Worst Passwords of 2025: Another Year, The Same Password Crisis?
Read our annual roundup, which reveals the worst passwords of 2025, based on global research from NordPass and NordStellar. It examines how weak password habits persist across generations, why predictable sequences remain top offenders, and how false complexity tricks users into a false sense of security.
Written by human for humans
78% of the world’s most common passwords can be cracked in under one second. Despite countless warnings, data breaches, and headline-grabbing cyber attacks, millions of people worldwide still use login credentials that could be guessed by a child.
This blog post is part of our annual roundup of the worst password offenders, based on NordPass’s latest research, compiled in collaboration with NordStellar, which includes global data, methodology, and generational insights. The findings confirm what security professionals have been saying for years: users continue to prioritise convenience over safety — even though this no longer needs to be a choice, thanks to secure tools like password managers.
The list comes from NordPass’s seventh annual “Top 200 Most Common Passwords”. For 2025, the report expands beyond personal passwords: it now includes a set of the most common corporate passwords, showing that weak password habits are not just a personal issue but often a systemic risk in organisational settings. The data is aggregated from a large corpus of real-world exposures: publicly available leaked password databases, including those from major data breaches.
But this year's list brings a twist. For the first time, the data goes deeper into how different generations choose passwords, from the Silent Generation to Gen Z. The verdict? Everyone is guilty — but not in the same way.
[Screenshot taken from NordPass's website: https://nordpass.com/most-common-passwords-list/]
The Global Hall of Shame: 2025 vs. 2024
Let’s begin with the offenders you’ll recognise immediately. The top passwords globally include predictable numeric strings and basic dictionary words.
Top 10 offenders of 2025:
- 123456
- admin
- 12345678
- 123456789
- 12345
- password
- Aa123456
- 1234567890
- Pass@123
- admin123
Yes, the classics return — again. Other offenders include sequences such as 12345, repeated patterns like 111111, and corporate-style weak spots such as admin and qwerty.
Last year’s list wasn’t any better. The top 10 worst passwords of 2024 included:
- 123456
- 123456789
- 12345678
- Password
- qwerty123
- qwerty1
- 111111
- 12345
- secret
- 123123
Read more in our blog post: The Worst Passwords of 2024: Are You Still Using One of These?
Analysis: What Changed and What Are the New Trends?
Even with enormous increases in hacking activity, numerical sequences (123456) and basic dictionary words (password) remain at the top of the list year after year. The global data shows little improvement in user behaviour. There are, however, some noticeable shifts. The popularity of the password admin is rising due to weak corporate security practices. Pseudo-complex passwords such as Aa123456 or Admin@123 appear more often, but attackers crack these instantly because the patterns are predictable.
The Generational Password Divide: Gen Z, Boomers, and the Password Habits That Separate Them
The research reveals something fascinating: everyone across different generations uses bad passwords, just in different ways. Across every age group, passwords like 12345 and 123456 appear again and again. This proves a simple truth: bad password habits transcend age.
Older Generations (Gen X, Boomers)
- Trend: These generations are far more likely to use names — such as “Veronica” or “Maria” — often followed by numbers, especially birth years.
- Risk: These credentials are extremely vulnerable to social engineering, because attackers can find names, birthdays, and family information through public records or social media.
Read more on social engineering: How to Recognize and Defend Yourself Against Social Engineering Attacks

Younger Generations (Millennials, Gen Z)
- Trend: They tend to avoid names, instead choosing long numbers (1234567890), pop culture references, and meme-style passwords (yes, skibidi has appeared on worst password lists).
- Risk: These passwords still fall to dictionary attacks, because they’re single-word entries easily tested by automated cracking software.
[Screenshot taken from Urban Dictionary: https://www.urbandictionary.com/define.php?term=Skibidi]
The Illusion of Complexity
One of the most interesting findings this year: 32 passwords on the 2025 list included special symbols — up from just 6 the year before. That sounds like progress, until you look closely. Most “complex” passwords are just familiar patterns like:
- P@ssw0rd
- Admin@123
- Welcome#1
These might look clever to a human — but to modern cracking software, they’re instantly recognisable variants.
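The two habits described above (a name followed by a birth year, and a familiar word dressed up with symbol swaps and a digit suffix) can be caught at sign-up or password change by normalising the candidate before comparing it with a blocklist. The sketch below is an added example, not NordPass's or Koofr's code: the word lists contain only passwords and names quoted in this post, `Maria1985` is a constructed sample, and the function names are hypothetical.

```python
import re
from typing import Optional

# Base words from the passwords quoted in this post (constructed, tiny blocklist;
# a production check would load a large breached-password corpus instead).
BASE_WORDS = {"password", "pass", "admin", "welcome", "qwerty", "secret", "skibidi"}
NAMES = {"veronica", "maria"}  # the two names the post mentions

# Undo the usual character swaps before the lookup: @->a, 0->o, 3->e, $->s ...
LEET = str.maketrans("@4031$57!", "aaoelssti")
DIGIT_RUN = "01234567890123456789"


def numeric_pattern(pw: str) -> bool:
    """Digits only and either a repeated chunk (111111, 123123) or a counting run."""
    if not pw.isdigit():
        return False
    repeated = pw in (pw + pw)[1:-1]
    return repeated or pw in DIGIT_RUN or pw[::-1] in DIGIT_RUN


def weakness(password: str) -> Optional[str]:
    """Return why the password is predictable, or None if no rule matches."""
    pw = password.lower()
    if numeric_pattern(pw):
        return "numeric sequence"
    # Split "Admin@123" into core "admin" and suffix "@123".
    core = re.sub(r"[\W\d_]+$", "", pw)
    suffix = pw[len(core):]
    if core in NAMES and re.search(r"(19|20)\d\d$", suffix):
        return "name + year"
    # Check both forms so a word ending in a swapped character still matches.
    for candidate in (pw.translate(LEET), core.translate(LEET)):
        if candidate in BASE_WORDS | NAMES:
            return "dictionary word with cosmetic changes"
    if len(core) < 4 and numeric_pattern(re.sub(r"\D", "", suffix)):
        return "short prefix + numeric sequence"
    return None


if __name__ == "__main__":
    for sample in ["P@ssw0rd", "Admin@123", "Welcome#1", "Aa123456",
                   "123123", "Maria1985", "tundra-Velvet-94-orbit"]:
        print(f"{sample:24} {weakness(sample) or 'no rule matched'}")
```

A password that passes these rules is not thereby strong; the check only rejects the predictable shapes this post lists.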
The Cybersecurity Stakes: Why a Weak Password is a Ticking Time Bomb
- Instant crack time: Most of the top global passwords can be broken in under one second.
- Malware and credential theft: Credentials are no longer obtained only through breaches. Increasingly, they’re stolen directly from infected devices using malware.
- Credential stuffing: Reusing one password across multiple sites invites disaster. If hackers obtain your 123456 password on a single platform, they try it on banks, email, streaming services, government sites and shopping apps within seconds.
Learn more on guarding your online accounts: How to Defend Against Sophisticated Password Attacks
Koofr Guides to Stronger Passwords and Better Cyber Security
You don’t need to memorise 100 complicated passwords — you only need to adopt safer habits. Here are our recommended reads that show how to build a secure digital life:
- Strong passwords and how to remember them
- 9 ways to make your passwords less bad
- World Password Day 2024: Secure your digital world with password managers
- World Password Day 2022: Best tips for protecting your personal data online
- 2FA recovery codes: Your last line of defence
2025 proves that password security is a behaviour problem, not a technology problem. We know what makes a bad password. We know what hackers target. And we now know how different generations repeat the same mistakes.
The good news? Password managers, multi-factor authentication and simple password hygiene can eliminate almost all of these risks — without sacrificing convenience. This year, don’t just read the list. Change your behaviour. Your digital life depends on it.
