Your password could be cracked in 17 seconds, experts warn on World Password Day

If your password is 123456, you are at serious risk. An email audit engine that analysed 4.3 terabytes of breached data sourced from Have I Been Pwned has found that this simple numerical sequence appears in nearly 210 million compromised accounts across the globe.

On World Password Day, security experts are calling on millions of Britons to abandon passwords that can be guessed within seconds.

Eight-character passwords cracked in 17 seconds

The scale of the threat is difficult to overstate. A report by Kaspersky found that any password consisting of eight characters or fewer can be cracked in as little as 17 seconds. For the vast majority of internet users, that level of vulnerability is the norm rather than the exception.

The world's most hackable passwords

The research reveals that the next most frequently exposed passwords after 123456 are 123456789 and 12345678 — variations that add negligible additional resistance to any cracking attempt. "Password" and "admin" round out the global top five, despite being the first guesses any attacker would typically attempt.

Beyond sequential numbers, popular names also feature heavily in compromised credentials. The most common names embedded in passwords are Daniel, Michael, Jessica, Thomas, and Michelle.

Fictional characters are similarly prevalent, with Superman, Naruto, Batman, Tigger, and Snoopy among the most frequently appearing. Liverpool Football Club features in 1.7 million exposed passwords, whilst rock band Blink-182 appears in 1.6 million.

Britain's password habits are even more concerning

NordPass's sixth annual report, which examined UK-specific password behaviour, suggests the problem is particularly acute closer to home.

Admin tops the British list, followed by 123456 and the word "password" itself. "Password1", "Fortnite21", and "qwerty123" also feature among the most common entries.

The database examined was substantial — equivalent in volume to 6,142 compact discs' worth of stolen credential data extracted from dark web leaks.

Data from 2025, but habits unchanged

Whilst the underlying data dates from 2025, experts caution that the majority of people have not updated their passwords in the intervening period. If any of the passwords listed above match one currently in use, security professionals advise changing it without delay.

Length matters more than complexity

The most effective defence is not complexity alone, but length. An eight-character password can be broken in 17 seconds, whereas a 12-character password incorporating a mixture of uppercase and lowercase letters, numbers, and symbols becomes exponentially more resistant to attack — offering a far more robust barrier against even sophisticated cracking tools.