A list of the most popular passwords of 2015 reveals the high number of people who continue to compromise their own cyber security, an expert has said.

The list, compiled by Splash Data from more than two million leaked passwords, revealed the two most popular passwords had not changed since 2011.

The password “123456” remains the most popular, followed by “password”.

• The hackers are winning. Here’s how to stop them
• What happens to your online life when you die
• The fool-proof guide to staying secure online

“Football”, “welcome”, “login” and “abc123” were included on the list of 25 most popular passwords for 2015.

Newcomers included “starwars” and “solo”, coinciding with the release of Star Wars: The Force Awakens.

Other favourites include “dragon”, “monkey”, “let me in”, and the numbers one to nine.

Click the owl for the full list 

According to Matthew Warren, professor of information security at Deakin University, the top of the list has barely changed over the past 30 years.

“Historically, since the 80s, the top passwords have been very similar,” he said.

“It shows how users haven’t learnt from history, or their experiences.”

He said information on cyber security awareness was hard to find, so the habits of people were not changing.

Try using a random password.

“Children aren’t taught at schools about choosing secure passwords, and you have to visit government websites to get the information,” he said.

Three-tier authentication is key

For anyone who finds their password on the list, Professor Warren suggests a three-tier authentication approach: a username, more complex password, and a form of biometric authentication.

He said biometric authentication was becoming more common with mobile phones, but people were still reluctant to take the extra step.

The biometric system uses unique, individual characteristics for authentication, including fingerprints and retina scans.

Professor Warren said longer passwords made no difference if they were based on simple, obvious patterns.

“People just use a string of numbers from one to nine; people always do the simplest thing,” he said.

He also recommended using a mix of upper-case and lower-case characters, and punctuation such as commas and question marks.

“None of those sort of passwords appear in the list. The list is all plain text or simple numeric strings, simple passwords, or people pretending to be superheroes,” he said.