The slightly more dynamic password "123456789" was used by 7.7 million, while three million opted for the words "qwerty" and "password".
Names Ashley and Michael were common, followed by Daniel, Jessica and Charlie.
Sports nuts might want to be careful with popular English Premier League teams Liverpool, Chelsea, Arsenal and Manchester United high on the list, while American football powerhouse the Dallas Cowboys ("cowboys1") was the most used NFL team.
The top 10 most common passwords were:
1. 123456
2. 123456789
3. qwerty
4. password
5. 111111
6. 12345678
7. abc123
8. 1234567
9. password1
10. 12345
The National Cyber Security Centre says it's best to steer away from the generic words such as "iloveyou", which just missed the top 10 most common list, and opt for "random but memorable" terms to reduce the risk of being hacked.
"Password re-use is a major risk that can be avoided — nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band," the centre's technical director Ian Levy said in a statement.
"Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can't guess your password."