The UK’s latest list of most hacked passwords is as bad as you’d think

Names, soccer players, musicians and fictional characters make up some of the worst passwords of the year, according to the U.K. government’s National Cyber Security Center.

But nothing beats “123456” as the worst password of all.

It’s no shock to any seasoned security pro. For years, the six-digit password has been donned the worst password of all, given its wide usage. Trailing behind the worst password is — surprise, surprise — “123456789”.

The NCSC said more than 30 million victims use those two passwords alone, according to its latest breach analysis based off data pulled from Pwned Passwords, a website run by security researcher Troy Hunt, who also runs breach notification Have I Been Pwned.

“We understand that cyber security can feel daunting to a lot of people, but the NCSC has published lots of easily applicable advice to make you much less vulnerable,” said Dr. Ian Levy, NCSC’s technical director. “Password re-use is a major risk that can be avoided — nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favorite band.”

Weak passwords are a problem. Not only can they be easily guessed by bots trying to break into your account, they can be easily cracked if they’re ever stolen from the company in a data breach. Weak passwords are often the default credentials on Internet of Things devices, making it easy for botnets to quietly break into your smart devices and hijack them for nefarious purposes.

What can you do about it?

TechCrunch has several free security guides you can read to put you on the right path. Setting yourself up with a password manager is the first big step. Password managers generate and securely store your passwords so you don’t have to remember each one. Then, you should set up two-factor authentication, as adding an additional barrier on top of your password makes it even tougher for the most determined malicious hacker to break into your accounts.

It doesn’t take long to get secure. Take an hour out of your day and get started.