The Leading News & Information Service For The Facilities, Workplace & Built Environment Community

123456 - 23.2 Million Cyber Victims Used This Password

23.2 million victims worldwide were caught out by using 123456 as their password.
28 June 2019 | Updated 08 July 2019

The most hacked passwords have been revealed as a UK cyber survey exposes gaps in online security with global breach analysis finding 23.2 million victims used 123456 as their password.

Brits have been urged to apply steps to stay safe online after results of the UK Cyber Survey exposed exploitable gaps in their personal security knowledge and businesses have been warned to say no to weak passwords being used by employees. the UK National Cyber Security Centre (NCSC) is urging the use of three random words rather than a single word such as a name or a football team.

Amongst the results – which have been published in full on - were that:

  • Only 15% of individuals say they know a great deal about how to protect themselves from harmful activity.

  • The most regular concern is money being stolen – with 42% feeling it likely to happen by 2021.

  • 89% use the internet to make online purchases – with 39% on a weekly basis. Much of this is done from a work or BYOD computer or phone.

  • One in three rely on friends and family for help on cyber security rather than their employer.

  • Young people more likely to be privacy conscious and careful of what details they share online.

  • 61% of internet users check social media daily.

  • 70% always use PINs and passwords for smart phones and tablets.

  • Less than half do not always use a strong, separate password for their main email account.

The NCSC has also published separate analysis of the 100,000 most commonly re-occurring passwords that have been accessed by third parties in global cyber breaches.

The results show a huge number of regularly used passwords breached to access sensitive information.

The most used were Premier League football teams; musicians; fictional characters; and names - ashley was used 432,276 times. liverpool (280,723); blink182 (285,706); superman (333,139); michael (425,291); chelsea (216,677; 50cent (191,153); qwerty (3.8m); manutd (59,440); batman (203,116).

Dr Ian Levy, NCSC Technical Director, said: “The NCSC has published lots of easily applicable advice to make individuals and businesses much less vulnerable.

“Password re-use is a major risk that can be avoided - nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band.

“Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Tell employees to be creative and use words memorable to them, so people can’t guess your password.”

Margot James, DMCS’ Digital and Creative Industries Minister, said:  "Cyber security is a serious issue but there are some simple actions everyone can take to better protect against hackers. We shouldn't make their lives easy so choosing a strong and separate password for email accounts is a great practical step."

David Lidington, Chancellor of the Duchy of Lancaster and Minister for the Cabinet Office, said: "Given the growing global threat from cyber attacks, these findings underline the importance of using strong passwords at home and at work."



The compromised passwords were obtained from global breaches that are already in the public domain having been sold or shared by hackers.

The list was created after breached usernames and passwords were collected and published on Have I Been Pwned by international web security expert Troy Hunt. The website allows people to check if they have an account that has been compromised in a data breach.

Troy Hunt said: “Making good password choices is the single biggest control consumers have over their own personal security posture.

“We typically haven’t done a very good job of that either as individuals or as the organisations asking us to register with them. Recognising the passwords that are most likely to result in a successful account takeover is an important first step in helping people and businesses create a more secure online presence.”

Picture: 23.2 million victims worldwide were caught out by using 123456 as their password.


Article written by Brian Shillibeer | Published 28 June 2019


Related Articles

Learning To Be Tough On Weak Passwords

East Ayrshire Council has blocked weak passwords after an annual audit revealed their 6,000 employees were leaving the organisation open to cyber threat. It was 2017...

 Read Full Article
Attack On Critical National Infrastructure Imminent

Over half of the respondents to a survey have said they believe an attack on critical national infrastructure is imminent. Most respondents also think the convergence...

 Read Full Article
Callow Youth Blamed for Security Breaches

Younger employees have been identified as the main culprits for security breaches in the workplace in a study by Centrify of UK senior decision makers and...

 Read Full Article
Is BYOD Creating A GDPR Risk For Your Business?

Does your Bring Your Own Device (BYOD) stance have the potential to create risks relating to data protection or breaches, as a result of staff using a single smartphone...

 Read Full Article
Two Million Fleet Drivers To Revalidate Driving Licence Data Consent

There are over two million drivers who will have to revalidate their driving licence data consent, writes Malcolm Maycock, Chair of the ADLV. Whilst this is a mammoth...

 Read Full Article
Raising The Bar – Consent Under The GDPR

Straight from the horse's mouth, Steve Wood, Deputy Information Commissioner, writes for ThisWeekinFM on the topic of 'consent', how to get it and what to do...

 Read Full Article
Denial Of Service Costs Escalate

A DNS Threat Report has revealed the cost per attack has increased by 57% to $715,000 for organisations globally. EfficientIP, a specialist in DNS security to ensure...

 Read Full Article
Are You Ready For Business Change?

Andrew Carwardine offers 7 Steps to Change & Put Process Back On The Agenda. Thanks to GDPR, processes are back on the agenda but why the wait? Shouldn't we...

 Read Full Article
Crown Prosecutions Service Prosecuted - And Other GDPR-type Convictions

You could hardly make it up but the Crown Prosecutions Service has been fined after losing victim interview videos - PLUS a variety of convictions including a...

 Read Full Article
GDPR - What A Scam

GDPR has gifted scammers with a new hook for sending phishing emails. Many internet users are now receiving emails from organisations that they have online dealings with,...

 Read Full Article