123456 is, in the password world, about as lazy as it gets.
All passwords are certainly not created equal, and some are way more common – and predictable – than others.
Cybersecurity experts are urging people to update their ‘lazy’ passwords after analysing 19billion passwords exposed by data breaches.
‘We’re facing a widespread epidemic of weak password reuse,’ explainedNeringa Macijauskaitė, information security researcher at Cybernews.
‘Only 6% of passwords are unique, leaving other users highly vulnerable to dictionary attacks.’
‘Simple, predictable default’ passwords like, well, ‘Password’ were among the most common passwords the Cybernews team encountered.
If they get access, cyber crooks can deploy nasty malware to gain control, or leapfrog around your accounts.
Passwords you should never use
123456
123456789
qwerty
password
12345
qwerty123
1q2w3e
12345678
111111
1234567890
‘Attackers, too, prioritise them, making these passwords among the least secure,’ Macijauskaitė said.
These are called ‘default’ passwords, in part, because many new bank cards, phones or routers have them as the pre-set password, making them especially easy to crack.
Names, footie teams and Batman – the words you should never use
But another worst offender is names. ‘We cross-referenced the dataset with the 100 most popular names of 2025 and found that there’s a whopping 8% chance for them to be included as part of a password,’ the researcher said.
Around 179million passwords had the name ‘Ana’ in them, amounting to 1%.
Pop culture names, while easy to recall, are equally ‘exploitable’ to hackers. They include: Mario (9.6million), Joker (3.1million), Batman (3.9million), Thor (6.2million), and Elsa (2.9million).
Swear words, however, aren’t a sure-fire way to stay secure, warned Macijauskaitė.
Millions of leaked passwords contained the word ass (165million), f**k (16million), s**t (6.5million), dick (3.2million), and b***h (3.2million).
‘Passwords containing profanity often originate from attempts at personalisation or memorability,’ added Macijauskaitė.
‘However, such terms are prevalent in attacker wordlists and pose a substantial risk to account security.’
Food, football team names and locations should also be avoided.
An average person has around 100 passwords for roughly 200 accounts, according to anti-virus software maker NordPass.
This is yet another problem, Macijauskaitė said: ‘If you reuse passwords across multiple platforms, a breach in one system can compromise the security of other accounts, creating a domino effect.
How to create strong passwords
- All passwords should be at least 12 characters long, includes uppercase, lowercase letters, numbers, and at least one special symbol
- Use password managers that create and store unique, strong passwords.
- Never reuse the same password.
- Avoid recognisable words, like names and places.
- Enable multi-factor authentication (MFA) wherever possible.
‘Even without any compromise, hackers can exploit common password patterns.’
What can make passwords act less like an unbreakable lock are cases.
Almost a third (27%) of passwords analysed consisted of only lowercase letters and digits, making them highly vulnerable to ‘brute-force attacks’.
This is when hackers systematically shove every possible combination into your login screen using an automatic software that rapidly generates guesses.
There’s also the risk of ‘credential stuffing’, when hackers obtain usernames and passwords that were leaked elsewhere and reuse them to log in.
Get in touch with our news team by emailing us at [email protected].
For more stories like this, check our news page.
