Cybercriminals are using increasingly devious scams to con internet users into revealing precious online information. Yet millions of people have saved fraudsters the bother of deploying trickery and temptation by picking bizarrely simple passwords that feature on a new hotlist of online security howlers.

One of them, for example, is “password”.

Simply typing in the word has allowed fraudsters to gain access to a staggering 3.6 million accounts worldwide, according to a comprehensive review by the National Cyber Security Centre.

However, it was far from the most common password to gift them easy access. Some 23.2 million people used “123456” as their password, only to find their code was cracked. Another 3.8 million were caught out using “qwerty” - the first six letters on the top left of a standard keyboard.

The worrying lapses in online security emerge in a review of the top 100,000 passwords to be unlocked by online fraudsters, carried out by the NCSC - part of the GCHQ intelligence agency. Using favourite names, football teams, bands and fictional characters also exposed millions to hacking. The advice from the centre is simple - using three random words as a password should keep your information safe.

It comes with evidence that British internet users are seriously concerned about the prospect of being defrauded online. More than two-fifths (42%) expect to lose money through internet fraud by 2021, according to the first “UK cybersurvey” carried out by the NCSC.


While 89% use the internet to make online purchases, with 39% doing so on a weekly basis, only 15% said they know a great deal about how to protect themselves from harmful activity. A third said they relied on friends and family for advice. Fewer than half do not always use a strong, separate password for their email account.

Data on compromised passwords was obtained from global breaches that are already in the public domain, having been sold or shared by hackers. Favourite names, sports teams and musicians also cropped up hundreds of thousands of times among the top hacked passwords.

Some 432,276 accounts used the name “ashley”, while “michael” was used 425,291 times. Football fans also allowed their love for their club to lower their defences. The password “liverpool” was breached 280,723 times, “chelsea” 216,677 times and “arsenal” 179,095 times.

Bands were another weak spot. While “blink182” may seem like a strong password, 285,706 people had it breached. As for comic characters, “superman” was the most popular, with 333,139 hacked accounts using it.