Still Using ‘123456’? 2025 Study Reveals the World’s Weakest Passwords
In 2025, users continue to rely on the most elementary password combinations to protect their accounts. A study by Comparitech, based on the analysis of more than two billion real passwords leaked on data breach forums throughout the year, revealed that the most common passwords have remained unchanged for years — the perennial leaders are “123456,” “admin,” and “password.”
The company’s analysts compiled a list of the 100 most frequently used passwords. The top ten are dominated by familiar numerical sequences: “123456,” “12345678,” “123456789,” “admin,” “1234,” “Aa123456,” “12345,” “password,” “123,” and “1234567890.” The most popular combination, “123456,” appeared in the dataset more than 7.6 million times, while the hundredth entry, “minecraft,” appeared roughly 70,000 times—not including an additional 20,000 instances spelled with a capital letter.
Approximately one-quarter of the top thousand passwords consist entirely of digits. Nearly 39% include the sequence “123,” while 2% feature the reverse “321.” The string “abc” appeared in 3.1% of cases. Among minimalist passwords, notable examples include “111111” (ranked 18th) and even “****” (35th). Almost 4% of all popular combinations contain the words “pass” or “password,” 2.7% include “admin,” 1.6% feature “qwerty,” and 1% contain “welcome.”
The report also highlighted nationally themed examples, such as “India@123,” which ranked 53rd in frequency. Researchers noted that while such combinations may appear less predictable, they remain easily guessable.
When analyzing password length, experts identified a worrying trend: 65.8% of passwords contain fewer than twelve characters, 6.9% are shorter than eight, and only 3.2% exceed sixteen characters. Meanwhile, the ninth most popular password, “123,” is just three digits long, and the fifth, “1234,” has only four.
Researchers warn that modern cracking tools can compromise weak passwords within seconds. Short combinations are easily brute-forced, while reusing the same password across multiple sites leaves accounts vulnerable to credential-stuffing attacks using stolen login data.
A secure password should be at least twelve characters long, incorporating upper- and lowercase letters, numbers, and special symbols, while remaining as random and pattern-free as possible. Two-factor authentication further strengthens protection, preventing unauthorized access even if the password itself is compromised.
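An added example, not taken from the Comparitech study or the original article: a Python check that a signup or password-change form could run to reject candidates matching the weak patterns reported above (top-ten entries, digits-only strings, the recurring substrings, and lengths under twelve). The function names `audit_password` and `summarise` are assumptions made for this illustration.

```python
import re
from collections import Counter

# Top ten passwords as listed in the article (compared case-insensitively).
TOP_TEN = {"123456", "12345678", "123456789", "admin", "1234",
           "aa123456", "12345", "password", "123", "1234567890"}
# Substrings the study found recurring in popular passwords.
WEAK_SUBSTRINGS = ("123", "321", "abc", "pass", "admin", "qwerty", "welcome")
MIN_LENGTH = 12  # minimum length recommended in the article
# The four character classes the article recommends combining.
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def audit_password(candidate: str) -> list[str]:
    """Return the reasons a candidate is weak; an empty list means none found."""
    reasons = []
    lowered = candidate.lower()
    if lowered in TOP_TEN:
        reasons.append("top-ten password")
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than 12 characters")
    if candidate.isdigit():
        reasons.append("digits only")
    if candidate and len(set(candidate)) == 1:
        reasons.append("single repeated character")
    for fragment in WEAK_SUBSTRINGS:
        if fragment in lowered:
            reasons.append(f"contains '{fragment}'")
    missing = sum(1 for pattern in CLASSES if not re.search(pattern, candidate))
    if missing:
        reasons.append(f"missing {missing} of 4 character classes")
    return reasons


def summarise(passwords: list[str]) -> Counter:
    """Count how often each weakness appears across a list of candidates."""
    tally = Counter()
    for password in passwords:
        tally.update(audit_password(password))
    return tally
```

An empty result only means none of these specific patterns matched; it does not show the password is unused elsewhere or absent from breach data.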
The study’s methodology was based on the collection of leaked data sets from online forums and Telegram channels. To ensure accuracy, researchers cross-referenced the leaks with public breach reports or verified the date of compromise directly with the source. Only data confirmed to originate from 2025 was included, and all personal information was anonymized. The final ranking was compiled by counting the frequency of each unique password within the cleansed dataset.