Most common passwords of 2025
Password habits are still concerning researchers: according to the latest analysis, users still often opt for weak passwords like ‘123456’, ‘admin’, and ‘password’.

Comparitech researchers gathered over two billion real account passwords leaked on data breach forums in 2025 to create a list of the most common passwords.
According to the results, the top 10 most-used passwords are:
- 123456
- 12345678
- 123456789
- admin
- 1234
- Aa123456
- 12345
- password
- 123
- 1234567890
The top result, “123456”, appeared 7.6 million times, followed by “12345678”, observed 3.6 million times.
Some of the other common passwords included variations of the word “password” like Pass@123, P@ssw0rd, and Pass@1234, as well as the usual abcd1234, qwerty123, and Aa123456.
Common words and names were also typically observed, such as “minecraft”, “welcome”, “gin”, and “root”. The word “minecraft”, for instance, appeared almost 70,000 times, plus another 20,000 times with the alternative casing “Minecraft”.
The researchers note a concerning trend: one-quarter of the top 1,000 passwords consisted solely of numbers, with 38.6% containing the typical “123” and 3.1% containing “abc”.
Many commonly used passwords also consisted of a single repeated character, like “111111”, which was ranked the 18th most used, followed by “********” at the 35th spot. Perhaps more surprisingly, “India@123” was the 53rd most common password.
In total, 65.8% of the analyzed passwords consisted of fewer than 12 characters, while 6.9% had fewer than 8 characters. It’s advised that any password consist of at least 12 to 14 characters, but 16 or more is recommended.
A strong password contains a combination of uppercase letters, lowercase letters, numbers, and symbols. It should follow no obvious pattern, so that it does not fall to a brute force attack.
For instance, according to a table created by Hive Systems to show how easy it would be to brute force a password, a 12-character password containing numbers, upper and lowercase letters, and symbols would take an attacker 3bn years to crack. If your password is made up of 16 characters, that value jumps to 94qd years.
In turn, if your password consists only of numbers, in most cases, the compromise will be instant. And yet, the more random characters you add – even if just numbers – the less likely an attacker is to brute force your password. For example, even if your password contains only numbers but 16 of them, it would take a cybercriminal 2k years to figure it out. A 12-character number-only password, by contrast, would take just three months.
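The patterns reported above can be turned into a screening check at password-set time. The following is an added example, not code from Comparitech, Hive Systems, or Cybernews; the function names are hypothetical, the denylist holds only passwords named in this article, and the bit count is a simple character-pool estimate, not the method behind the Hive Systems table.

```python
import math
import string

# Passwords named in the article: the top 10 plus some of the variants it lists.
COMMON = {"123456", "12345678", "123456789", "admin", "1234", "Aa123456",
          "12345", "password", "123", "1234567890", "Pass@123", "P@ssw0rd",
          "Pass@1234", "abcd1234", "qwerty123", "minecraft", "welcome", "root"}
COMMON_LOWER = {p.lower() for p in COMMON}  # match "Minecraft" as well
MIN_LENGTH = 12  # lower bound of the 12-to-14-character advice


def search_space_bits(password: str) -> float:
    """log2 of the brute-force search space for the character classes used."""
    pool = 0
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


def screen(password: str) -> list[str]:
    """Return the reasons to reject a candidate; an empty list means accepted."""
    reasons = []
    lowered = password.lower()
    if lowered in COMMON_LOWER:
        reasons.append("on the most-common list")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        reasons.append("digits only")
    if len(set(password)) == 1:
        reasons.append("single repeated character")
    if "123" in lowered or "abc" in lowered:
        reasons.append('contains "123" or "abc"')
    return reasons


if __name__ == "__main__":
    # Constructed candidates; the last one is a made-up 16-character sample.
    for pw in ("123456", "111111", "India@123", "0" * 16, "tQ7#vLp2&xWz9!Rk"):
        print(f"{pw!r}: {search_space_bits(pw):.1f} bits, {screen(pw) or 'accepted'}")
```

The bit estimates reproduce the ordering in the figures quoted above: 12 digits gives a smaller search space than 16 digits, which in turn is smaller than 12 characters drawn from all four classes.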
“The strength of your password is not everything, however. Every password should be unique so that it cannot be used in credential stuffing attacks. When possible, users should enable two-factor authentication to prevent account takeovers even if a password is compromised,” Comparitech researchers note.