Everyone should know which passwords suck. Do you?
You probably already know that a password like 123456 is bad. It’s so simple and predictable that even other humans can easily guess it. But do you know all the other passwords that are just as weak?
AI search analytics firm Peec AI recently looked at a small portion of stolen password data, dating from 2019 until now. And while its analysis yielded similar results to what security researchers have already uncovered from far larger amounts of data, the findings proved the point: people really suck at creating their own passwords.
In Peec AI’s slim data set of about 100 million unique passwords, common themes we’ve seen time and time again popped up once more:
Simple number strings: 123456 is always a top weak password—about 6.6 million in this data slice. Trailing behind is 123456789 at 2.2 million, with 111111 coming in at almost one million.
Easily guessed: Password, qwerty, and abc123 all came close to one million uses each.
Common names: English language speakers leaned most on familiar names, with this data’s top 10 coming in as Michael, Daniel, Ashley, Jessica, Charlie, Jordan, Michelle, Thomas, Nicole, and Andrew.
Four-digit years: 2013, 2010, and 1986 appeared the most frequently, with years in the 1980 range the most popular. Millennials likely haven’t changed old, outdated habits of adding a memorable number string to strengthen passwords.
Sports: People love football, baseball, and soccer. Soccer teams in particular get tapped for password duty: Liverpool, Chelsea, and Barcelona cropped up as often as 70,000 times.
Band names: Apparently this set of hacked accounts had a lot of blink-182 fans (84,000!). People’s tastes run the gamut, though, because Justin Bieber made this particular list.
Fictional characters: DC fans have strong representation in this data set, with Superman appearing 86,900 times. Batman came in second with over 50,000 uses.
Seasons: Everyone’s favorite time of year is apparently summer.
This chart shows how a fast consumer-grade PC could crack a password. Dedicated hackers can choose to devote more resources to their efforts.Hive Systems
Guessable and known passwords can be cracked fast by a computer, sometimes instantly if they’re particularly weak—and pretty much everything in the list above is. And usually, most people who use 123456 or michael will reuse passwords, which leaves them vulnerable to credential stuffing attacks, too. (That is, when an attacker will try your leaked or stolen username and password on other services.)
Security experts (and yours truly) recommend unique, random passwords for this reason. Ideally, you want a mix of lowercase and uppercase letters, numbers, and special characters. Switch to this style of password, and even a shorter eight-character one theoretically would force a hacker to spend years attempting to crack it.
Keeping track of unique strong passwords for dozens (or hundreds) of accounts is difficult, which is why a password manager comes in clutch. Different types exist, ranging from the simple but convenient services built into Google and Apple’s ecosystems, cloud-based providers like Dashlane and Bitwarden, and local apps that store an encrypted vault with all your details to a single device.
A password manager may sound less secure to some ears, but trust me—it’s a heck of a lot more secure than guessable words, phrases, or number strings as passwords. Even if they’re not common ones or the exact types found on this list, you’re still scraping the bottom of the security barrel. 
© 2025 PC World 3:05am  
|
|
|
|
|
