‘India@123’ enters global password list as weak security habits persist



Even in 2025 — a time when artificial intelligence can compose symphonies, detect deepfakes, and predict cyberattacks — humans continue to lag behind when it comes to passwords. A new study by cybersecurity firm Comparitech reveals that the internet’s favorite passwords haven’t evolved much in a decade, with “123456,” “admin,” and “password” still topping the global charts. 

The report analyzed over two billion real passwords leaked on data breach forums this year, exposing a worrying trend: despite soaring cybercrime and repeated awareness campaigns, millions still rely on credentials that hackers can crack in seconds. 

According to Comparitech, nearly one in four of the top 1,000 passwords is made up purely of numbers, while 38.6 percent contain “123” and 2 percent use “321.” Alphabetical runs like “abc” appear in over 3 percent of all leaked credentials. Predictable classics such as “111111,” “1234,” “password,” “admin,” and “qwerty” continue to dominate, joined by friendly words like “welcome.” Even gamers are guilty — “minecraft” ranked as the 100th most common password, appearing nearly 70,000 times. 

The study also found a regional twist: “India@123” ranked 53rd globally, proving that adding a local touch doesn’t make a password more secure. 

Short passwords remain the biggest weak spot. Almost two-thirds of all leaked passwords had fewer than 12 characters, and many had fewer than eight. The ninth-most common password, “123,” is just three digits long. “Short passwords fall the fastest,” the report warns, noting that modern cracking tools can make billions of guesses per second.

Weak passwords don’t just endanger single accounts. Once hackers obtain one leaked credential, they reuse it across multiple platforms — a tactic known as credential stuffing. This means that a single “123456” could potentially unlock someone’s email, banking, and streaming accounts all at once. 

Comparitech’s researchers urge users to adopt stronger habits: use passwords at least 12 characters long, combining upper and lowercase letters, numbers, and symbols. Each account should have its own unique password, and adding two-factor authentication (2FA) remains one of the simplest and most effective defenses. 
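
The weaknesses the report describes can be screened for when a password is set. The sketch below is an added example, not code from Comparitech or from the original article; the function name `screen_password`, the reason labels and the small blocklist (built only from passwords quoted in this article) are assumptions. It shows that “India@123” satisfies every character-class rule and is still rejected.

```python
import re

# Constructed blocklist: only the passwords quoted in this article.
# A real deployment would load a much larger breached-password list.
COMMON = {"123456", "admin", "password", "111111", "1234", "qwerty",
          "welcome", "minecraft", "india@123", "123"}

# Runs the report singles out as especially frequent.
SEQUENCES = ("123", "321", "abc")

# Minimum length recommended in the report.
MIN_LENGTH = 12

# Lowercase, uppercase, digit, symbol: the four classes the advice names.
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def screen_password(candidate: str) -> list[str]:
    """Return the reasons to reject a password; an empty list means it passes."""
    reasons = []
    lowered = candidate.casefold()
    if lowered in COMMON:
        reasons.append("common")
    if len(candidate) < MIN_LENGTH:
        reasons.append("short")
    if re.fullmatch(r"[0-9]+", candidate):
        reasons.append("numeric-only")
    for seq in SEQUENCES:
        if seq in lowered:
            reasons.append(f"sequence:{seq}")
    if any(not re.search(pattern, candidate) for pattern in CLASSES):
        reasons.append("missing-classes")
    return reasons


if __name__ == "__main__":
    # The last entry is a constructed sample, not taken from the report.
    for pw in ("123456", "India@123", "minecraft", "Tr4verse-Lantern+Quay"):
        print(f"{pw!r}: {screen_password(pw) or 'ok'}")
```

Composition rules alone would accept “India@123”; the blocklist, length and sequence checks are what catch it.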

The firm built its 2025 dataset by aggregating leaked credentials from Telegram channels and dark web forums, verifying their authenticity and removing personal data before analysis. 

The takeaway, though familiar, is sobering: while hackers keep evolving, most users haven’t changed at all. If your password still includes “123,” experts say, it’s well past time for an upgrade. 


