The Most Common Passwords in 2025

Nordpass annually publish a list of the 200 most common passwords in the world, based on research from 44 countries. In this blogpost we present this year’s results according to 2025 research and explain how hackers exploit the fact that many people make use of common passwords and/or reuse their own passwords across websites.

Maybe these passwords are being used by someone in your organisation? 

Table of contents

• The most common passwords in the world 
  • The 10 most common passwords globally 
  • General tendencies among the 200 most common passwords 
    • Simple and Predictable Patterns
    • The odd ones out
    • No generational gap?

• How hackers exploit weak passwords 
  • Password spraying
  • Credential stuffing

• How to improve your password security 

The most common passwords in the world

We won’t list all the 200 passwords here and call it a day, instead we will present the 10 most common passwords and give you a detailed overview of the general tendencies of the remaining list. If you are interested in reading the complete list, you can visit NordPass – where you can also compare passwords between countries. 

Without further ado, here are the 10 most common passwords of 2025.

The 10 most common passwords globally

The 10 most common (and worst) passwords were analyzed using aggregated data collected between September 2024 and September 2025, based on information from recent public data breaches and dark web sources.

1. 123456 (same as in 2024)

2. admin (in 2024: 123456789)

3. 12345678 (same as in 2024)

4. 123456789 (in 2024: password) 

5. 12345 (in 2024: qwerty123)

6. password (in 2024: qwerty1)

7. Aa123456 (in 2024: 111111)

8. 1234567890 (in 2024: 123123)

9. Pass@123 (in 2024: 1234567890)

10. admin123 (in 2024: 1234567)

This top 10 give us a taste of what the rest of the list has to offer. "123456" has been no. 1 on this list for the past six out of seven years, with "password" taking the top spot only once. 

Convenience clearly continues to outweigh security.

General tendencies among the 200 most common passwords 

When analysing the list, theres one pattern that really stands out. Approx. 90% of the passwords could be placed into the following category:

Simple and Predictable Patterns

Majority of the 200 passwords are different combinations of numbers and letters, with some lying next to each other on the keyboard. Besides the top 10, some of the most popular ones are: 

• 112233 (20th)
• Welcome123 (57th)
• 123456789a (60th)
• asdfghjkl (66th)
• q1w2e3r4 (100th)
• qwerty12345 (121st)
• test123 (131st)
• 111111111 (146th)

These passwords are easy to remember and type, and really highlight people's need for convenience.

The same goes for the use of special characters. They are usually placed either between letters and numbers or at the very end of the password:

• Pass@1234 (27th)
• Demo@123 (46th)
• 123456aA@ (79th)
• Password@1 (181st)

We are once again confirming the need for convenience. 

The odd ones out

Surprisingly, there're a few passwords on the list that break the usual pattern of simplicity. These passwords are more unique and often have something to do with either a country, an athlete or other unrelated personal or cultural references:

• Kapler123 (61)
• India@123 (70th)
• secret (76th)
• bismillah (107th)

• minecraft (123rd)

• pakistan (125th)
• theworldinyourhand (129th)

No generational gap?

There is a general social assumption that the younger generation is better with navigating IT. They are digital natives.

They grew up online so they understand the importance of cybersecurity better than anyone, right?

Wrong.

The password habits of an 18-year-old are extremely similar to those of an 80-year-old. The data shows that the same weak password patterns persist across five generations. The top 1 password is either, "123456", or "12345".

The myth of a "digital native" is now  debunked. Every generation struggles with improving their password quality.

How hackers exploit weak passwords  

The use of common and weak passwords can pose a significant security threat for both private individuals and organisations. According to Verizon’s 2023 Data Breach Investigation Report, 86% of security breaches involve the use of stolen credentials. Two common hacking techniques which exploit the fact that many people use weak passwords are password spraying and credential stuffing.

Password spraying

One of the methods hackers use to get unauthorized access to accounts and systems is password spraying. The reason why this type of attack is successful is because many people use common passwords. To execute a password spraying attack, the hackers need a list of usernames (e.g., email addresses) and a list of common passwords (e.g., the passwords mentioned earlier in this blogpost). After this they try one password (e.g., qwerty) against all the usernames on the list, before moving on to the next password. If the hackers tried many passwords against one account before moving on to the next account, they would risk being caught and denied access to the account due to too many failed login attempts. The hackers therefore avoid being caught by focusing on one password at a time over a longer period.

Credential stuffing 

Another common hacking technique is credential stuffing. According to LastPass’ Psychology of Passwords report from 2022, 62% of people always or mostly use the same password or a variation. This is exploited by hackers in a credential stuffing attack. Before such an attack, the hackers have gained access to a set of credentials through e.g., a data breach or a phishing attack. These credentials are then used to gain access to the victim’s accounts. 

Example of a credential stuffing attack: 

Let’s imagine that one of your co-workers fell victim to a phishing attack, and that the cybercriminals behind the attack now have access to your co-worker’s login information (username + password) for their private email account. Not only will the cybercriminals now have access to this account – they can also perform a credential stuffing attack by trying this username and password combination on other websites and systems as well. If your co-worker reuses his/her passwords across these websites, the cybercriminals might gain access to several of your co-worker’s accounts. This can in turn lead to identity theft and major financial loss. And, if your co-worker uses the same passwords for their private accounts as for their work accounts, the consequences could be significant for the company as well.

How to improve your password security  

Every day we log in to a number of websites and services which require a password. Over the years our passwords might become too many to remember. It is therefore easy to fall for the temptation of using simple passwords and reusing passwords across accounts. In fact, LastPass’ 2022 report shows that 62% of people who reuse passwords do so because they are afraid of forgetting them. But, as we have seen, such behaviour can be a great vulnerability for you and your company. Luckily, there are several tools and tips which can help you improve your password security! 

On our blog, you can read about: 

• How to create strong and unique passwords that are easy to remember 
• What a password manager is and how it can help you keep your passwords strong and safe 
• Why you should consider using two-factor-authentication  

If you are interested in increasing the password security in your organisation, you can check out our course about password security here. 

Awareness training can also be a great way to increase password security, as it helps the employees become more aware of their behaviour and creates a good cyber security culture in the organisation.