”
The research said many of these most commonly used hacked passwords can be cracked “instantly” by hackers who use what are known as brute force calculators – simple computer programs – to quickly figure out your password and gain access to your personal accounts.
Numerical-only passwords made up six of the top ten leaked passwords. Passwords that contain only one kind of character are the most easily broken, for example a password that contains only numbers, or only lower case letters.
“Employing a combination of uppercase and lowercase letters, numbers, and special characters, and avoiding easily guessable information such as names and birthdays, can significantly bolster the resilience of passwords against unauthorised access,” Varnas said.
“Regularly updating passwords and refraining from using identical ones across multiple accounts, further fortifies your defence against potential security threats.”
Here are the top 20 most breached passwords according to the study:
| Rank | Password | Times appeared in breaches |
| --- | --- | --- |
| 1. | 123456 | 42,542,807 |
| 2. | 123456789 | 18,313,580 |
| 3. | qwerty | 10,713,794 |
| 4. | password | 10,382,543 |
| 5. | 12345678 | 6,901,438 |
| 6. | 111111 | 5,070,941 |
| 7. | qwerty123 | 4,880,569 |
| 8. | 1q2w3e | 4,486,025 |
| 9. | 1234567 | 4,351,342 |
| 10. | 1234567890 | 4,130,502 |
| 11. | abc123 | 4,034,851 |
| 12. | 123123 | 3,897,129 |
| 13. | 12345 | 3,508,324 |
| 14. | password1 | 3,327,959 |
| 15. | 1234 | 2,633,239 |
| 16. | iloveyou | 2,355,034 |
| 17. | 1q2w3e4r5t | 2,148,210 |
| 18. | qwertyuiop | 2,116,445 |
| 19. | admin | 1,786,404 |
| 20. | 123 | 1,783,558 |
Red9 said it analysed publicly available data breaches from NordPass, Splash Data, National Cyber Security Centre, and “other” cyber security organisations, before running them through the popular site HaveIBeenPwned.
You can also use HaveIBeenPwned for free to see if your email address has been part of a data breach. If it has, it shows you which accounts and services so you can take steps to protect your data by changing your passwords.
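The check below is an added example, not code from Red9 or the original article: it screens a candidate password against the top 20 list above and estimates its brute-force keyspace from the character classes it uses. The 40-bit threshold, the ASCII-only character classes and the function names are assumptions made for illustration.

```python
import math
import string

# The top 20 breached passwords listed in the article.
TOP_20 = {
    "123456", "123456789", "qwerty", "password", "12345678", "111111",
    "qwerty123", "1q2w3e", "1234567", "1234567890", "abc123", "123123",
    "12345", "password1", "1234", "iloveyou", "1q2w3e4r5t", "qwertyuiop",
    "admin", "123",
}

# Character classes and their alphabets (ASCII only, an assumption).
CLASSES = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "symbols": string.punctuation,
}


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return sorted(name for name, chars in CLASSES.items()
                  if any(c in chars for c in password))


def keyspace_bits(password):
    """Upper bound on exhaustive-search work: log2(alphabet ** length)."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def screen(password, min_bits=40.0):
    """Return the reasons to reject a password; an empty list means accept.

    min_bits is a hypothetical threshold chosen for this example.
    """
    reasons = []
    # Case-fold so trivial variants such as "Password1" still match the list.
    if password.lower() in TOP_20:
        reasons.append("on breached list")
    if len(classes_used(password)) < 2:
        reasons.append("single character class")
    if keyspace_bits(password) < min_bits:
        reasons.append("keyspace too small")
    return reasons
```

Both ‘qwerty123’ and ‘Password1’ mix character classes and clear the keyspace threshold, so only the breached-list lookup rejects them; character variety alone does not make a password safe.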