Researchers analyzing billions of leaked credentials this year found that users are still clinging to the same weak passwords that have circulated for over a decade. Despite countless warnings, words like “password” and simple number strings remain among the most used combinations online in 2025.
Comparitech’s team examined over two billion real account passwords exposed through data breaches across forums and Telegram channels. The results show a disappointing pattern: “123456” appeared more than 7.6 million times, securing the top spot yet again, followed by “12345678” with 3.6 million and “123456789” not far behind. Simple sequences such as “1234”, “12345”, and “1234567890” continued to dominate the global chart, while “admin” and “password” still ranked inside the top ten.
Beyond these predictable entries, some users added weak variations like “Pass@123”, “P@ssw0rd”, or “Aa123456”. Familiar terms such as “qwerty123”, “welcome”, and “minecraft” also surfaced repeatedly. The word “minecraft” alone appeared around 70,000 times, plus another 20,000 with different letter casing. Among the more regional results, “India@123” stood out, ranking 53rd among the most common passwords.
The data reveals deeper behavioral trends that haven’t shifted much over the years. One quarter of the top 1,000 passwords contained only numbers, while 38.6% featured the sequence “123” and 3.1% included “abc”. Short numeric strings still dominate because they’re easy to remember, yet they remain the easiest to crack. Most passwords analyzed were shorter than recommended: 65.8% had fewer than 12 characters, and 6.9% had fewer than 8. Only a small fraction (just above 3%) stretched to 16 characters or more.
Modern brute-force tools exploit that weakness instantly. According to strength estimates from Hive Systems, a password made only of numbers can be broken almost immediately. Add a mix of uppercase and lowercase letters, numbers, and symbols, and a 12-character password could take billions of years to crack. At 16 characters, the cracking time expands to astronomical scales. A 12-digit numeric password, on the other hand, may last only three months before falling to an automated attack, while a 16-digit number-only one might survive a couple of thousand years, proof that even length alone adds considerable resistance.
The recurring issue, however, is repetition. Many users recycle old logins or apply the same structure across multiple accounts. That habit fuels credential-stuffing attacks, where one leaked password can expose several services at once. Security experts continually advise creating unique passwords for every platform, but convenience still outweighs caution for most.
There are simple ways to fix this. A strong password should include at least 12 to 16 characters, mixing symbols and letters in no predictable order. Instead of inventing one manually, users can generate them automatically using free tools like Digital Information World’s Password Generator. This kind of randomness removes human bias and greatly limits exposure. Adding two-factor authentication further reduces the risk of account takeovers even when a password leaks.
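The weaknesses described above can be screened for at password-change time. The following Python sketch is an added example, not code from Comparitech or Digital Information World. Its deny-list holds only the passwords quoted in this article, and the names `screen` and `generate` and the symbol set are assumptions made for illustration.

```python
import secrets
import string

# Constructed deny-list: only the passwords quoted in the article, lower-cased.
# A real deployment would load a full breached-password list instead.
COMMON = {
    "123456", "12345678", "123456789", "1234", "12345", "1234567890",
    "admin", "password", "pass@123", "p@ssw0rd", "aa123456",
    "qwerty123", "welcome", "minecraft", "india@123",
}
MIN_LENGTH = 12  # lower bound of the 12-16 range the article recommends
SYMBOLS = "!@#$%^&*()-_=+[]{}"  # assumed symbol set for generated passwords
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def screen(password: str) -> list[str]:
    """Return the reasons a candidate should be rejected (empty list = accept)."""
    reasons = []
    lowered = password.lower()
    if lowered in COMMON:  # case-insensitive, so "Minecraft" matches too
        reasons.append("common")
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if password.isdigit():
        reasons.append("digits_only")
    if "123" in lowered or "abc" in lowered:
        reasons.append("sequence")
    return reasons


def generate(length: int = 16) -> str:
    """Draw from the OS CSPRNG; redraw until all classes appear and screen() passes."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        classes = (
            any(c.islower() for c in candidate),
            any(c.isupper() for c in candidate),
            any(c.isdigit() for c in candidate),
            any(c in SYMBOLS for c in candidate),
        )
        if all(classes) and not screen(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("Minecraft", "India@123", "482915073366", generate()):
        print(repr(pw), screen(pw) or "accepted")
```

The 12-digit sample is not on the deny-list and meets the length minimum, so only the digits-only rule catches it.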
The findings suggest that password hygiene in 2025 remains as careless as ever. Technology keeps evolving, yet human habits seem frozen in place. Until users prioritize security over simplicity, the same familiar strings (123456, admin, and password) will keep returning to the top of the world’s weakest password lists.
Notes: This post was edited/created using GenAI tools.
by Irfan Ahmad via Digital Information World

