Even in 2025 — an era where artificial intelligence can create music, identify deepfakes, and forecast cyber threats — password security continues to be an issue for individuals. A recent study conducted by the cybersecurity firm Comparitech highlights that common passwords have not changed significantly over the past ten years, with “123456,” “admin,” and “password” maintaining their positions at the top of the global list.
The report assessed over two billion real passwords leaked on data breach forums throughout this year, revealing a concerning trend: despite the rise in cybercrime and ongoing awareness campaigns, countless individuals remain dependent on easily compromised credentials.
Password Usage Trends
According to Comparitech, nearly one in four of the top 1,000 passwords consists solely of numbers, with 38.6 per cent incorporating “123” and 2 per cent opting for “321.” Sequences such as “abc” appeared in over 3 per cent of all compromised credentials. Traditional weak choices like “111111,” “1234,” “password,” “admin,” and “qwerty” are still prevalent, alongside simple, friendly words like “welcome.” Gamers are also among the offenders; “minecraft” is listed as the 100th most frequently used password, surfacing nearly 70,000 times.
Regional Variations in Password Strength
The study also uncovered a regional trend: “India@123” ranked 53rd globally, demonstrating that incorporating local elements into passwords does not necessarily enhance their security.
Short Passwords as a Vulnerability
Short passwords present the most significant vulnerability. Almost two-thirds of all compromised passwords contained fewer than 12 characters, with many even falling below eight. The ninth-most frequent password, “123,” is merely three digits long. The report cautions that short passwords are particularly vulnerable, as modern cracking tools can generate billions of guesses every second.
The Risks of Reusing Weak Passwords
Weak passwords compromise more than just individual accounts. Once hackers obtain one leaked password, they often try it across various platforms, a technique known as credential stuffing. Consequently, a single password like “123456” could potentially provide access to email, banking, and streaming accounts simultaneously.
Recommendations for Stronger Password Habits
Researchers from Comparitech encourage users to cultivate better password practices: employ passwords that are at least 12 characters long, combining upper and lowercase letters, numbers, and symbols. Every account should utilize a distinct password, and implementing two-factor authentication (2FA) remains one of the simplest and most effective forms of protection.
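The sketch below is an added example, not code from Comparitech or the article: it screens a candidate password against the patterns the report describes and shows why “India@123” passes a character-mix rule yet still fails. The blocklist is a constructed sample of the passwords named above, and the guess rate of one billion per second and the function names are assumptions.

```python
import string

# Passwords the article names; constructed sample standing in for a full breach list.
NAMED_IN_ARTICLE = {"123456", "admin", "password", "111111", "1234", "123",
                    "qwerty", "welcome", "minecraft", "india@123"}
SEQUENCES = ("123", "321", "abc")  # sequences the report counted
MIN_LENGTH = 12                    # minimum length the article recommends
GUESSES_PER_SECOND = 1e9           # assumption: low end of "billions of guesses"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def exhaust_seconds(pw):
    """Worst-case time to try every string of this length over the same alphabet."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in pw))
    if any(ch not in "".join(CLASSES) for ch in pw):
        alphabet += 95  # assumption: count spaces/non-ASCII as one more class
    try:
        return float(alphabet) ** len(pw) / GUESSES_PER_SECOND
    except OverflowError:  # very long passwords exceed float range
        return float("inf")


def audit(pw):
    """Return the rules from the article that this password violates."""
    findings = []
    lowered = pw.lower()
    if lowered in NAMED_IN_ARTICLE:
        findings.append("named-common")  # falls to a wordlist, not brute force
    if len(pw) < MIN_LENGTH:
        findings.append("short")
    if pw.isdigit():
        findings.append("digits-only")
    findings += ["sequence:" + s for s in SEQUENCES if s in lowered]
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("123", "qwerty", "India@123", "correct-Horse-7-battery"):
        years = exhaust_seconds(candidate) / (365 * 24 * 3600)
        print(f"{candidate!r:28} {years:10.3g} years  {audit(candidate) or 'ok'}")
```

The exhaustive-search figure is only an upper bound: “India@123” would take years to brute-force at the assumed rate, but because it appears on the common-password list a wordlist reaches it almost immediately, which is why the blocklist check runs alongside the length rule.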
The firm created its 2025 dataset by compiling leaked credentials from Telegram channels and dark web forums, ensuring their authenticity and removing personal data prior to analysis.
The takeaway, though well known, is disheartening: while hackers continue to advance in their techniques, the majority of users have made little to no progress. Experts advise that if a password still contains “123,” it is certainly time for a reset.






