If you like using band names for Internet passwords, it might be best to go obscure: According to the U.K. government’s National Cyber Security Center, some of the web’s most-hacked passwords include “blink182,” “metallica,” “slipknot,” “eminem” and “50cent.”
Those five entries are included in the “global password risk list,” the top 100,000 as documented by NCSC and Have I Been Pwned’s Troy Hunt. (The list is available to download online.) Other vulnerable examples include several fictional characters (“superman,” “tigger,” “batman,” “pokemon”) and common names (“ashley,” “michael,” “daniel,” “jessica,” “charlie”), but the worst offenders lean toward obviousness and keyboard simplicity: “123456,” “123456789,” “qwerty” and “1111111.” The two numerical passwords were used by over 30 million hacking victims.
“We understand that cyber security can feel daunting to a lot of people, but the NCSC has published lots of easily applicable advice to make you much less vulnerable,” Dr. Ian Levy, NCSC’s technical director, said in a statement. “Password re-use is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band. Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.”
The survey was conducted on behalf of the NCSC, a part of Government Communications Headquarters and the Department for Digital, Media and Sport. The NCSC hopes to reduce the risk of security breaches by raising awareness of hackers’ methods.