Seven years since our first top 200 common passwords list, we’ve witnessed how credential trends have changed — and what has remained the same. Each year, we rediscover people’s tendency to opt for weak passwords that prioritize convenience over security.
However, this year, we decided to ask ourselves: How do different generations treat their password use? From the silent generation to the “zoomers,” we analyzed which passwords are the most common among different user groups. As it turns out, bad password habits are trendy no matter how old you are.
It’s very valid. The password dumps they’re analyzing aren’t based on attackers brute-force, they’re based on attackers breaching sites’ backends and dumping the user databases. Some of these are sites with millions of records, and when you look at credential-stuffing lists (which are aggregate lists of currently-accessible accounts using previously-breached credential pairs), it adds millions more.
Sort this list by year, and you can see there’s tens of millions of leaked passwords in 2025 alone: https://haveibeenpwned.com/PwnedWebsites
That makes sense, thank you.