Once again, it’s 123456: the password that says ‘I give up’

The essence of most people’s regard for cybersecurity: we’re DOOMED.

That’s one of the key takeaways from the UK’s National Cyber Security Centre (NCSC), which released the results of its first ever UK cyber survey on Sunday, along with a list of the most craptacular passwords found most often in breached databases.

The findings were released ahead of the NCSC’s CYBERUK 2019 conference in Glasgow this week.

Some of those doomy gloomy findings: 70% of the 1,350 Brits surveyed between November 2018 and January 2019 believe they’re going to be cyber-pounced on sometime in the next two years, and it will put on some hurt, aka a “big personal impact.”

Many people – 37% – think that getting mugged online for money or personal details is inevitable these days. Losing money is the biggest concern, with 42% feeling it’s likely to happen by 2021. That’s not keeping them from buying stuff online, though: 89% are using the internet to make online purchases, and 39% say they do so on a weekly basis.

Although 80% said that cybersecurity is a “high priority,” that doesn’t mean that the doomed plan to do anything about it. In fact, some of the groups most likely to say it’s a priority are the least likely to take protective action. For example, older people – those aged 55-64 – are the likeliest to say it’s a high priority, and 16-24 year-olds are least likely to prioritize it. However, the youngsters are more likely to say they’re capable when it comes to cybersecurity, and they’re more likely to flip the switch on some protection.

Protective action like, say, these things, which these numbers of people are likely to do “always”:

  • Use password/passcode/PIN to unlock smartphones or tablets: 70%
  • Use a strong and separate password for main email account: 55%
  • Install the latest software and app updates once you notice that they are available: 46%
  • Check emails, texts or social media messages, including those from known contacts, to see whether they are genuine: 35%
  • Turn on and use two-factor authentication (2FA) for your main email account: 25%
  • Report any phishing emails by hitting the ‘Spam’ or ‘Report phishing’ button: 21%
  • Save passwords using a password manager on smartphone or tablet: 14%

Those and other security behaviors cited in the survey are typically more prevalent among 16-54 year olds, with drop off among those aged 55+. Besides being young, being well-heeled also helps, with affluent people reporting better security hygiene. The survey noted that regardless of age, there are also variations due to levels of internet usage and device ownership.

We can surmise that, as we’ve heard before, much of the turnoff comes from confusion. Almost half – 46% – of the people surveyed said that instructions about staying safe online are confusing.

Is “Confusion” a dEc3ntPassw0rd?

For years, “This is too hard!” has been the reason cited for why people use easy-to-remember passwords such as anniversaries, or their pets’ names, or, of course, one of the picks from the rogues’ gallery of the most frequently spotted passwords that turn up in breached databases.

The NCSC, in collaboration with Have I Been Pwned’s Troy Hunt, released a file containing his data set’s top 100,000 most commonly reoccurring breached passwords. You can download the full file here. If you spot any of your own passwords on that list, it’s imperative that you change it – whatever account(s) it’s supposed to be protecting are sitting ducks.

In that list, “123456” once again showed up at the tippity top, being found in use 23.2m times. While there’s nothing that whispers “I give up” quite as fervently as that one, No. 2 comes close: it was “123456789,” being found 7.7m times.

Also making their many, predictable appearances were these gnarly, old, easily guessables:

  • qwerty (3.8m)
  • password (3.6m)
  • 1111111 (3.1m)

Then too, there are names used as passwords: “ashley” took the cake as the most popular, appearing 432,276 times in breached databases. Liverpool won when it came to the most frequently found Premier League football team names, while blink182 won it for musician names. “Superman” showed up as the most common fictional character name.

These are all weak passwords, but you don’t have to use ones like this. Best practice is to combine upper/lowercase letters with digits and punctuation/special characters – make them as long and complex as possible.

And, of course, one password isn’t enough. You need to have a different password for each online account you have.

Nobody expects you to remember a grocery list worth of complicated passwords, and that’s why we believe in using password managers to create them and/or to store them all and fill them in.

Are those hard to use? Well, they’re more involved than “ashley,” but not beyond the grasp of most people – particularly if they fear getting victimized by cybercrime, which is a very wise thing to worry about.