
“123456”, “password”, and other weak combinations remain the most widely used passwords in the world, according to the latest Top 200 Most Common Passwords report released by NordPass.
The annual report analysed billions of compromised credentials collected from global data breaches between September 2024 and September 2025. Despite growing awareness of cyber threats, the study found that users across all regions continue to rely on simple and highly predictable passwords.
Globally, “123456” held the number-one spot, followed by “123456789”, “password”, “12345”, and “qwerty”. NordPass said the ranking has barely shifted in recent years, underscoring a persistent global pattern of weak password hygiene.
Numeric strings, from “12345” to “1234567890”, dominated the top entries across multiple countries. Variants of the word “password”, such as “Password1”, “P@ssw0rd”, and “password123”, also remain widespread despite being easily cracked by automated hacking tools.

NordPass noted that generational trends contribute to the problem. Younger users, particularly Gen Z and Gen Y, tend to favour numeric sequences or internet-inspired phrases like “skibidi”, while older users more often incorporate first names or surnames into their passwords. These predictable structures make accounts vulnerable to both dictionary attacks and brute-force attempts.
The report also highlighted local patterns across regions. For example, in some countries, passwords using popular first names and cultural references continue to rank highly. In South Africa, “admin” surged dramatically from 20th place last year to become the country’s most used password, mirroring the global trend of increasing reliance on simple system-related words.

Cybersecurity analysts warn that these habits create a massive attack surface for criminals, who routinely exploit weak credentials to breach accounts, deploy ransomware, or steal personal information. Passwords such as “123456” can be cracked instantly, while slightly more complex variations offer only marginally better protection.
NordPass urged users worldwide to adopt safer practices by using long, unique passwords for each account, enabling multi-factor authentication, and relying on password managers to generate randomised credentials.
With cyberattacks rising globally, experts say weak passwords remain one of the simplest, and most preventable, security risks facing internet users today.