
Redazione RHC: 8 November 2025 08:23
In 2025, users still rely heavily on basic passwords to protect their accounts. A Comparitech study, based on an analysis of over 2 billion real passwords leaked to data breach forums over the course of a year, found that the most common passwords have remained unchanged for many years: “123456,” “admin,” and “password” remain the top choices.
The company’s analysts have compiled a list of the 100 most common passwords. The top ten is dominated by familiar numerical sequences: “123456”, “12345678”, “123456789”, followed by “admin”, “1234”, “Aa123456”, “12345”, “password”, “123”, and “1234567890”.
The most popular variant, “123456”, has appeared in the database over 7.6 million times, while “minecraft,” ranked 100th, has appeared about 70,000 times, not counting the 20,000 capitalized “Passwords.”
About a quarter of the 1,000 most common passwords are made up entirely of numbers. Nearly 39% include the sequence “123,” and another 2% use the reverse combination “321.” The string “abc” appears in 3.1% of cases. Among minimalist passwords, “111111” (18th place) and even “********” (35th) stand out.
Nearly 4% of all popular combinations contain the words “pass” or “password,” 2.7% contain “admin,” 1.6% contain “qwerty,” and 1% contain “welcome.”
The report found that among the nationally relevant examples, the password “India@123” stood out, ranking 53rd in frequency. According to the researchers, these combinations, while less stereotypical, are still easy to guess.
When examining password length, experts noticed a worrying trend: 65.8% of combinations contain fewer than 12 characters, 6.9% are shorter than eight, and only 3.2% are longer than 16 characters. Meanwhile, the ninth most popular password, “123,” is just three digits long, and the fifth most popular, “1234,” contains four.

Chart: Most Common Passwords by Length (Comparitech)
The study’s authors emphasize that modern hacking tools can crack weak passwords in seconds. Short passwords are easily cracked by brute-force attacks, and reusing the same password on different websites leaves accounts open to credential stuffing, in which stolen credentials from one site are tried against others.
A strong password is considered to be at least twelve characters long, with a combination of lowercase and uppercase letters, numbers, and special characters. It should also be as random as possible and contain no recognizable patterns. Two-factor authentication offers additional protection, preventing hacking even if the password is compromised.
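The criteria above can be enforced when a user sets a password. The following is an added example, not code from Comparitech or the original article: a screening function (the name `screen_password` is hypothetical) that applies the article's top-ten list, the recurring substrings it reports, and the twelve-character, four-class rule.

```python
import re

# Top ten passwords as listed in the article, lowercased for comparison.
TOP_TEN = {"123456", "12345678", "123456789", "admin", "1234",
           "aa123456", "12345", "password", "123", "1234567890"}

# Substrings the article reports as recurring in the most common passwords.
WEAK_SUBSTRINGS = ("123", "321", "abc", "pass", "admin", "qwerty", "welcome")

MIN_LENGTH = 12  # the article's "at least twelve characters"

# The four character classes named in the article.
CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def screen_password(candidate: str) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    lowered = candidate.lower()

    if lowered in TOP_TEN:
        reasons.append("in top-ten list")
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than 12 characters")
    if candidate.isdigit():
        reasons.append("digits only")
    if len(set(candidate)) == 1:
        # Catches entries such as "111111" and "********".
        reasons.append("single repeated character")
    hits = [s for s in WEAK_SUBSTRINGS if s in lowered]
    if hits:
        reasons.append("contains common pattern: " + ", ".join(hits))
    missing = [name for name, rx in CLASSES.items() if not rx.search(candidate)]
    if missing:
        reasons.append("missing classes: " + ", ".join(missing))
    return reasons


if __name__ == "__main__":
    # Sample inputs: three from the article, one constructed random string.
    for pw in ("123456", "India@123", "********", "rV7#kq!Zt2&mXw9p"):
        print(repr(pw), "->", screen_password(pw) or "accepted")
```

A check like this only catches the patterns named in the article; it does not replace comparing new passwords against a full breached-password corpus.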
The research methodology is based on the collection of datasets leaked from forums and Telegram channels. To ensure the material was up-to-date, the researchers compared the data with publicly available leak reports or verified the date of the cyberattack with the authors of the publications.
Only confirmed posts dating back to 2025 were included in the analysis, with all personal information anonymized. The ranking was based on the number of occurrences of each unique combination in the cleaned database.