
If YOU use any of the passwords on this list, change it NOW



If you rely on any of the passwords included on the list below — change it immediately. Without strong protection, hackers could break into your online account in a matter of seconds.

Despite years of warnings, millions of us still rely on lacklustre passwords to keep our accounts safe. From savings accounts to email inboxes, social media posts to photo libraries, there’s a lot of private data that could be accessed if someone gets their hands on your password.


Despite a steady stream of news stories about high-profile data breaches and hacks, the common passwords in 2025 can still be cracked in under a second, leaving personal information vulnerable to cybercriminals. It comes as new research found that over 40 million Britons use the same password across multiple accounts.


After analysing 15 billion passwords from data breaches, the team at CyberNews has published the definitive list of the most common passwords in 2025, which should all be avoided at all costs:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 12345
  6. qwerty123
  7. 1q2w3e
  8. 12345678
  9. 111111
  10. 1234567890

According to the investigations team at CyberNews, these insecure passwords appear millions of times in leaked databases and have been involved in countless data breaches. As such, if you recognise any of these as your own, you should change them immediately.

Even slight variations of the above passwords can now be easily guessed using automated tools.

As part of their investigation, CyberNews anonymised the data and detached passwords from the email addresses and usernames, which also appeared in the original data breaches, to examine them in isolation, identifying the most popular patterns people use.

In total, they analysed 15,212,645,925 passwords, of which just 2,217,015,490 were unique.

The research revealed interesting patterns about how people create passwords, including their favourite sports teams, cities, food, and even curse words.

The alarming reality is that most people use passwords between 8-10 characters (42%), with eight being the most popular length despite security experts recommending at least 12 characters.

Almost a third (27%) of passwords analysed consist of only lowercase letters and digits, making them highly vulnerable to brute-force attacks. For those who don’t know, a brute-force attack is a method used to crack passwords by systematically trying every possible combination until the correct one is found. It involves automated software that rapidly generates guesses, making it effective against weak or short passwords.

Figure (bar chart of password lengths): Passwords with 8 characters are the most popular, according to CyberNews. This is often the minimum requirement to set up an online account. (Image: CyberNews Press Office)

While time-consuming and resource-intensive, brute-forcing is still relatively common, especially since it’s effective against poorly protected accounts. Strong, complex passwords and two-factor authentication all work to protect online accounts against this method.

According to McAfee, Britons have an average of 47 online accounts, with potentially vulnerable passwords exposing users to increased cybersecurity risks. Most passwords can be cracked in under a second, with researchers finding that 78% of common passwords are now crackable in this timeframe.

Weak passwords have led to numerous security breaches over the past year, including the Snowflake breaches and the SOCRadar.io leak, which poured billions of passwords into cybercriminals’ hands.

“Password theft remains a popular means of attack for cybercriminals and once the information has been recovered, it can circulate freely online or be sold to other malicious actors,” warns McAfee.

Attackers use automated tools to test vast volumes of leaked credentials across multiple platforms.

Even with a seemingly low success rate of 0.2% to 2.0%, these attacks yield thousands of compromised accounts when millions of credentials are tested.

Figure: Researchers scoured gigabytes of leaked data to put together the list of the most commonly used passwords worldwide. (Image: Getty Images)

According to enterprise security firm Enzoic, weak passwords were responsible for 30% of ransomware infections worldwide. In a blog post, the US firm explains: “Criminals know quite a few methods to steal your credentials, from dictionary attacks to password spraying.

“And weak passwords are the driving force behind the success of these attacks.

“When users create passwords that hackers have already exposed in previous data breaches or with common words, combinations, and phrases, threat actors can use relatively easy methods like credential stuffing and password spraying to crack an account. It’s a numbers game that favors the assailant.”

So, what can you do?

Security experts recommend a few steps to help shield against this type of attack. Nobody can recall dozens of unique alphanumeric passwords without help, and that’s where password managers come in.

These popular applications can generate super-secure passwords for every account, storing them in an encrypted safe that can be accessed from any of your devices. To log in, most of these applications only require a quick biometric check – facial recognition on the iPhone or a fingerprint scan on Windows PCs and Android.

When it’s time to log in to your account, the password managers can autofill all of the details with a tap. Many of the most popular options also have systems that monitor ongoing data breaches — warning if any of the websites or mobile apps that you use have been attacked by criminals. If the worst happens and your details are compromised, you can rest easy knowing that none of your other accounts share the same password.

It’s critical to never reuse passwords across different accounts, as this creates a dangerous domino effect if one is compromised.

Experts recommend using a password that’s at least 12 characters long, includes uppercase and lowercase letters, numbers, and special symbols. Avoid using recognisable words, names, sequences, or patterns that could be easily guessed.
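As an added illustration (not part of the original article or the CyberNews research), here is how a sign-up form could screen a new password against the advice above: at least 12 characters, all four character types, and no match with the top-10 list even after slight variations. The substitution table, normalisation rules and function names are assumptions made for this example.

```python
import re

# The ten most common passwords of 2025 as listed in the article.
COMMON = {
    "123456", "123456789", "qwerty", "password", "12345",
    "qwerty123", "1q2w3e", "12345678", "111111", "1234567890",
}

# Assumed character swaps people use to "vary" a weak password.
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e", "1": "i"})

# Character types the article says a strong password should include.
CLASSES = {
    "lowercase letter": r"[a-z]",
    "uppercase letter": r"[A-Z]",
    "number": r"[0-9]",
    "special symbol": r"[^A-Za-z0-9]",
}


def variants(password):
    """Return normalised forms that undo common slight variations."""
    base = password.lower()
    forms = {
        base,
        re.sub(r"[^a-z0-9]+$", "", base),  # drop trailing symbols ("qwerty123!")
        re.sub(r"[^a-z]+$", "", base),     # drop trailing digits too ("password2025!")
    }
    # Also try each form with the assumed swaps reversed ("p@ssw0rd" -> "password").
    return forms | {form.translate(LEET) for form in forms}


def screen(password):
    """Return the reasons to reject a password; an empty list means accepted."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    for name, pattern in CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"no {name}")
    if variants(password) & COMMON:
        problems.append("variation of a top-10 password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any breach data.
    for sample in ("qwerty123", "P@ssw0rd2025!", "vG7#kLm2!qRz9x"):
        print(sample, "->", screen(sample) or "accepted")
```

The second sample satisfies the length and character rules yet is still rejected, which is why screening for known weak passwords matters alongside complexity rules.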

Figure: Password managers, like NordPass pictured above, can generate unique secure passwords for every account and store them in an encrypted vault that can be accessed with a fingerprint or facial scan. (Image: NordPass Press Office)

Outside of the password itself, enable multi-factor authentication wherever possible to add an extra layer of security. This sends a one-time passcode to an email account or mobile phone. Even if hackers get their hands on your username and password, this will prevent them from logging into your account.

Finally, consider using passkeys where available, as major providers like Google, Microsoft, and Apple support this alternative. These allow you to sign in to apps, websites, and other online accounts in the same manner that you unlock your device – using a fingerprint, a face, or an on-screen PIN.

Explaining the advantages of using a passkey over a traditional password in an FAQ on its website, Microsoft writes: “Passkeys are the future of authentication, and for good reason!

“They’re incredibly easy to use and intuitive, eliminating the need for complicated password creation processes and the hassle of remembering them. Plus, they’re unique to each website or application, so you don’t have to worry about someone using your passkey to access other services.

“And unlike passwords, passkeys are resistant to phishing attempts, making them a much more secure option. Best of all, you can use your passkey across all your devices, so you never have to worry about forgetting your password again!”

“The widespread use of insecure passwords represents a serious threat,” says Neringa Macijauskaitė, information security researcher at Cybernews. “Each reused or weak password represents a potential entry point for attackers.”

World Password Day offers the perfect opportunity to review your digital security. Take a few minutes today to update your vulnerable passwords and implement stronger security practices.

Your online safety depends on it.
