Seven years since our first top 200 common passwords list, we’ve witnessed how credential trends have changed — and what has remained the same. Each year, we rediscover people’s tendency to opt for weak passwords that prioritize convenience over security.

However, this year, we decided to ask ourselves: How do different generations treat their password use? From the silent generation to the “zoomers,” we analyzed which passwords are the most common among different user groups. As it turns out, bad password habits are trendy no matter how old you are.

  • rekabis@lemmy.ca · 4 points · 1 hour ago (edited)

    Am I unreasonably disappointed to not find “Correct Horse Battery Staple” - or some variation thereof - in that list?

  • Sibbo@sopuli.xyz · 15 points · 4 hours ago

    Always make sure to pick a popular password, people; you don’t want your hacker to think you are a special snowflake.

    • smeg@feddit.uk · 6 points · 3 hours ago

      Can’t run the risk of being fingerprinted, privacy and anonymity first!

  • SanctimoniousApe@lemmings.world · 2 points · 2 hours ago

    Methodology

    The Top 200 Most Common Passwords report is the result of a joint effort between NordPass and NordStellar, prepared in collaboration with independent researchers specializing in cybersecurity incidents. Recent public data breaches and dark web repositories were analyzed from September 2024 to September 2025 to identify statistically aggregated data. No personal data was acquired or purchased for this research.

    Okay, so how valid is this really if they’re only using those passwords that were hacked?

    • t3rmit3@beehaw.org · 4 points · 44 minutes ago

      It’s very valid. The password dumps they’re analyzing aren’t based on attackers brute-force, they’re based on attackers breaching sites’ backends and dumping the user databases. Some of these are sites with millions of records, and when you look at credential-stuffing lists (which are aggregate lists of currently-accessible accounts using previously-breached credential pairs), it adds millions more.

      Sort this list by year, and you can see there’s tens of millions of leaked passwords in 2025 alone: https://haveibeenpwned.com/PwnedWebsites

  • thingsiplay@beehaw.org · 11 points · 5 hours ago

    Looking at the different countries is also funny. The only password I’m not surprised about is admin, because that’s probably the default for most devices maybe? Unless user changes it manually.

    But my question is, are these only “hacked” passwords? Because those who are not hacked, you don’t know what passwords they have. So this is a bit of bias here, right?

    • t3rmit3@beehaw.org · 3 points · 37 minutes ago

      But my question is, are these only “hacked” passwords? Because those who are not hacked, you don’t know what passwords they have. So this is a bit of bias here, right?

      No, that’s not how these are obtained. Password dumps are from attackers breaching a site’s user database and dumping their credentials, usually by phishing administrators’ logins. Attackers aren’t brute-forcing passwords anymore except on a one-off, very rare basis. Here’s a list of publicly-known password dumps, and you can see details about where they came from: https://haveibeenpwned.com/PwnedWebsites
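      The two t3rmit3 comments above describe where the list comes from: breached user databases and credential-stuffing aggregates, not brute-force guessing. The defender-side consequence is that a password’s weakness is best judged by whether it already appears in that breach data, rather than by composition rules. The following Python is an added example, not code from the thread or from NordPass or Have I Been Pwned; it uses a small constructed corpus (the counts are invented, not real dump statistics) and a local `range_lookup` stand-in for the Pwned Passwords range endpoint, so it runs offline. It shows the k-anonymity pattern that endpoint uses: only the first five hex characters of the SHA-1 leave the client, and the suffix comparison happens locally.

```python
import hashlib
from collections import Counter

# Constructed, illustrative breach corpus (NOT real dump data): password -> times seen.
# Stands in for the aggregated dumps the comments describe; a real deployment would
# query the Pwned Passwords range API or a locally downloaded copy of its hash list.
CONSTRUCTED_CORPUS = Counter({
    "123456": 5_000_000,
    "12345678": 1_200_000,
    "qwerty": 900_000,
    "admin": 750_000,
    "password": 600_000,
})


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the representation the Pwned Passwords data set uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Counter) -> dict:
    """Partition the corpus by the first five hex chars of each SHA-1, the way the
    range API does. Returns prefix -> {suffix: count}."""
    index: dict = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_CORPUS)


def range_lookup(prefix: str) -> dict:
    """Local stand-in (assumption) for GET /range/{prefix}: returns every
    (suffix, count) pair sharing the prefix. The server side only ever sees the
    5-character prefix, never the full hash or the password."""
    return RANGE_INDEX.get(prefix, {})


def breach_count(password: str) -> int:
    """How many times the password appears in breach data (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # The suffix comparison is done client-side, which is the k-anonymity property.
    return range_lookup(prefix).get(suffix, 0)


def evaluate(password: str, min_length: int = 12) -> tuple:
    """Defender-side policy decision: anything seen in breach data is rejected
    outright, regardless of whether it satisfies digit/symbol composition rules;
    otherwise only a minimum length is enforced."""
    seen = breach_count(password)
    if seen:
        return ("reject", f"seen {seen} times in breach data")
    if len(password) < min_length:
        return ("reject", f"shorter than {min_length} characters")
    return ("accept", "not found in breach data")


if __name__ == "__main__":
    for candidate in ("123456", "admin", "P@ssw0rd!", "a-long-unusual-phrase-99"):
        print(candidate, "->", evaluate(candidate))
```

      The point of the `evaluate` ordering is that a breached password is rejected before any other rule runs: "P@ssw0rd!" would satisfy a typical "one digit and one special character" requirement and still be a poor choice if it sat in the corpus. In a real deployment the prefix query goes over HTTPS to the range endpoint and the returned suffix list is compared locally, exactly as `breach_count` does here against the in-memory index.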

      • thingsiplay@beehaw.org · 2 points · 11 minutes ago

        Ah right, that makes sense. I know that site, but didn’t think of it. I know, not the smartest in the town.^^

        I also wonder if people do more secure passwords for important services. Or do they treat it the same? My parents always used their birthday as password, so they do not forget it. Which is not much more secure than 1234.

    • Creat@discuss.tchncs.de · 3 points · 2 hours ago

      Thankfully this isn’t allowed for new devices being sold in the EU anymore. They are required to have a per-device individual password now. Hopefully this effectively causes the practice to at least become much less common globally. After all, if you’ve set up the needed manufacturing steps, there’s little sense in skipping them depending on a target region.

    • smeg@feddit.uk · 3 points · 3 hours ago

      You didn’t fill in the survey when the password inspector sent you that email? Rude!

  • IninewCrow@lemmy.ca · 12 points · 5 hours ago

    Top 3 are still the same from previous years

    1. 12345
    2. 123456
    3. 12345678

    It’s official: “123456” has once again claimed the controversial title of the world’s most common password — and one of the weakest. That marks six out of seven years this password has topped our chart.

    • akwd169@lemmy.sdf.org · 4 points · 2 hours ago

      Most places force you to put a number and a special character in there now; the number of places you can get away with just a word for a password is dwindling.

  • bryndos@fedia.io · 3 points · 4 hours ago

    do they account for the circumstances?

    most public wifi login pages get: u: [email protected] p: qwerty

    from me.

    I assume those types of services get breached all the time and no one cares. I think they just want plausible deniability on acceptable use of the wifi.