Worst Popular Passwords Include 'Eminem,' '12345'

It’s 2019, and yet millions of people around the world are still relying on unsafe (but easy to remember) passwords such as ‘123456’ and ‘password’ to protect their data, according to a new study by the UK’s National Cyber Security Centre (NCSC).

The NCSC analyzed 100,000 of the most commonly re-occurring passwords “accessed by third parties in global cyber breaches.” Take a look at the following chart to see the “main offenders” among the most-used (along with the number of times each popped up):

Based on how many people lock down their systems with ‘Eminem,’ ‘metallica,’ ‘50Cent,’ and ‘Slipknot,’ it’s clear there’s a hefty portion of the population that’s been re-using the same awful password since roughly 2003.

“We understand that cyber security can feel daunting to a lot of people, but the NCSC has published lots of easily applicable advice to make you much less vulnerable,” Dr. Ian Levy, NCSC Technical Director, wrote in a statement that accompanied the data.

Further attempting to hammer home the obvious, Dr. Levy added: “Password re-use is a major risk that can be avoided—nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favorite band.”

Many of the NCSC’s entries align with those on the annual “worst passwords” list generated by SplashData. Every year, it seems that ‘123456’ tops SplashData’s list, followed by several easy-to-guess numerical variations (‘12345678,’ ‘11111,’ and so on). ‘Qwerty,’ ‘football,’ ‘password1,’ and others are in too-frequent use.

Sysadmins and security experts can save users from themselves by implementing internal bans on certain easy-to-guess passcodes, but top-down security measures can often do only so much when it comes to protecting a company’s tech infrastructure. Every time another organization publishes a “bad password” list, it is stunningly clear that most users care more about convenience than ensuring they’re inputting only the most secure passwords. A security pro’s job is clearly never finished.