Over 24 billion usernames and passwords are up for grabs on cyber-criminal marketplaces and the amount of breached credentials is still rising as hackers take advantage of weak and re-used passwords.
Analysis by cybersecurity researchers at Digital Shadows found that there's been a 65% increase in usernames and passwords sold, traded or dumped in cyber-criminal forums and underground marketplaces.
Of the usernames and passwords available across hundreds of underground marketplaces, 6.7 billion were unique – up by a third when compared with previous analysis in 2020 – indicating that many usernames and passwords are being accessed and stolen multiple times, likely without the victim even being aware.
One reason for this trend is that many accounts use common or weak passwords, which cyber criminals can take over simply by guessing them.
The report says the most commonly leaked password is '123456', one of the simplest passwords around: it was found over 30 million times, accounting for 0.46% of all unique passwords, or nearly one in 20 of the total. There were also millions of instances of other simple passwords, including over 17 million cases of '123456789', over 10 million of 'qwerty', 10 million of '12345', and almost nine million that are simply 'password'.
The 10 most common passwords found in the data:
According to the Digital Shadows report, 49 of the 50 most commonly used passwords can be cracked in under one second using easy-to-use tools that are widely available on criminal forums, often free or sold for small sums. That means that if someone is using one of these passwords and hasn't yet been hacked, it isn't going to be hard for cyber criminals to do so.
"The top 50 is a mix of what you'd expect: almost all are incredibly weak, easily guessable, and related to something the user could easily remember," the researchers said.
"We saw strings of easily remembered numbers, like 123456 … and it's painful to admit that was the most common password. That password actually represented 0.46 percent of our total number of the 6.7 billion unique credentials."
The researchers noted that although a large share of these top passwords are probably used for mundane accounts, such as a TV or smart thermostat, they are also likely to be in wide use on more sensitive accounts.
One of the most common forms of cybersecurity advice is that users should use strong, unique passwords, but with so many common and weak passwords posted on underground marketplaces, it appears that the message isn't getting through. So why is this?
Passwords are complicated, and remembering long strings of letters and numbers is something we find hard. "We are not programmed that way – our brains don't work that way – so it is a hard and complex task for us," Stefano De Blasi, cyber-threat intelligence analyst at Digital Shadows, told ZDNet.
The number of different accounts is also a problem, as we're told it's good cybersecurity hygiene to use a different password for each one. But remembering many different passwords is hard, so many people choose convenience over security and reuse the same passwords.
"Cybersecurity should be important for everyone, but not everyone is concerned," said De Blasi.
An individual getting their account breached is damaging enough, but if the account is one that's used on a corporate network – or their corporate password is the same as a personal account that gets breached – that can leave whole businesses vulnerable to cyberattacks.
Cyber criminals could use that access not only to steal more usernames and passwords, but also to take sensitive information or financial details, or to plant malware or ransomware on the network.
Remembering passwords is difficult, but using a unique password for each account can go a long way towards helping to stay safe online. One of the simplest ways to do this is to use a password manager, which can generate and store complex passwords for you.
"Using password managers is the first step. They're super easy to set up. It takes really a second to have them generate a secure password and use that," said De Blasi.
But even if you do have strong passwords, the account isn't immune to being breached – it's possible that the credentials could be stolen in a phishing attack, taken in a cyberattack against a corporate network, or simply leaked by accident.
It is therefore important to set up multi-factor authentication (MFA) on any account that supports it, which provides an extra barrier against attacks that try to exploit exposed passwords.
And if a password is exposed or stolen, it is important to change it as soon as possible so that cyber criminals no longer have working access.
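As an added example, not taken from the article or from Digital Shadows, the following Python screens a password at sign-up the way the advice above implies: it rejects anything whose trivial variants appear in a breach corpus, stored in the k-anonymity prefix/suffix layout so a lookup never has to reveal the password itself. The corpus is constructed from the five passwords and approximate counts the article cites; the 5-character SHA-1 prefix length is an assumption borrowed from public breach-check services.

```python
import hashlib
import re

# Constructed sample corpus: the five passwords the article names, with the
# approximate counts it reports; a real check would load a full breach corpus.
LEAKED_CORPUS = {
    "123456": 30_000_000,
    "123456789": 17_000_000,
    "qwerty": 10_000_000,
    "12345": 10_000_000,
    "password": 9_000_000,
}

def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus: dict) -> dict:
    """Index as {5-char SHA-1 prefix: {35-char suffix: count}}: the k-anonymity
    range layout, where a client reveals only the prefix, never the hash."""
    index: dict = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index

def breach_count(password: str, index: dict) -> int:
    """Fetch the range for the prefix, then match the suffix locally."""
    digest = sha1_hex(password)
    return index.get(digest[:5], {}).get(digest[5:], 0)

def variants(password: str) -> set:
    """Variants cracking tools try first, e.g. 'Password123!' -> 'password'."""
    base = password.lower()
    return {password, base, re.sub(r"[\d\W_]+$", "", base)}

def screen_password(password: str, index: dict, min_len: int = 12):
    """Return (accepted, reason): reject short passwords and any whose
    trivial variants appear in the breach corpus."""
    if len(password) < min_len:
        return False, "shorter than %d characters" % min_len
    for v in sorted(variants(password)):
        hits = breach_count(v, index)
        if v and hits:
            return False, "'%s' seen %d times in breach data" % (v, hits)
    return True, "ok"

if __name__ == "__main__":
    idx = build_range_index(LEAKED_CORPUS)
    for pw in ("123456", "Password123!", "correct horse battery staple"):
        print(pw, "->", screen_password(pw, idx))
```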