Defense

This weekend at BSIDES London it was great to have the UK National Cyber Security Centre (NCSC) (the UK’s technical authority on cyber security) give a talk about passkeys!

I’m not going to repeat all of the talk’s points, but essentially a key challenge we have in the cyber security world is that many, many incidents involve credential theft.

One really important point highlighted in the talk is that people tend to have a ‘MyFavePassw0rd!’, a favourite password.

If you have worked with me, follow me on social media or have talked to me about cyber security, you will probably have heard me talk about passwords (and how bad they are) a lot! As a community, as an industry, we know passwords are a major problem.

Now a good question here is why people are so bad at setting passwords, and why they don’t do what all the nerds do and just use password managers, hardware tokens and MFA all the things? Because change is hard and it’s not convenient. But passkeys kind of change that. They are easy to set up, easy to use and largely ‘just work’.

So let’s use an LLM to investigate why people have a favorite password.

GROK PROMPT: can you show me research into how people tend to have a favorite password

Research into How People Tend to Have a "Favorite" Password

Research into password habits consistently shows that many people rely on a small set of "favorite" passwords — often reused across multiple accounts with minor variations. These are typically based on personal, memorable elements like pet names, birthdays, favorite numbers, or simple sequences. This behavior stems from convenience but significantly increases security risks.

Key Findings from Studies

High Rates of Password Reuse: A majority of users reuse passwords despite awareness of risks.
  85% of users worldwide reuse passwords across multiple sites (Bitwarden World Password Day Survey, 2025).
  Up to 94% of leaked passwords show reuse or duplication (CinchOps analysis of 19 billion passwords, 2025).
  Nearly one in five Americans reuse the same password across accounts (Security.org, 2024-2025 report).
Common "Favorite" Elements: Passwords often incorporate personal information for memorability.
  About 25% include personal details like names, birthdays, or pet names.
  Sequences like "123456" remain the most common globally, crackable in seconds (NordPass Top 200 Most Common Passwords, 2025).

Psychological Reasons for "Favorite" Passwords

Convenience and Cognitive Load: Humans can reliably remember only a limited number of complex items, leading to reuse of familiar patterns to reduce mental effort.
Familiarity Bias: Users prefer emotionally significant elements (e.g., pet names or loved ones' details), which feel unique but are predictable.
Fear of Forgetting: The primary driver of reuse is avoiding loss of access.
Overconfidence: Many believe simple tweaks (e.g., adding "1") make passwords secure.

Common "Favorite" Passwords

Analyses of leaked data reveal persistent weak patterns:

Globally: "123456" (most common, used millions of times).
Variations: "password", "admin", keyboard patterns.
Themes: Pet names, sports terms, or simple modifications like "P@ssw0rd".
These habits persist despite high awareness — over 90% know reuse is risky, yet most continue due to the security-convenience tradeoff.

Recommendations

To mitigate risks:

Use password managers for unique, complex passwords.
Enable multi-factor authentication (MFA).
Avoid frequent forced changes, which encourage weaker habits (per NIST guidelines).

Cited Research Reports

NordPass Top 200 Most Common Passwords (2025): https://nordpass.com/most-common-passwords-list/
Bitwarden World Password Day Global Survey (2025): https://bitwarden.com/resources/world-password-day/
Specops Software Breached Password Report (2025): https://specopssoft.com/our-resources/most-common-passwords/
Security.org Password Manager Industry Report (2024-2025): https://www.security.org/digital-safety/password-manager-annual-report/
CinchOps Password Leak Study (2025): https://cinchops.com/password-leak-study-unveils-alarming-2025-trends-94-of-passwords-reused/
LastPass Psychology of Passwords Reports (various years): https://www.lastpass.com/resources/reports/psychology-of-passwords

Key takeaway for me here is:

These habits persist despite high awareness — over 90% know reuse is risky, yet most continue due to the security-convenience tradeoff.

This mirrors my real world experiences. Cyber/Security nerds have to go out of their way to change their default human behaviors, but most people do not do this.
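To make the "simple tweaks" point concrete from the defender's side, here is an added example (mine, not from the talk or the LLM output above) of the kind of normalisation a password-change check can do: it peels appended digits, years and punctuation off a candidate and undoes leet-speak, so "P@ssw0rd1" is recognised as the blocklisted "password" and "MyFavePassw0rd!2" as a re-dressed "MyFavePassw0rd!". The blocklist and the sample passwords are constructed for the demo.

```python
import re

# Constructed blocklist for the demo: the weak bases the post's sources name
# ("123456", "password", "admin") plus a few other well-known favourites.
BANNED_BASES = {"123456", "password", "admin", "qwerty", "letmein", "welcome"}

# Character swaps people use to "strengthen" a favourite word (P@ssw0rd, adm!n).
LEET = str.maketrans("@43!10$57", "aaeiiosst")

def base_form(pw: str) -> str:
    """Reduce a password to the memorable base word the user started from.

    Repeatedly peels off leading/trailing punctuation, a trailing year and a
    1-3 digit counter (so "Pass!1" and "Pass1!" both collapse), then undoes
    leet-speak swaps. All-digit passwords are left alone so "123456" is not
    shredded into an empty string.
    """
    s = pw.lower()
    prev = None
    while s != prev:
        prev = s
        s = re.sub(r"^[^a-z0-9]+", "", s)                          # leading symbols
        s = re.sub(r"[^a-z0-9]+$", "", s)                          # trailing symbols
        s = re.sub(r"(?<=\D)(?:(?:19|20)\d{2}|\d{1,3})$", "", s)   # year / counter
    return s.translate(LEET) if re.search(r"[a-z]", s) else s

def is_weak_variant(pw: str, banned=BANNED_BASES) -> bool:
    """True when the password is just a dressed-up member of the blocklist."""
    return base_form(pw) in banned

def same_family(old_pw: str, new_pw: str) -> bool:
    """True when a 'new' password is the old favourite with a minor tweak."""
    return base_form(old_pw) == base_form(new_pw)

if __name__ == "__main__":
    # Constructed sample submissions, not real credentials.
    for pw in ["P@ssw0rd1", "Admin2025!", "123456", "Qwerty!!", "CorrectHorseBatteryStaple"]:
        print(f"{pw:28} base={base_form(pw):26} weak={is_weak_variant(pw)}")
    print("same family:", same_family("MyFavePassw0rd!", "MyFavePassw0rd!2"))
```

The same normalisation is what makes a blocklist check (the approach NIST favours over forced rotation) actually bite on the variants people really submit.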

Final Thoughts of the Day

So, the battle to change behaviors is a very challenging one, but if we had passkeys everywhere, we might just be able to do that without people really noticing.

We need to dive deeper into passkeys, but I’ll save that for another day! The key thing here is that new guidance is going to appear in this space in the near future! So thanks to Dave C (and team): you delivered a great talk and some hope for the future. Maybe one day passwords will no longer be a problem!