The tech information platform Comparitech has found in its latest research that 123456 remains the most commonly used password in 2025, underscoring the continuing need for greater cybersecurity awareness among users worldwide. The research team analyzed over 2 billion real account passwords collected from data leak forums in 2025 and found that a significant number of users still choose dangerously weak passwords.
In June 2025, the world was rocked by an unprecedented password leak crisis, with a massive breach involving 16 billion sets of passwords—marking it as the second largest password leak in history, surpassed only by the record-breaking leak of 26 billion records in 2024.
The report indicates that the top ten most common passwords are 123456, 12345678, 123456789, admin, 1234, Aa123456, 12345, password, 123, and 1234567890. Among these, 123456 has been used a staggering 7.6 million times, significantly outpacing the other passwords. Notably, minecraft, the name of the game, ranks 100th, appearing nearly 70,000 times, while the capitalized form Minecraft appears close to 20,000 times.
According to Verizon's 2025 Data Breach Investigations Report, only 3% of passwords globally meet the complexity requirements set by the National Institute of Standards and Technology (NIST), highlighting the urgent need for better password security. Another data analysis revealed that the password admin was compromised 53 million times in previous leaks, while password reached 56 million occurrences, indicating a significant lack of awareness regarding security measures among both businesses and individuals.
The analysis results also indicate that among the top 1,000 most commonly used passwords, a quarter are composed entirely of digits, while as many as 38.6% of passwords contain the numeric string 123. Correspondingly, 3.1% of passwords include the letter string abc. Many prevalent passwords consist only of repeated characters, such as 111111 ranking in 18th place, and **** coming in at 35th.
Common words and phrases also pose significant security risks. Among the 1,000 most popular passwords, 3.9% contain pass or its variants, while 2.7% include variations of admin. These easily guessable combinations let attackers break into accounts with little effort.
Experts generally recommend that passwords be at least 12 characters long to significantly reduce the risk of being hacked. However, studies show that 65.8% of passwords are currently shorter than 12 characters, and 6.9% are shorter than 8 characters. For instance, the 9th-ranked password, 123, contains only 3 characters, while the 5th-ranked 1234 has just 4.
Additional research data further underscores the severity of the issue, revealing that 88% of compromised passwords are fewer than 12 characters long, while 81% of corporate hacking incidents stem from weak or reused passwords. Even more concerning is that 94% of users tend to reuse the same password across multiple accounts, significantly increasing the risk of credential stuffing attacks.
Nowadays, password-cracking technology can easily break weak passwords, while common simple passwords are often predictable. In contrast, strong passwords are nearly impossible to crack. Experts recommend that a strong password should contain at least 12 characters and combine uppercase and lowercase letters, numbers, and symbols to avoid recognizable patterns and enhance security.
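
The weakness categories the report measures (length, digits-only, 123 and abc substrings, repeated characters, pass and admin variants) can be applied as a screen when a user sets a password. The following is an added example, not code from Comparitech; the flag names, the substitution map used to catch variants, and the sample list are assumptions made for illustration.

```python
import re
from collections import Counter

# The ten passwords the article lists, lowercased. Stand-in for a real breach deny-list.
TOP_TEN = {"123456", "12345678", "123456789", "admin", "1234",
           "aa123456", "12345", "password", "123", "1234567890"}
# Assumed substitution map so that "P@ssw0rd" or "adm1n" count as variants.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s",
                      "0": "o", "3": "e", "1": "i", "!": "i"})
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

def weakness_flags(password):
    """Return the set of weakness flags that apply to one password."""
    low = password.lower()
    plain = low.translate(LEET)  # used only for the word checks
    flags = set()
    if len(password) < 8:
        flags.add("under_8_chars")
    if len(password) < 12:
        flags.add("under_12_chars")
    if re.fullmatch(r"[0-9]+", password):
        flags.add("digits_only")
    if "123" in low:
        flags.add("contains_123")
    if "abc" in low:
        flags.add("contains_abc")
    if len(password) > 1 and len(set(password)) == 1:
        flags.add("single_repeated_char")
    if "pass" in plain or "admin" in plain:
        flags.add("pass_or_admin_variant")
    if low in TOP_TEN:
        flags.add("top_ten")
    if not all(re.search(c, password) for c in CLASSES):
        flags.add("missing_char_class")
    return flags

def audit(passwords):
    """Percentage of passwords carrying each flag, as in the report's breakdown."""
    counts = Counter(f for pw in passwords for f in weakness_flags(pw))
    return {f: round(100 * n / len(passwords), 1) for f, n in sorted(counts.items())}

# Constructed sample; the last entry is a random 12-character string.
SAMPLE = ["123456", "Aa123456", "111111", "P@ssw0rd", "T7#vQp2!mZx9"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r:16} {sorted(weakness_flags(pw))}")
    print(audit(SAMPLE))
```

Run the per-password check on the candidate at the moment it is set, since a properly hashed password store cannot be audited this way afterwards.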
However, password strength isn’t the only requirement; each password should be unique to prevent credential stuffing attacks. Users should enable two-factor authentication whenever possible, as it can effectively safeguard accounts even if passwords are compromised. Research shows that nearly 49% of data breaches involve compromised passwords, highlighting the crucial need to enhance password security.
Within the industry, there is currently a push toward passwordless authentication. Major players such as Apple, Google, and Microsoft have begun to support passkeys, which use cryptographic keys in place of traditional passwords. By 2025, it's anticipated that 61% of organizations will shift to passwordless solutions, with 87% of IT leaders expressing strong willingness to make the change. The global passwordless authentication market is projected to reach $22 billion (approximately HKD 171.6 billion) by 2025, and is expected to grow to nearly $90 billion (about HKD 702 billion) over the next decade. Until passwordless authentication becomes mainstream, however, following password security best practices will remain crucial.
The Comparitech research team collected over 2 billion sets of account credentials from Telegram and other data leak forums. To ensure the reliability of the data, researchers cross-checked it against leak reports published by various organizations and consulted data publishers to verify the year of the data. All included data has been anonymized to remove any identifiable personal information and cleaned of anomalies. Ultimately, the most commonly used passwords were ranked based on their frequency of occurrence.



