"123456," "admin," and "password" Still Dominate Most Popular Passwords in 2025

Despite years of cybersecurity warnings, the passwords "123456," "admin," and "password" remain among the most commonly used combinations, according to new research from Comparitech analyzing over two billion passwords leaked in 2025.

Same Bad Habits, Different Year

Comparitech specialists examined passwords distributed on hacking forums, Telegram channels, and other platforms throughout 2025. The results show that cybersecurity education has made little impact on user behavior—simple, predictable passwords continue to dominate.

The "leaders" list includes not only classics like "admin" and "password" but also numeric sequences from 1 to 9. Newer variations have also cracked the top 100, including "Aa123456" in sixth place and "Aa@123456" in thirteenth place.

Users frequently combine letters from the keyboard's top row (qwerty) with numbers, creating variants like "1q2w3e4r." Simple, short, common words also appear frequently—the password "gin" ranked 29th, while "minecraft" appeared 69,464 times in the dataset.

Analysts attribute these findings to human laziness in online security practices.

Key Statistics from the Comparitech Report:

• 25% of the 1,000 most popular passwords consist solely of digits
• 38.6% contain the digit sequence "123" (another 2% contain "321")
• 3.1% of passwords contain the letter sequence "abc"
• Many common passwords consist of a single repeated character (for instance, "111111" ranks 18th, while "********" ranks 35th)
• 3.9% of the 1,000 most common passwords contain some variation of "pass" or "password"
• 65.8% of analyzed passwords were shorter than 12 characters, with only 3.2% containing 16 characters or more

Why This Matters

"Modern password-cracking programs easily handle simple combinations," the study's authors warn. "Popular passwords are guessed instantly, and overly short ones are cracked quickly using brute-force methods."

Security Recommendations

Specialists recommend using biometric passkeys instead of passwords where possible. When passwords are necessary, follow these guidelines:

Minimum requirements:

• At least 12 characters long
• Combination of lowercase and uppercase letters
• Numbers and symbols included

Better option: Long passphrases

Passphrases are easier to remember and harder to crack. Simply adding one character to a long passphrase significantly reduces the risk of compromise.

For example, instead of: icantbelievewerestilltellingyouthis

Use: icantbelievewerestilltellingy0uthis (replacing "o" with "0")

Key Takeaway

This research reveals that password security remains a critical weak point in cybersecurity. While the technology and tools to protect accounts have advanced significantly, user behavior has not kept pace. The persistence of passwords like "123456" and "password" in 2025 demonstrates that convenience continues to outweigh security concerns for many users—a vulnerability that attackers actively exploit.

Organizations should prioritize implementing passwordless authentication methods like biometric passkeys or hardware security keys to remove the weakest link: human password selection.