IT Brief UK - Technology news for CIOs & IT decision-makers

UK users urged to boost digital safety as weak passwords prevail

Sun, 5th Oct 2025

New research has shown that a significant proportion of UK internet users are relying on easily guessed passwords, highlighting widespread vulnerability to cybercrime.

Analysis conducted by Uswitch Broadband has revealed that almost a quarter (24.8%) of commonly used passwords are made up of numbers only, while nearly half (49.2%) comprise letters alone. These simple constructions, often based on predictable names or common phrases, increase the risk of accounts being compromised by hackers.

Password weaknesses

The study found that keyboard patterns such as "qwerty" and straightforward numeric sequences are still widely used, despite ongoing efforts by technology providers and security advisors to encourage better practices. The password "123456" remains the most compromised, having appeared in over 132 million data breaches since 2007. It is rated as "very weak" by password management tool Bitwarden, which estimates it can be cracked by a computer in less than a second.

The next most compromised passwords include "123456789", which has featured in 45 million breaches, and "12345678", found in over 41 million breaches. Even small variations, such as "123465789", offer little additional security and are also found among the most frequently compromised access codes.

Other commonly used choices are "admin", "password", "000000", "qwerty", "123123", and patterns like "abc123". Personal names and football terms also appear regularly in password lists, with examples like "Daniel", "Ashley", "football", and "dragon" all considered highly vulnerable.

Insights from breach data

The Uswitch analysis, which drew on breach data from HaveIBeenPwned and the NordPass top 200 password list, established that passwords relying solely on letters or numbers are particularly insecure. An average numbers-only password from the list has been compromised more than 8.3 million times. Meanwhile, 14% of the passwords assessed were based on personal or common names, which were all rated "very weak" and prone to being cracked in under a second.

Special characters, often promoted as an important feature for security, were found in just 3.7% of the passwords reviewed. Even when present, they did not guarantee safety. Passwords such as "Qwerty123!", "P@ssw0rd", and "Qwerty1?" could be deciphered by automated tools in less than two seconds. One rare example of an improved password, "G_czechout", included a special character and would take a computer around four hours to crack, but it still appeared in over one thousand breach incidents.

Public concern and advice

The release of these findings comes as internet users in the UK demonstrate increased anxiety about digital security. Google has issued a warning to its 2.5 billion account holders advising them to update their login details amid reports of increased attacks. Online search engine queries in the UK for "what makes a strong password" have jumped by 133% in the past year, indicating greater public focus on protective measures.

"It's tempting to recycle the same password across accounts, but if one is hacked, the rest could quickly follow. Ideally, each account should have its own unique password. At the very least, make sure your email has a strong, one-of-a-kind password, as it can be used to reset access to other services."

This guidance comes from Max Beckett, a Broadband Expert at Uswitch, who outlined a series of steps individuals can take to improve their digital safety.

"With so many websites requiring logins, remembering every password can be tricky. A password manager stores them securely and keeps everything organised. That way, you don't have to remember if your Netflix login is different from your Amazon or Spotify password; the manager does it for you. If you prefer writing passwords down, that's fine too, just keep the list somewhere secure, like a locked drawer or safe."

Beckett also encouraged users to adopt a widely recommended approach for creating strong passwords.

"The National Cyber Security Centre recommends using three random words for a password. The more unusual and unrelated, the better. Avoid predictable choices like birthdays, pets' names, or football teams, as these can often be found on social media. Once you've set your password, you can test its strength online to make sure it's robust enough to keep your account safe.

"Even the strongest password isn't foolproof, so adding an extra layer of security is a smart move. Two-factor authentication requires an additional step, such as receiving a code on your phone, a fingerprint scan, or using an authenticator app, before you can log in. This makes it far harder for hackers to get in, even if they know your password."
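
The three-random-words approach relies on the words being drawn at random rather than chosen by the user. This added example (not code from Uswitch or the NCSC) picks them with a cryptographic random source and reports the size of the resulting search space; the 32-word list is a constructed sample and the function names are hypothetical.

```python
import math
import secrets

# Constructed 32-word sample so the example runs offline; a real list would
# hold thousands of words, which is what gives the passphrase its strength.
SAMPLE_WORDS = """
copper lantern walrus trombone glacier pepper saddle orbit
velvet thimble cactus harbour nutmeg pylon ferret anchor
marble kettle bison cobweb tundra pickle zipper mosaic
quartz banjo otter lagoon sprocket dahlia gazebo turnip
""".split()


def entropy_bits(pool_size: int, picks: int) -> float:
    """Bits of guessing work when each of `picks` symbols is uniform over the pool."""
    return picks * math.log2(pool_size)


def random_words(wordlist, n_words: int = 3, sep: str = "-"):
    """Return (passphrase, entropy in bits), drawing words with the OS CSPRNG."""
    # De-duplicate so the entropy figure reflects the number of distinct words.
    pool = sorted({w.strip().lower() for w in wordlist if w.strip()})
    if len(pool) < 2:
        raise ValueError("word list needs at least two distinct words")
    # Sampling with replacement keeps every pick independent and uniform.
    chosen = [secrets.choice(pool) for _ in range(n_words)]
    return sep.join(chosen), entropy_bits(len(pool), n_words)


if __name__ == "__main__":
    phrase, bits = random_words(SAMPLE_WORDS)
    print(f"{phrase}  ({bits:.1f} bits from a {len(SAMPLE_WORDS)}-word sample list)")
    print(f"six random digits: {entropy_bits(10, 6):.1f} bits")
```

The entropy figure only holds when the generator picks the words; words a person selects are far more predictable.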

Password table

The analysis provided a list of the twenty most compromised passwords in the UK, which includes well-known numeric runs and simple word-based choices. These passwords have appeared millions of times in publicly reported data breaches:

  • "123456" - 132,211,338 breaches
  • "123456789" - 44,509,169 breaches
  • "123465789" - 44,509,169 breaches
  • "12345678" - 41,952,538 breaches
  • "admin" - 36,037,720 breaches
  • "password" - 22,364,607 breaches
  • "12345" - 19,703,101 breaches
  • "000000" - 12,491,701 breaches
  • "qwerty" - 12,491,701 breaches
  • "1234567890" - 10,470,628 breaches
  • "Aa123456" - 9,562,573 breaches
  • "1234567" - 9,171,812 breaches
  • "111111" - 9,134,601 breaches
  • "123123" - 8,693,569 breaches
  • "qwerty123" - 6,653,804 breaches
  • "abc123" - 6,057,400 breaches
  • "1q2w3e" - 4,852,888 breaches
  • "12345678910" - 4,397,950 breaches
  • "P@ssw0rd" - 4,034,619 breaches
  • "password1" - 3,888,677 breaches
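
The finding that "P@ssw0rd" contains a special character yet sits in this list is why a signup check should test candidates against breach data instead of relying on character-class rules. This added example (not Uswitch's code) does both, using a hash-prefix lookup in the `SUFFIX:COUNT` shape of Have I Been Pwned's Pwned Passwords range query; the counts come from the table above, while the range response and all function names are constructed for illustration.

```python
import hashlib

# Counts copied from the article's table; the range response built from them
# is constructed locally so the example runs offline.
ARTICLE_COUNTS = {
    "123456": 132_211_338,
    "Aa123456": 9_562_573,
    "qwerty123": 6_653_804,
    "P@ssw0rd": 4_034_619,
}


def sha1_hex(password: str) -> str:
    # SHA-1 here is only the lookup key of the breach corpus, not password storage.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def composition(password: str) -> str:
    """Character-class bucket, mirroring the categories the analysis reports."""
    if password.isdigit():
        return "numbers-only"
    if password.isalpha():
        return "letters-only"
    if password.isalnum():
        return "letters+numbers"
    return "has-special"


def constructed_range(prefix: str) -> str:
    """Stand-in for a range lookup: 'SUFFIX:COUNT' lines for hashes under prefix."""
    hashes = ((sha1_hex(p), n) for p, n in ARTICLE_COUNTS.items())
    return "\n".join(f"{h[5:]}:{n}" for h, n in hashes if h.startswith(prefix))


def breach_count(password: str, fetch_range=constructed_range) -> int:
    """Send only the first 5 hex chars of the hash; match the remainder locally."""
    digest = sha1_hex(password)
    for line in fetch_range(digest[:5]).splitlines():
        suffix, _, count = line.partition(":")
        if suffix.strip() == digest[5:]:
            return int(count)
    return 0


def screen(password: str) -> dict:
    hits = breach_count(password)
    return {"composition": composition(password), "breach_count": hits,
            "reject_as_breached": hits > 0}


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd", "copper-walrus-thimble"):
        print(pw, screen(pw))
```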

Improving online security

Uswitch stated that none of the most common passwords identified should be used and that even passwords rated as "good" only offer marginally improved protection compared to the weakest examples. The current guidance is to use combinations of random, unrelated words and to take advantage of password management software and two-factor authentication for enhanced protection.
