Despite years of warnings from cybersecurity professionals, a recent study has revealed that British internet users continue to employ alarmingly weak passwords across their online accounts.
The annual review conducted by technology firm NordPass demonstrates that simple, easily guessable combinations remain the norm, presenting significant security vulnerabilities.
The research identifies “admin” as the most frequently used password in the United Kingdom, followed closely by the numerical sequence “123456”. Both represent fundamental security failures that provide minimal protection against unauthorised access. The findings suggest that public awareness campaigns regarding password security have achieved limited success in changing user behaviour.
Analysis of the top 20 most common passwords reveals a pattern dominated by obvious words, simple numerical sequences, and basic keyboard patterns. Variations of the word “password” account for five positions within this group, whilst straightforward numeric combinations such as “12345678” and “123456789” occupy an additional five places. This preference for simplicity extends beyond British borders, with users in Australia, the United States, and Germany similarly favouring “admin” as their primary password choice. Globally, “123456” emerges as the single most popular option.
Karolis Arbaciauskas of NordPass notes that the data reveals only marginal improvements in password hygiene despite sustained efforts in cybersecurity education. Compromised, weak, and reused passwords are responsible for approximately 80% of data breaches, he states, adding that criminals will continue to intensify their attacks until they encounter insurmountable obstacles.
The vulnerability of simple passwords stems from their susceptibility to dictionary attacks, a systematic method whereby hackers attempt to gain access by testing common words and their variations. Such passwords can typically be compromised within seconds. The situation is compounded by widespread password reuse, with research from Virgin Media O2 indicating that four out of five users employ identical or nearly identical passwords across multiple online accounts. This practice effectively provides hackers with a master key to numerous services once a single account has been breached.
Security experts recommend several measures to strengthen password protection. Passwords should be both lengthy and complex, either through the combination of three random words or by mixing alphanumeric characters with special symbols. Each account should have a unique password to prevent a single breach from compromising multiple services. Users are advised to immediately change any passwords that share similarities, prioritising critical accounts such as banking, email, workplace systems, and mobile services.
Password management tools offer a practical solution to the challenge of maintaining multiple complex passwords. Modern web browsers frequently integrate such functionality, with Apple providing iCloud Keychain and Android devices offering Google Password Manager. Both services can generate and securely store sophisticated passwords without requiring users to memorise them.
Two-factor authentication represents an additional security layer that should be implemented wherever available. This system requires users to provide secondary verification, typically through a code sent via text message, creating a significant barrier to unauthorised access even if passwords are compromised. Security professionals recommend activating two-factor authentication for all services that support the feature, particularly for email and financial accounts.
The persistent use of weak passwords occurs against a backdrop of increasing digital complexity, with many users managing login credentials for dozens of accounts. This proliferation of passwords has evidently led some to prioritise convenience over security, a calculation that leaves them vulnerable to increasingly sophisticated cyber attacks. The findings underscore the ongoing challenge faced by cybersecurity professionals in translating awareness into behavioural change amongst internet users.
