The most-used passwords of 2025 are also the most insecure

Last updated: 11/11/2025
  • New 2025 analysis of 2+ billion leaked credentials shows that the most popular passwords are trivially guessable.
  • Combinations like 123456, 12345678, 123456789, admin, and password appear in millions of breached accounts.
  • Common patterns persist: numeric-only strings, keyboard sequences, and simple words dominate, with many passwords under 12 characters.
  • Security experts push unique, long passwords, MFA, password managers, and passkeys (FIDO2) to curb account takeovers.

Common passwords and security risks

It may feel convenient to log in with something simple like 123456 or password, but in 2025 that convenience comes with a steep cost: the most-used passwords are also the easiest for attackers to crack. Breach data shows that millions of accounts rely on overly predictable choices.

A large-scale review of more than 2 billion leaked credentials circulating on criminal forums this year confirms the trend: the passwords people pick most often are precisely the ones that fall first to automated tools. The evidence, compiled by independent security researchers and outlets including Comparitech, underscores a stubborn reliance on weak, reusable logins.

What the 2025 breach data reveals

Across the files examined, numeric sequences and generic words dominate. Topping the global list, the string “123456” appears in roughly 7,618,192 exposed accounts, followed by “12345678” at 3,676,487 and “123456789” at 2,866,100. Frequently seen words include “admin” (1,987,808) and “password” (1,082,010), which remain perennial favorites despite years of warnings.

  • 123456: 7,618,192 appearances
  • 12345678: 3,676,487 appearances
  • 123456789: 2,866,100 appearances
  • admin: 1,987,808 appearances
  • password: 1,082,010 appearances
  • 111111: 326,154 appearances
  • admin123: 306,343 appearances
  • minecraft: 69,464 appearances (notably placed at the tail end of the top 100)

These choices are not just common; they are highly predictable under brute-force and dictionary attacks. Once a single weak password is uncovered, attackers frequently try it elsewhere, making credential stuffing a fast path to more account takeovers.

Patterns that make passwords easy to guess

Analysts found that among the most frequently used passwords, about one in four are purely numeric, reflecting a bias toward ease of typing and memory over security. That convenience mindset fuels widespread reuse and keeps attack success rates uncomfortably high.

Beyond plain numbers, recurring building blocks show up again and again: roughly 38.6% include the sequence “123”, while around 2% use descending numbers such as “321”. Simple letter runs are common too, with about 3.1% containing “abc”, and keyboard patterns like “qwerty” still in circulation.

Common words are another weak spot. Variants of “pass” or “password” appear in about 3.9% of the most-used logins, “admin” shows up in roughly 2.7%, and “welcome” in about 1%. These terms are among the first things automated cracking tools try.

How short and simple passwords fall in seconds

Length and complexity matter. In the datasets reviewed, around 65.8% of exposed passwords are under 12 characters, and approximately 6.9% have fewer than 8. Only about 3.2% exceed 16 characters, leaving the vast majority vulnerable to speedy guessing and cracking.

Short, repetitive strings like “123” and “1234” show up millions of times, which means they are preloaded into attackers’ dictionaries. Combined with widely available breach data, these patterns enable criminals to compromise new accounts in seconds and then leverage password reuse to pivot into email, social networks, and even banking portals.

Practical ways to protect your accounts

Experts continue to recommend a layered approach: adopt long, unique, and complex passwords for every account, and turn on multi-factor authentication (MFA) wherever available to blunt the impact of a stolen password.

  • Create passwords that are 12+ characters and mix uppercase/lowercase letters, numbers, and symbols.
  • Avoid personal info such as names, birthdays, or common phrases.
  • Enable two-step verification (authenticator app or hardware key preferred).
  • Use a reputable password manager to generate and store unique credentials.
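The patterns and recommendations above, turned into a sign-up screening check. This is an added example, not code from the article or its sources; `screen_password`, `has_digit_run`, and the reason labels are hypothetical names, and the digit-run check generalizes the article's "123" and "321" to any three consecutive ascending or descending digits.

```python
import re

# Top entries as listed in the article (appearance counts omitted).
TOP_LEAKED = {"123456", "12345678", "123456789", "admin", "password",
              "111111", "admin123", "minecraft"}
# Building blocks the article reports inside the most-used passwords.
COMMON_FRAGMENTS = ("abc", "qwerty", "pass", "admin", "welcome")
MIN_LENGTH = 12  # the article's "12+ characters" advice
CLASSES = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
           "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}
DIGITS = "0123456789"


def has_digit_run(pw, run_len=3):
    """True if pw holds run_len consecutive ascending or descending digits
    ("123", "321", and by generalization "456", "987", ...)."""
    for step in (1, -1):
        streak = 1
        for prev, cur in zip(pw, pw[1:]):
            in_run = (prev in DIGITS and cur in DIGITS
                      and ord(cur) - ord(prev) == step)
            streak = streak + 1 if in_run else 1
            if streak >= run_len:
                return True
    return False


def screen_password(candidate):
    """Return the reasons a candidate is weak; an empty list means none found."""
    pw = candidate.lower()  # leaked-list and fragment checks ignore case
    reasons = []
    if pw in TOP_LEAKED:
        reasons.append("top-leaked")
    if len(candidate) < MIN_LENGTH:
        reasons.append("too-short")
    if candidate.isdigit():
        reasons.append("numeric-only")
    if has_digit_run(pw):
        reasons.append("sequence")
    reasons += [f"contains:{frag}" for frag in COMMON_FRAGMENTS if frag in pw]
    missing = [name for name, rx in CLASSES.items() if not re.search(rx, candidate)]
    if missing:
        reasons.append("missing:" + ",".join(missing))
    return reasons


if __name__ == "__main__":
    # Constructed sample candidates, not taken from any breach corpus.
    for sample in ("123456", "Admin123", "Welcome2025!Home", "Vz7#kQ9!mT2$wLp"):
        print(f"{sample!r}: {screen_password(sample) or 'no findings'}")
```

The third sample is long and mixes all four character classes, yet is still flagged for containing "welcome", which is why a fragment check belongs alongside length and complexity rules.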

Looking ahead, passkeys based on the FIDO2 standard offer a more resilient alternative to passwords. They rely on cryptographic keys tied to your device and authenticate with biometrics or a local PIN. Because only a public key is shared with websites, even a site breach won’t expose a reusable secret, making phishing and credential reuse much harder.

While adoption of these safer sign-in methods is growing unevenly across regions and services, the guidance remains consistent: move away from common, short, and reused passwords, and pair strong credentials with MFA or passkeys to reduce the risk of account compromise.

The evidence from 2025 is clear: the world’s most-used passwords are also the most insecure. Popular choices like 123456, admin, and password continue to dominate breach logs, and familiar patterns make them trivial to guess. Choosing longer, unique credentials and enabling strong second factors are straightforward steps that dramatically lower the odds of a successful attack.
