- ‘123456’ tops the list as the most compromised password, appearing in over 132 million data breaches[1]
- Nearly a quarter (24.8%) of commonly used passwords are numbers only, making them easy to crack[1]
- Almost half (49.2%) consist of letters only, often using predictable words or names[1]
- Keyboard patterns, such as qwerty, and simple number sequences, remain alarmingly common[1]
- Uswitch broadband experts share tips to create strong, unique passwords and protect your online accounts from cybercriminals.
Google has warned its 2.5 billion users to change their login details following reports of attackers gaining access to Gmail accounts[2]. Reflecting growing public concern, searches for “what makes a strong password” have surged by 133% over the past 12 months in the UK[3].
To help users safeguard their online accounts, new research from Uswitch.com, the comparison and switching service, reveals the most commonly hacked passwords and provides practical guidance for creating stronger, more secure logins.
The most common password ‘123456’ still puts millions at risk.
The most compromised password is ‘123456’[1]. This simple number sequence has appeared in 132 million breaches since 2007 and so should never be used[1]. According to Bitwarden, it is a “very weak” password and can be cracked by a computer in less than a second[1].
Following closely is ‘123456789’, the second most common and compromised password, appearing in 45 million breaches[1]. Like its shorter counterpart, it is extremely easy to hack, and it is also rated ‘very weak’[1].
Interestingly, ‘123465789’, ranked 189th in terms of popularity, ranks as the joint second most compromised password[1]. Despite the slight variation in number order, it remains a simple number run that can be guessed almost instantly due to its weak strength[1].
Table 1: The top 20 most compromised passwords.
| Rank | Password | Popularity rank in the top 200 passwords (2024) | Total times compromised (All-time) |
|---|---|---|---|
| 1 | 123456 | 1 | 132,211,338 |
| 2= | 123456789 | 2 | 44,509,169 |
| 2= | 123465789 | 189 | 44,509,169 |
| 4 | 12345678 | 3 | 41,952,538 |
| 5 | admin | 94 | 36,037,720 |
| 6 | password | 4 | 22,364,607 |
| 7 | 12345 | 8 | 19,703,101 |
| 8= | 000000 | 14 | 12,491,701 |
| 8= | qwerty | 15 | 12,491,701 |
| 10 | 1234567890 | 11 | 10,470,628 |
| 11 | Aa123456 | 151 | 9,562,573 |
| 12 | 1234567 | 13 | 9,171,812 |
| 13 | 111111 | 7 | 9,134,601 |
| 14 | 123123 | 10 | 8,693,569 |
| 15 | qwerty123 | 5 | 6,653,804 |
| 16 | abc123 | 16 | 6,057,400 |
| 17 | 1q2w3e | 117 | 4,852,888 |
| 18 | 12345678910 | 76 | 4,397,950 |
| 19 | P@ssw0rd | 80 | 4,034,619 |
| 20 | password1 | 17 | 3,888,677 |
Source: Uswitch.com
Almost half of the most common passwords feature letters only.
While the table above shows the top 20 most compromised passwords, our wider analysis of the top 200 most common passwords reveals clear patterns that could make them easy for hackers and computers to guess[1]. These include passwords made up of letters only, numbers only, simple runs, and common names or words.
Letters only dominate: Almost half (49.2%) of the most common passwords contain only letters, with no numbers[1]. Many of these are common names or words, such as ‘Daniel’, ‘Michael’, ‘Ashley’, ‘monkey’, ‘football’ and ‘dragon’[1].
Numbers-only passwords remain risky: Nearly a quarter (24.8%) of the top 200 passwords feature numbers only. The four most compromised passwords follow this pattern, along with nine others in the top 20. On average, these passwords have been compromised 8,316,887 times[1].
Common names are extremely weak: Around 14% of passwords use personal or common names. All are rated “very weak” by Bitwarden and could be cracked in less than a second[1].
Special characters provide limited protection: Only 3.7% of passwords include special characters like !, ?, @, and _. Even passwords such as ‘Qwerty123!’, ‘P@ssw0rd’, and ‘Qwerty1?’ can still be cracked in under two seconds and are considered “very weak”[1].
A rare, strong example: The strongest password with special characters was G_czechout, rated “good”. It has been compromised just 1,206 times and would take a computer around four hours to crack[1].
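The patterns described above can be turned into a screening check that a sign-up or password-change form runs before accepting a password. The following is an added example, not Uswitch's code or methodology: the blocklist is Table 1 from this page, while the character-swap map, the keyboard rows and the minimum run length of four are assumptions.

```python
import re

# Table 1 of this page (top 20 most compromised), lowercased, as a blocklist.
BLOCKLIST = {
    "123456", "123456789", "123465789", "12345678", "admin", "password",
    "12345", "000000", "qwerty", "1234567890", "aa123456", "1234567",
    "111111", "123123", "qwerty123", "abc123", "1q2w3e", "12345678910",
    "p@ssw0rd", "password1",
}
# Assumption: a small map of common character swaps; not taken from the page.
SWAPS = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o", "$": "s", "5": "s"})
# Keyboard rows plus the diagonal walk behind '1q2w3e' (assumed QWERTY layout).
WALKS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm", "1q2w3e4r5t6y")


def has_run(pw: str, n: int = 4) -> bool:
    """True if n consecutive characters step by +1, -1 or 0 (1234, dcba, 0000)."""
    codes = [ord(c) for c in pw]
    for i in range(len(codes) - n + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + n - 1)}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def has_walk(pw: str, n: int = 4) -> bool:
    """True if pw contains n adjacent keys from a keyboard row, either direction."""
    rows = WALKS + tuple(r[::-1] for r in WALKS)
    return any(r[i:i + n] in pw for r in rows for i in range(len(r) - n + 1))


def weak_patterns(password: str) -> list[str]:
    """Return the weak-password patterns from this page that `password` matches."""
    pw = password.lower()
    # Drop trailing digits/symbols, then undo swaps: 'Qwerty123!' -> 'qwerty'.
    base = re.sub(r"[^a-z]+$", "", pw).translate(SWAPS)
    found = []
    if pw in BLOCKLIST:
        found.append("blocklisted")
    elif base in BLOCKLIST:
        found.append("blocklisted-variant")
    checks = (("numbers-only", pw.isdigit()), ("letters-only", pw.isalpha()),
              ("simple-run", has_run(pw)), ("keyboard-pattern", has_walk(pw)))
    return found + [name for name, hit in checks if hit]
```

An empty result only means that none of these patterns matched; it is not a strength rating.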
Uswitch broadband expert, Max Beckett, provides his top tips to secure your online accounts and manage your passwords:
- Use a unique password for each online account.
“It’s tempting to recycle the same password across accounts, but if one is hacked, the rest could quickly follow. Ideally, each account should have its own unique password. At the very least, make sure your email has a strong, one-of-a-kind password, as it can be used to reset access to other services.
- Use a password manager.
“With so many websites requiring logins, remembering every password can be tricky. A password manager stores them securely and keeps everything organised. That way, you don’t have to remember if your Netflix login is different from your Amazon or Spotify password; the manager does it for you. If you prefer writing passwords down, that’s fine too, just keep the list somewhere secure, like a locked drawer or safe.
- Create a strong password.
“The National Cyber Security Centre recommends using three random words for a password[4]. The more unusual and unrelated, the better. Avoid predictable choices like birthdays, pets’ names, or football teams, as these can often be found on social media. Once you’ve set your password, you can test its strength online to make sure it’s robust enough to keep your account safe.
- Turn on two-factor authentication (2FA).
“Even the strongest password isn’t foolproof, so adding an extra layer of security is a smart move. Two-factor authentication requires an additional step, such as receiving a code on your phone, a fingerprint scan, or using an authenticator app, before you can log in. This makes it far harder for hackers to get in, even if they know your password.”