123456 is, in the password world, about as lazy as it gets.

All passwords are certainly not created equal, and some are way more common – and predictable – than others.

Cybersecurity experts are urging people to update their ‘lazy’ passwords after analysing 19billion passwords exposed by data breaches.

‘We’re facing a widespread epidemic of weak password reuse,’ explainedNeringa Macijauskaitė, information security researcher at Cybernews.

‘Only 6% of passwords are unique, leaving other users highly vulnerable to dictionary attacks.’

‘Simple, predictable default’ passwords like, well, ‘Password’ were among the most common passwords the Cybernews team encountered.

‘Attackers, too, prioritise them, making these passwords among the least secure,’ Macijauskaitė said.

These are called ‘default’ passwords, in part, because many new bank cards, phones or routers have them as the pre-set password, making them especially easy to crack.

If they get access, cyber crooks can deploy nasty malware to gain control of your accounts or leapfrog around anywhere else you use that same password.

Names, footie teams and Batman – the words you should never use

But another worst offender is names. ‘We cross-referenced the dataset with the 100 most popular names of 2025 and found that there’s a whopping 8% chance for them to be included as part of a password,’ the researcher said.

Around 179million passwords had the name ‘Ana’ in them, amounting to 1%.

Pop culture names, while easy to recall, are equally ‘exploitable’ to hackers. They include: Mario (9.6million), Joker (3.1million), Batman (3.9million), Thor (6.2million), and Elsa (2.9million).

Swear words, however, aren’t a sure-fire way to stay secure, warned Macijauskaitė.

Millions of leaked passwords contained the word ass (165million), f**k (16million), s**t (6.5million), dick (3.2million), and b***h (3.2million).

‘Passwords containing profanity often originate from attempts at personalisation or memorability,’ added Macijauskaitė.

‘However, such terms are prevalent in attacker wordlists and pose a substantial risk to account security.’

Food, football team names and locations should also be avoided.

An average person has around 100 passwords for roughly 200 accounts, according to anti-virus software maker NordPass.

This is yet another problem, Macijauskaitė said: ‘If you reuse passwords across multiple platforms, a breach in one system can compromise the security of other accounts, creating a domino effect.

‘Even without any compromise, hackers can exploit common password patterns.’

What can make passwords act less like an unbreakable lock are cases.

Almost a third (27%) of passwords analysed consisted of only lowercase letters and digits, making them highly vulnerable to ‘brute-force attacks’.

This is when hackers systematically shove every possible combination into your login screen using an automatic software that rapidly generates guesses.

There’s also the risk of ‘credential stuffing’, when hackers obtain usernames and passwords that were leaked elsewhere and reuse them to log in.

Get in touch with our news team by emailing us at webnews@metro.co.uk.

For more stories like this, check our news page.