- Most-used password was “123456,” appearing about 7.6 million times, followed by “12345678” (3.6 million uses), and other weak choices such as “admin,” “password,” and easily recognizable patterns like “Aa123456” and “12345.”
- Most analysed passwords fall short of recommended security standards—65.8% were under 12 characters, and nearly 7% had fewer than 8 characters.
Despite years of warnings from cybersecurity experts, poor password habits remain widespread and worrisome, according to the latest findings from Comparitech.
The firm’s 2025 analysis, which examined over two billion real passwords leaked on data breach forums this year, reveals that millions of users continue to rely on easily guessed combinations—posing a significant risk for both individuals and the organisations they access.
The data shows the most-used password was “123456,” appearing about 7.6 million times, followed by “12345678” (3.6 million uses), and other weak choices such as “admin,” “password,” and easily recognisable patterns like “Aa123456” and “12345.”
Variations of common words and names, like “minecraft,” “welcome,” and “root,” also featured prominently, with “minecraft” alone being used nearly 90,000 times in various forms.
List of the Top 10 most-used passwords in 2025:
- 123456
- 12345678
- 123456789
- admin
- 1234
- Aa123456
- 12345
- password
- 123
- 1234567890
Researchers found alarming trends within the data:
- 25 per cent of the top 1,000 passwords consisted solely of numbers.
- 38.6 per cent contained the sequence “123,” and 3.1 per cent included “abc.”
- Weak passwords made up of a single repeated character, like “111111” and “********,” ranked among the most common.
Most analysed passwords fell short of recommended security standards—65.8 per cent were under 12 characters, and nearly 7 per cent had fewer than 8 characters. Security experts generally advise passwords be at least 12–14 characters—16 or more is optimal—and include a mix of uppercase, lowercase, numbers, and symbols to thwart brute-force attacks.
Comparitech cited Hive Systems research indicating that a 12-character password using a blend of numbers, letters, and symbols would take an attacker three billion years to crack, whereas a 16-character complex password could take up to 94 quadrillion years.
In stark contrast, a password made up only of numbers can often be compromised instantly unless it is extended to 16 digits, at which length it could take a cybercriminal roughly 2,000 years.
Best practices for secure passwords:
- Use at least 12–14 characters (16+ preferred)
- Mix uppercase, lowercase, numbers, and symbols
- Avoid obvious patterns or common phrases
- Opt for unique passwords on each site
- Enable two-factor authentication wherever possible
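As an added example (not code from Comparitech or the original article), the Python below screens a candidate password against the patterns reported above: the top-10 list, the 12-character minimum, digits-only passwords, a single repeated character, the “123” and “abc” sequences, and missing character classes. The function names and finding labels are assumptions, and the sample passwords are constructed; uniqueness across sites and two-factor authentication cannot be checked this way.

```python
import re

# The ten most-used passwords listed in this article.
TOP_10 = {"123456", "12345678", "123456789", "admin", "1234",
          "Aa123456", "12345", "password", "123", "1234567890"}
MIN_LENGTH = 12  # lower bound of the 12-14 character advice
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def audit_password(candidate: str) -> list[str]:
    """Return finding labels (hypothetical names); an empty list means no finding."""
    findings = []
    if candidate in TOP_10:
        findings.append("top10")
    if len(candidate) < MIN_LENGTH:
        findings.append("too_short")
    if re.fullmatch(r"[0-9]+", candidate):
        findings.append("digits_only")
    if candidate and len(set(candidate)) == 1:
        findings.append("single_repeated_char")
    lowered = candidate.lower()
    for seq in ("123", "abc"):
        if seq in lowered:
            findings.append(f"contains_{seq}")
    # Count which of lowercase, uppercase, digit and symbol are absent.
    missing = sum(1 for cls in CHAR_CLASSES if not re.search(cls, candidate))
    if missing:
        findings.append(f"missing_{missing}_char_classes")
    return findings


def summarize(candidates) -> dict[str, int]:
    """Count how often each finding occurs across a batch of candidates."""
    counts: dict[str, int] = {}
    for pw in candidates:
        for finding in audit_password(pw):
            counts[finding] = counts.get(finding, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample input, not taken from any leak.
    samples = ["123456", "111111", "Aa123456", "vK7#pL2!qZ9@wX4$"]
    for pw in samples:
        print(pw, audit_password(pw))
    print(summarize(samples))
```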
Comparitech’s researchers stress that password complexity alone is not a guarantee. “Every password should be unique so that it cannot be used in credential stuffing attacks. When possible, users should enable two-factor authentication to prevent account takeovers even if a password is compromised,” the analysis concluded.
As digital threats evolve, security experts warn that organizations must continue to educate users—and enforce robust password and authentication protocols—to avert breaches and protect both personal and business data.