All of them, as well as most of the 195 other most-common passwords listed, take fewer than two seconds to crack, the site states. More than 100 million accounts used "123456" as a password last year.
Among females, passwords such as "sunshine" "iloveyou" and "princess" are more ubiquitous; whereas the men tend to more often use such passwords as "baseball," "football," and "dragon."
"To me that says that the awareness, even at the basic password level, needs to be a real continued focus to make sure people understand what appropriate passwords look like," said Deron McElroy, regional chief for the Cybersecurity and Infrastructure Security Agency (CISA).
However, passwords are still only a first line of defense these days, and people should add three other layers of online protection to minimize their exposure to risk, McElroy said.
These include using multi-factor authentication, keeping software up to date, and being vigilant about phishing attempts (links, texts, or phone calls that attempt to get you to give up your password or other personal information).
"For the general public and mom-and-pop businesses … cybersecurity can be kind of a new and maybe abstract concept in some ways, because it's just not something they focus on all the time," McElroy told The Epoch Times.
"So, if you think about the analogy of the 1940s, 1950s, how many people locked their doors? It was just easier to get in and get out. Keep your garage door open because it was cooler at night and helped cool down that side of the house.
"We are kind of to the point where, cybersecurity-wise, we're out of the times when we can afford to be insecure because it's not neighborhood by neighborhood where the criminals are—it is global access to the internet and global access to your online presence."
1) Strong PasswordA strong password is ultimately a "very good tool," says McElroy. Using password managers such as LastPass or 1Password that generate random passwords and store passwords can be a smart choice and preferable to most in-built browser options, McElroy said.
He advises against using the same password for multiple accounts.
For years, large company databases have been hacked, with millions of usernames, passwords, and personal information stolen. Many times this information is sold to the highest bidder on the dark web, McElroy said.
If a bad actor has your email address and password for one account, it makes it easier for them to access other accounts.
People have input emails and passwords on so many sites over the years that they have perhaps forgotten or lost track of which companies have their information, including credit card numbers.
2) Multi-Factor AuthenticationAround 80 percent of breaches are caused by weak or reused passwords, according to previous years reports by Verizon. But corporate data breaches—which are outside users' control—can reveal tomes of Americans' personal information, which can be devastating.
Two-factor authentication, or multi-factor authentication (MFA) can shore up both of these issues by adding a layer of online protection.
MFA requires the user to login with their username and password, but then requires another form of verification that the user must have in hand—for example, a verification code sent to the user via email or text, a code generated by an authentication app, or a fingerprint scan on your phone.
This means a hacker can't simply break into your account if a data breach reveals your username and password.
In the 2017 Equifax data breach, 147 million people's information was stolen, including names, emails, birthdates, social security numbers, passport photo, driver's license information, and in 200,000 cases, credit card information.
Other data breaches have hit Yahoo!, LinkedIn, Facebook, and First American Financial Corp., the largest U.S. title insurance provider.
Banking data, health care records, online stores, mortgage data, and retirement accounts are all ripe targets, McElroy said. But, so are social media accounts, he warned.
"Social media can be a huge, huge dump of information that can be leveraged to, let's say, reset your password."
MFA has been around for years, but is underutilized by the masses as an extra layer of online protection—largely because it takes a little more time and can be inconvenient. However, smartphones have streamlined the process in recent years.
Getting past the inconvenience is "a mentality," McElroy said. "It takes a lot longer to try to recover that [stolen] money—if you're even successful."
Setting up MFA can usually be done by selecting that option in the Settings portion of the website or social media account you're wanting to protect.
3) Update SoftwareSoftware updates often close security loopholes and should be downloaded as soon as possible, McElroy said.
"Those patches, those updates for your software are making, by and large, your computer more secure,'' he said.
"It's really important to do those when they come out, because that is literally closing backdoors into your computer."
Ransomware operators are constantly trying to find those backdoors, McElroy said.
A ransomware attack most often occurs when a bad actor sends a benign-looking link to a person or business and when the user clicks the link, malware then locks and encrypts the data. The attacker then demands a payment to unlock and decrypt the data.
4) Be AwareEnticing you to click a link that unleashes malware or gives the bad actor access to your account is one of the most common ways attackers gain entry to personal information.
"Think before you click," said McElroy.
"Bad guys are going to use fear, uncertainty, and doubt to try to get you scared enough to click a link and trust that the social security administration needs to suspend your account, or something like that."
One of the "oldest tricks in the book" is to fool a user into thinking their account has been compromised via an email that includes a link to reset a password.
"The other thing that they've been doing is they will call you up out of the blue and say, 'Something's wrong with your account, I'm going to send you a text,'"McElroy said.
"And that text comes to your phone. And they say, 'Can you read that text to me?'
Once you read that verification code to them, they've bypassed your MFA and gained access to your account, he said.
If you're not sure if a call is legitimate, hang up and call the company using the number provided on official paperwork, the company website, or the back of your credit card.
"It can potentially save people their life savings," McElroy said. "Be a hard target"
If you think your online accounts or information have been exposed, the first thing to do is to reset your password. If you're unable to do that, contact the business or provider.
If you've had money stolen, contact your bank and the FBI's cyber division.