Seven years since our first top 200 common passwords list, we’ve witnessed how credential trends have changed — and what has remained the same. Each year, we rediscover people’s tendency to opt for weak passwords that prioritize convenience over security.
However, this year, we decided to ask ourselves: How do different generations treat their password use? From the silent generation to the “zoomers,” we analyzed which passwords are the most common among different user groups. As it turns out, bad password habits are trendy no matter how old you are.
Long passwords are more secure which is why I chose PasswordAdminQwertyAbcdefg1234567890987654321
For the longest time the admin password for the router at work was PasswordReset.124, the useless penetration testers didn’t even pick up on it.
I’ve changed it to something actually random and then, following established industry standard security practices, somebody else has gone and written it on a post-it note, and stuck it to the router. So we’re all fine now.
I’m extremely tempted to “hack” the network and bring it down only to be the hero that brings it back up after a few hours of non-productivity. But I feel like if they found out that might be a firing offence.
Especially now that you committed it to this federated website.
Thankfully my password, hunter2, isn’t in there.
Why would a string of * be in there?
Good news everyone! “top 200 most common passwords” isn’t in the list, so we can keep using that one!
There was a post on here a while ago about the most popular four digit PIN numbers. I think the top five were
1234
7890
1212
1111
And 1701
We’re all so original
Kinda hard to be original with four digit PINs. Of course there’s some worse choices than others, but 9999 possible combinations really limit creativity.
Am I unreasonably disappointed to not find “Correct Horse Battery Staple” - or some variation thereof - in that list?
Always make sure to pick a popular password people, you don’t want your hacker to think you are a special snowflake.
Can’t run the risk of being fingerprinted, privacy and anonymity first!
P@ssw0rd is ahead of Password. Times they are a changin
It’ll just be that a lot of password systems insist on a number and a special character.
I know a couple of people who think they are clever for these kinds of substitutions, I can probably use this fact on them. Not sure they will change their ways after, they kinda oppose any change.
Most places force you to put a number and a special character in there now, the number of places you can get away with just a word for a password is dwindling
Looking at the different countries is also funny. The only password I’m not surprised about is admin, because that’s probably the default for most devices maybe? Unless user changes it manually.
But my question is, are these only “hacked” passwords? Because those who are not hacked, you don’t know what passwords they have. So this is a bit of bias here, right?
But my question is, are these only “hacked” passwords? Because those who are not hacked, you don’t know what passwords they have. So this is a bit of bias here, right?
No, that’s not how these are obtained. Password dumps are from attackers breaching a site’s user database and dumping their credentials, usually by phishing administrators’ logins. Attackers aren’t brute-forcing passwords anymore except on a one-off, very rare basis. Here’s a list of publicly-known password dumps, and you can see details about where they came from: https://haveibeenpwned.com/PwnedWebsites
Ah right, that makes sense. I know that site, but didn’t think of it. I know, not the smartest in the town. ^^
I also wonder if people do more secure passwords for important services. Or do they treat it the same? My parents always used their birthday as password, so they do not forget it. Which is not much more secure than 1234.
I also wonder if people do more secure passwords for important services.
In my experience, most people have at most 2-3 passwords, and some do choose a “more secure” one for things like banking and work. Very few people use a password manager.
Thankfully this isn’t allowed for new devices being sold in the EU anymore. They are required to have a per-device individual password now. Hopefully this effectively causes the practice to at least become much less common globally. After all, if you’ve set up the needed manufacturing steps, there’s little sense in skipping them depending on a target region.
You didn’t fill in the survey when the password inspector sent you that email? Rude!
Top 3 are still the same from previous years
- 12345
- 123456
- 12345678
It’s official: “123456” has once again claimed the controversial title of the world’s most common password — and one of the weakest. That marks six out of seven years this password has topped our chart
Your top list is for Gen Z’s where #1 is “12345”, combining for everyone #1 is 123456.
Except among Zoomers, with whom the most common password is 67
How can I get to Sesame Street?
theworldinyourhand
Really? is that from something?
…a super prolific autistic account hoarder ?
12345
That’s amazing. I’ve got the same combination on my luggage!
All I see is *****
Methodology
The Top 200 Most Common Passwords report is the result of a joint effort between NordPass and NordStellar, prepared in collaboration with independent researchers specializing in cybersecurity incidents. Recent public data breaches and dark web repositories were analyzed from September 2024 to September 2025 to identify statistically aggregated data. No personal data was acquired or purchased for this research.
Okay, so how valid is this really if they’re only using those passwords that were hacked?
It’s very valid. The password dumps they’re analyzing aren’t based on attackers brute-forcing, they’re based on attackers breaching sites’ backends and dumping the user databases. Some of these are sites with millions of records, and when you look at credential-stuffing lists (which are aggregate lists of currently-accessible accounts using previously-breached credential pairs), it adds millions more.
Sort this list by year, and you can see there’s tens of millions of leaked passwords in 2025 alone: https://haveibeenpwned.com/PwnedWebsites
That makes sense, thank you.
Damn, doesn’t load for me :/
do they account for the circumstances?
most public wifi login pages get: u: abc@def.com p: qwerty from me.
I assume those types of services get breached all the time and no one cares. I think they just want plausible deniability on acceptable use of the wifi.












