Despite the number of high-profile cybersecurity breaches, millions of people continue to use default or easy-to-guess passwords for work and personal accounts, leading to increased risk of security incidents, according to a Sunday report from the UK’s National Cyber Security Centre (NCSC).

The report uses the top 100,000 passwords from the Have I Been Pwned data set to determine which regularly used passwords have been hacked the most often.


Here are the most commonly used passwords revealed in data breaches, according to the report:

  1. 123456 (23.2 million)
  2. 123456789 (7.7 million)
  3. qwerty (3.8 million)
  4. password (3.6 million)
  5. 111111 (3.1 million)

Rounding out the top 10 most hacked passwords are 12345678, abc123, 1234567, password1, and 12345, the report found.

Other commonly used passwords revealed in breaches included the names ashley (432,276) and michael (425,291); the musicians blink182 (285,706) and 50cent (191,153); and the fictional characters superman (333,139), naruto (242,749), and tigger (237,290).

“Password re-use is a major risk that can be avoided–nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band,” NCSC technical director Ian Levy said in a press release. “Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.”

Password best practices

The report also surveyed 1,350 UK citizens about their cybersecurity practices. Only 15% said they know a great deal about how to protect themselves from harmful activity online, and 42% said they expect to have money stolen on the internet in the next two years.

While 80% of respondents agreed that cybersecurity is a high priority, 46% said information about how to be secure online is confusing, the report found.

Only about half of respondents said they always use a strong password for their main email account that is separate from the passwords for their other accounts, according to the report.

When it comes to creating a strong password, long, complicated options are not always best, according to the NCSC. One good option is to make your password three random words strung together, as this can be memorable for you, but difficult for someone to guess.
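The advice above, as an added example that is not part of the original article or the NCSC report: Python code that screens a password against the breached passwords named in this article and generates a three-random-word passphrase with the operating system's CSPRNG. The word list, the function names, the case-insensitive matching and the 10,000-word figure are assumptions made for illustration.

```python
import math
import secrets

# Passwords this article names as most common in breaches. A real deployment
# would load the full top-100,000 list the report is based on.
BREACHED = {
    "123456", "123456789", "qwerty", "password", "111111",
    "12345678", "abc123", "1234567", "password1", "12345",
    "ashley", "michael", "blink182", "50cent",
    "superman", "naruto", "tigger",
}

# Constructed sample word list, far too small for real use.
WORDS = ["coffee", "train", "fish", "wall", "tin", "shirt", "lamp", "river",
         "cloud", "pencil", "garden", "kettle", "sofa", "rocket", "window", "apple"]


def is_breached(password: str, denylist=BREACHED) -> bool:
    """True if the password is listed (assumption: ignore case and outer spaces)."""
    return password.strip().lower() in denylist


def three_random_words(words=WORDS, count=3) -> str:
    """Pick `count` distinct words with the OS CSPRNG and join them."""
    unique = sorted(set(words))
    if len(unique) < count:
        raise ValueError("word list too small")
    return "".join(secrets.SystemRandom().sample(unique, count))


def guess_space_bits(list_size: int, count: int = 3) -> float:
    """log2 of the number of ordered picks of `count` distinct words."""
    return math.log2(math.perm(list_size, count))


def new_passphrase(words=WORDS, denylist=BREACHED) -> str:
    """Generate a passphrase, retrying if it lands on the deny list."""
    while True:
        candidate = three_random_words(words)
        if not is_breached(candidate, denylist):
            return candidate


if __name__ == "__main__":
    print(new_passphrase())
    print(f"{guess_space_bits(len(WORDS)):.1f} bits with {len(WORDS)} words")
    # 10,000 is a hypothetical list size, shown for comparison only.
    print(f"{guess_space_bits(10_000):.1f} bits with 10,000 words")
```

The size of the word list, not the length of the words, sets how hard the passphrase is to guess, which is why the 16-word sample list here is only suitable for demonstration.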
