So, published for your entertainment, and hopefully for some of you, your education, here are the top 20 most used passwords. Also included is a small sample of popular breached passwords from the rest of the list:
The 20 Most Used Passwords
- 123456 (23.2m)
- 123456789 (7.7m)
- qwerty (3.8m)
- password (3.6m)
- 1111111 (3.1m)
- 12345678 (2.9m)
- abc123 (2.8m)
- 1234567 (2.5m)
- password1 (2.4m)
- 12345 (2.3m)
- 1234567890 (2.2m)
- 123123 (2.2m)
- 000000 (1.9m)
- Iloveyou (1.6m)
- 1234 (1.3m)
- 1q2w3e4r5t (1.2m)
- Qwertyuiop (1.1m)
- 123 (1.02m)
- Monkey (980,209)
- Dragon (968,625)
Top 5 names
- ashley (432,276)
- michael (425,291)
- daniel (368,227)
- jessica (324,125)
- charlie (308,939)
Top 5 football teams
- liverpool (280,723)
- chelsea (216,677)
- arsenal (179,095)
- manutd (59,440)
- everton (46,619)
Top 5 musicians
- blink182 (285,706)
- 50cent (191,153)
- eminem (167,983)
- metallica (140,841)
- slipknot (140,833)
Top 5 fictional characters
- superman (333,139)
- naruto (242,749)
- tigger (237,290)
- pokemon (226,947)
- batman (203,116)
List of the best free Anti-Virus products.
- Avast Free Antivirus.
- AVG AntiVirus FREE.
- Avira Antivirus.
- Bitdefender Antivirus Free.
- Kaspersky Security Cloud – Free.
- Microsoft Defender Antivirus.
- Sophos Home Free.
List of the best paid antivirus software in order.
- Bitdefender Antivirus Plus 2020.
- Norton Antivirus Plus. …
- Kaspersky Anti-Virus. …
- F-Secure Antivirus SAFE. …
- Comodo Windows Antivirus.
Password security has never been more critical. Yet despite decades of warnings from cybersecurity experts, millions of people continue to use passwords that can be cracked in seconds.
Recent data breaches and security analyses reveal a troubling pattern: the same weak passwords appear repeatedly across major hacks, putting users at extraordinary risk.
The Scale of the Problem
According to the latest analysis from cybersecurity firm NordPass, which examined over 4.3 terabytes of data from publicly available sources including data breaches, the most common passwords remain shockingly predictable.
Their 2024 study revealed that the top 10 most common passwords could be cracked in under one second using modern computing power.
The numbers are staggering. “123456” topped the list for the fifth consecutive year, appearing in over 4.5 million breached accounts.
Following closely behind are “password” (used by 1.6 million accounts), “123456789” (1.4 million accounts), and “guest” (1.3 million accounts). These four passwords alone account for nearly 9 million compromised accounts in the dataset analyzed.
The Anatomy of Weak Passwords
The most hacked passwords share several dangerous characteristics that make them prime targets for cybercriminals:
Sequential patterns dominate the list. Beyond “123456,” variations like “12345678,” “1234567890,” and “123123” appear frequently. These patterns are among the first combinations attempted in brute-force attacks because they’re so predictable.
Common dictionary words represent another major vulnerability. “Password,” “admin,” “login,” and “welcome” are not just popular choices—they’re sitting ducks for dictionary attacks, where automated systems rapidly test common words and phrases.
Keyboard patterns also feature prominently. “qwerty,” “asdf,” and “zxcvbn” might seem clever to users who think they’re outsmarting the system, but these patterns are well-known to hackers and appear in every basic password-cracking toolkit.
Cultural references round out the most vulnerable categories. “pokemon,” “naruto,” and “dragon” regularly appear in breach datasets, as do sports teams, popular names, and movie titles. While these might feel personal and secure to users, they’re actually highly predictable based on cultural trends.
The Speed of Modern Password Cracking
Understanding just how quickly these passwords can be broken is crucial for grasping the magnitude of the risk. Using current hardware and software capabilities, cybersecurity researchers have demonstrated that:
- Simple numeric sequences (like “123456”) can be cracked in under 0.1 seconds
- Common dictionary words take an average of 0.3 seconds
- Keyboard patterns require approximately 0.5 seconds
- Even slightly more complex passwords using common substitutions (like “P@ssw0rd”) can be broken in under 10 minutes
These timeframes assume attackers have access to hashed passwords from a data breach. In live attacks against login systems, other factors come into play, but the fundamental vulnerability remains the same: predictable passwords offer virtually no protection against determined attackers.
Geographic and Demographic Patterns
The data reveals fascinating regional differences in password habits. While “123456” dominates globally, certain countries show distinct preferences:
In the United States, “password” ranks second, followed by “123456789” and “12345678.” American users also show a higher tendency to use sports-related passwords, with “football” and “baseball” appearing frequently.
European users demonstrate slightly better password practices overall, but still rely heavily on keyboard patterns. “qwerty” appears more frequently in European datasets, while “azerty” is common in French-speaking regions.
Asian markets show interesting cultural variations. In China, “123456” remains dominant, but “111111” and “000000” also rank highly. Japanese users frequently incorporate “sakura” and other culturally significant terms.
Age demographics also play a significant role. Users over 50 are more likely to use dictionary words and personal information, while younger users gravitate toward pop culture references and gaming terms. However, both groups struggle with the same fundamental issue: choosing predictable passwords.
The Psychology Behind Poor Password Choices
Why do people consistently choose such vulnerable passwords? Cybersecurity researchers have identified several psychological factors:
Cognitive load plays a major role. Managing dozens of unique, complex passwords exceeds most people’s mental capacity, leading them to default to simple, memorable patterns.
Optimism bias causes users to believe “it won’t happen to me.” Despite regular news coverage of data breaches, many people underestimate their personal risk.
Security fatigue results from the constant barrage of security warnings and requirements. Overwhelmed users often choose convenience over security.
Lack of understanding about how password attacks work leads to false confidence in weak passwords. Many users believe that adding a number or symbol to “password” makes it secure, not realizing that “password123” is still cracked in seconds.
The Real-World Impact
The consequences of weak passwords extend far beyond individual inconvenience. The 2024 IBM Cost of a Data Breach Report found that organizations suffer an average of $4.45 million in damages per breach, with compromised credentials being the leading cause of breaches (16% of all incidents).
For individuals, the impact can be devastating. Identity theft, financial fraud, and account takeovers often begin with a single compromised password. The average victim of identity theft spends 200 hours and $1,400 resolving the aftermath.
Consider the case of a major healthcare provider breach in 2023, where attackers gained access to 3.3 million patient records. The initial entry point was traced to an employee account protected by the password “admin123.” This single weak password led to HIPAA violations, regulatory fines exceeding $2 million, and immeasurable damage to patient trust.
Industry-Specific Vulnerabilities
Different industries show varying patterns of password weakness:
Healthcare consistently ranks among the worst for password security. Medical professionals, focused on patient care rather than cybersecurity, often use predictable passwords like “medical123” or “doctor.” The urgency of healthcare environments also leads to password sharing and simplified access controls.
Education faces unique challenges with a mix of tech-savvy students and less technical staff. Common passwords in educational breaches include “student,” “school,” and variations of institution names.
Financial services, despite regulatory requirements, still see concerning patterns. While banks implement stronger controls, smaller financial institutions and credit unions often struggle with basic password hygiene.
Government agencies show improvement over time but remain vulnerable. Public sector breaches often involve passwords like “government,” “admin,” and predictable variations of department names.
The Evolution of Password Attacks
Modern password attacks have evolved far beyond simple guessing. Today’s cybercriminals employ sophisticated techniques:
Credential stuffing attacks use previously breached username/password combinations to test access across multiple sites. Since users often reuse passwords, these attacks succeed at alarming rates.
Hybrid attacks combine dictionary words with common substitutions and additions. These attacks quickly defeat passwords like “Password123!” that users believe are secure.
AI-powered attacks use machine learning to predict password patterns based on personal information gleaned from social media and other sources. These systems can generate highly targeted password lists that dramatically increase success rates.
Rainbow tables provide pre-computed hashes for millions of common passwords, allowing instant cracking of many weak passwords without the need for brute-force computation.
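Precomputed tables only pay off when password hashes are stored unsalted, so the defensive counterpart is a per-user salt and a slow key-derivation function. The sketch below is an added example, not code from the original article: the function names, the record format and the iteration count are assumptions, and the sample passwords are ones quoted on this page.

```python
import hashlib
import hmac
import os

COMMON = ["123456", "password", "qwerty", "admin123", "password123"]  # quoted on this page

# What a precomputed table amounts to: unsalted hash -> password, built once, reused on any dump.
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON}


def store_unsalted(password):
    """Weak storage: a fast, unsalted digest. Identical passwords give identical records."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password, iterations=600_000):
    """Hardened storage: random per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"  # assumed record format


def verify_salted(password, record):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def found_in_table(record):
    """True if the stored digest can be reversed by a plain table lookup."""
    return record.split("$")[-1] in PRECOMPUTED


if __name__ == "__main__":
    print("unsalted record in table:", found_in_table(store_unsalted("admin123")))
    print("salted record in table:  ", found_in_table(store_salted("admin123")))
```

A salt removes the reuse of precomputed work across accounts and breaches; it does not make "admin123" a strong password, which is why the deny-list and length rules still matter.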
Building Better Password Habits
Creating secure passwords requires understanding both what makes passwords vulnerable and what makes them strong. Security experts recommend several strategies:
Length over complexity has become the new paradigm. A 15-character password using only lowercase letters is significantly stronger than an 8-character password with mixed case, numbers, and symbols.
Passphrases offer the best balance of security and usability. Four random words combined (like “correct horse battery staple”) create passwords that are both memorable and secure.
Unique passwords for every account prevent credential stuffing attacks. While challenging to manage manually, password managers make this approach practical.
Two-factor authentication provides crucial additional security even when passwords are compromised. This second layer of protection can prevent account takeovers even with stolen credentials.
The Password Manager Solution
Password managers have emerged as the most practical solution for the average user. These tools generate unique, complex passwords for every account and store them in an encrypted vault. Leading password managers like 1Password, Bitwarden, and LastPass (despite past security incidents) offer:
- Automatic generation of strong passwords
- Secure storage across devices
- Automatic form filling
- Security monitoring and breach alerts
- Secure sharing capabilities
The adoption rate of password managers remains disappointingly low, with only 23% of users employing them according to recent surveys. This represents a massive missed opportunity for improved security.
Organizational Responsibilities
While individual users bear responsibility for their password choices, organizations must also play a role in promoting better security:
Password policies should encourage length over complexity and prohibit the most common weak passwords. However, overly restrictive policies can backfire by encouraging predictable patterns.
Security training must go beyond simple guidelines to help users understand the real risks and practical solutions. Regular, engaging education programs show measurably better results than one-time presentations.
Technical controls like multi-factor authentication, password complexity requirements, and breach monitoring can significantly reduce risk even when users make poor choices.
Password management tools provided by employers give users practical alternatives to weak passwords and should be considered essential security infrastructure.
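One way to implement the password-policy point above (length first, common passwords prohibited) is a check at password-set time that also catches the sequences, keyboard walks and substitutions described earlier in the article. This is an added example, not code from the original article: the function names and the 15-character minimum are assumptions, and the deny-list is seeded only with passwords quoted on this page.

```python
import re

# Deny-list seeded with passwords quoted on this page; production use needs a full breach corpus.
COMMON = {"123456", "123456789", "password", "abc123", "iloveyou", "monkey", "dragon",
          "admin", "login", "welcome", "guest", "pokemon", "naruto", "1q2w3e4r5t"}
# Keyboard rows (QWERTY, plus the AZERTY top row) used to spot walks such as "asdf".
KEY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "azertyuiop", "1234567890"]
# Common substitutions, undone before the deny-list lookup.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "1": "i", "!": "i",
                      "$": "s", "5": "s", "7": "t"})
MIN_LENGTH = 15  # assumption: taken from the page's 15-character example


def base_word(pw):
    """Lower-case, drop trailing digits/symbols, then undo substitutions."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())
    return core.translate(LEET)


def is_sequence(s):
    """True for runs like 123456, 654321 or 000000, and repeated chunks like 123123."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1}, {0}) or re.fullmatch(r"(.+?)\1+", s) is not None


def is_keyboard_walk(s):
    """True when the whole password is a slice of one keyboard row, in either direction."""
    return len(s) >= 4 and any(s in row or s in row[::-1] for row in KEY_ROWS)


def check_password(pw):
    """Return the list of policy violations; an empty list means accepted."""
    low = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if low in COMMON or base_word(pw) in COMMON:
        problems.append("common password")
    if is_sequence(low):
        problems.append("sequence")
    if is_keyboard_walk(low):
        problems.append("keyboard walk")
    return problems


if __name__ == "__main__":
    for sample in ["123456", "P@ssw0rd", "Password123!", "zxcvbn", "correct horse battery staple"]:
        print(f"{sample!r}: {check_password(sample) or 'accepted'}")
```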
The Future of Authentication
While passwords remain the dominant authentication method, the future points toward additional and alternative approaches:
Biometric authentication using fingerprints, facial recognition, and other biological markers offers improved security and convenience. However, biometric systems have their own vulnerabilities and privacy concerns.
Hardware tokens provide strong authentication but face adoption challenges due to cost and complexity. The growing adoption of WebAuthn and FIDO2 standards may address these limitations.
Behavioral analytics can detect unusual login patterns and flag potential account compromises even with correct passwords. This approach adds security without requiring user behavior changes.
Zero-trust architecture reduces reliance on passwords by implementing continuous authentication and authorization checks throughout user sessions.
Conclusion: The Password Paradox
The persistence of weak passwords in our digital age represents a fascinating paradox. Despite widespread awareness of cybersecurity risks, millions of people continue to use passwords that provide virtually no protection against modern attacks.
The most hacked passwords of 2024 are largely identical to those from 2014, suggesting that knowledge alone is insufficient to drive behavior change.
The solution requires a multi-faceted approach. Users must adopt better password practices, but technology must also evolve to make security more convenient and accessible.
Organizations need to implement both technical controls and education programs while working toward authentication systems that don’t rely solely on passwords.
The question “Are you using the most-hacked password?” should serve as more than a simple security check—it should prompt a fundamental evaluation of how we approach digital security in an increasingly connected world.
The data is clear: weak passwords represent an existential threat to personal and organizational security. The only question is whether we’ll act on this knowledge before the next major breach makes the decision for us.

