Once again, data shows an uncomfortable truth: the habit of choosing eminently hackable passwords is alive and well
‘123456’ continues to reign supreme as the most commonly-used password among people across the world, according to two reports, from NordPass and Comparitech, respectively. A full 25 percent of the top 1,000 most-used passwords are made up of nothing but numerals.
In addition, ‘123456’ appealed to people of various age cohorts, as it was the most-favored option among millennials, Generation X and baby boomers alike, and the second most-popular option among Generation Z and the Silent Generation (after ‘12345’). This is according to NordPass’ analysis, which is based on billions of leaked passwords and sheds light on password trends among people in 44 countries.
Another all-too-predictable choice, ‘admin’, trailed close behind, with ‘12345678’, ‘123456789’ and ‘12345’ coming next, as many people clearly continue to favor convenience, putting their personal data, money and possibly reputations at risk.
In the US and the UK, the overall picture was just as grim, with ‘admin’ taking the top spot in both countries. In the US, the one and only ‘password’ and ‘123456’ took the second and third spots, respectively; in the UK, the two just swapped places.
Much the same picture is painted by Comparitech’s research into two billion real account passwords leaked on data breach forums in 2025, as it had ‘123456’, ‘12345678’ and ‘123456789’ atop its list.
Same old, same old
Using an easily-guessable password is tantamount to locking the front door of your house with a paper latch. It offers no actual resistance, and attackers can use brute-force or credential stuffing techniques that allow them to make quick work of such weak or reused passwords at scale.
It goes without saying, therefore, that if your password made it among those most common password choices, you would be very well advised to change it immediately. Use a strong and unique password or passphrase for each account and ideally, store them in a reputable password manager.
No matter how stubborn, however, a password is still only a single barrier between your account and a hacker. That’s why two-factor authentication (2FA) as an extra layer of security is a non-negotiable line of defense these days, particularly for accounts that contain Personally Identifiable Information (PII) or other important data.
The risks rise sharply in corporate environments. Weak, obvious, or reused passwords can expose not only individual employees, but entire organizations, their customers, and their partners. Indeed, in many cases, the initial point of entry is neither sophisticated nor novel; instead, it’s simply a password that should never have been trusted in the first place. The consequences, meanwhile, are rarely trivial and span financial loss, operational disruption, regulatory scrutiny, and long-term reputational damage. Which is why companies need a combination of technical safeguards and ongoing security awareness training programs for employees.
Meanwhile, the technical barriers for ne’er-do-wells have never been lower. Modern tools can test countless combinations of login credentials in minutes, so the odds are firmly stacked in the attacker’s favor. Plus, in the digital ecosystem built on interconnected services and shared identities, the damage stemming from one account takeover is unlikely to stay contained for long.
Also, passkeys are rapidly becoming commonplace, and many major platforms, including Apple, Google, and Amazon, now offer them as a primary login method.
You might have had many New Year’s resolutions heading into 2026. But if your own passwords appear on either list above, improving your account security should be one of the most important of them.
