
The Passwords Hackers Guess First

By Jenny Leight  •  June 16, 2026

Every year, cybersecurity researchers at NordPass publish a list of the most commonly used passwords. Unfortunately, many of the same weak and predictable passwords continue to appear year after year. 

While these passwords may be easy to remember, they're also easy for criminals to guess or crack using automated tools. If a password is compromised, it can give bad actors access to sensitive accounts containing personal, financial, and identity information. 

The risk is even greater when the same password is reused across multiple accounts. A single compromised password can create a domino effect, allowing criminals to access email, banking, shopping, or other important online accounts. 

The good news is that stronger password habits can significantly reduce your risk. Using unique, complex passwords for every account and storing them in a trusted password manager helps protect your personal information and financial life. Start by checking whether any of your passwords resemble the common passwords listed below, then take steps to strengthen your account security.



The most common passwords

For its 2025 report, NordPass partnered with cybersecurity researchers and threat intelligence experts to analyze passwords exposed in data breaches and other publicly available sources across 44 countries. 

The global top 10 most common passwords for 2025:

  1. 123456
  2. admin
  3. 12345678
  4. 123456789
  5. 12345
  6. password
  7. Aa123456
  8. 1234567890
  9. pass@123
  10. admin123

Other passwords that show up on the full top 200 list include "P@ssw0rd," "abcd1234," "Welcome@123," "qwerty123," and—thanks to younger users—internet slang like "skibidi." See the full list.


Bad password habits cross every generation

For the first time, NordPass broke the data down by age group—and the findings are a useful reminder for everyone in the family. You might assume younger people who grew up online are more careful, or that older adults are the ones dragging the numbers down. Neither is true. "12345" and "123456" ranked at or near the top for every generation, from Gen Z to the silent generation.

The patterns differ a little by age. Younger users lean on pop-culture slang, while older users tend to favor familiar names and simple number sequences they can easily remember. But the underlying habit is the same across the board: people pick what's easy to recall, which is exactly what's easy for an attacker to guess. It's worth having this conversation with grandparents, parents, and kids alike.


How to create strong passwords

Hackers use automated tools that can test millions of password combinations in seconds. When passwords follow common or predictable patterns, they can be compromised much more easily. 

To help protect your accounts, follow these best practices: 

  • Use long, unique passwords. Aim for at least 12 characters, and preferably 16–20. Longer passwords are generally more difficult to crack than shorter ones.
  • Avoid personal information and predictable patterns. Names, birthdays, anniversaries, pet names, and common words can often be guessed or discovered through social media and other public sources. Likewise, simple substitutions such as replacing "a" with "@" or "o" with "0" may not provide meaningful protection.
  • Consider using a passphrase. A passphrase combines multiple unrelated words into a longer, more memorable password. For example, a phrase built from several random words is often easier to remember and more secure than a short, complex password.
  • Use a different password for every account. Reusing passwords increases risk because a single compromised account can provide access to many others. Unique passwords help contain the damage if one account is breached.
  • Use a password manager. Password managers can generate strong, unique passwords and securely store them, eliminating the need to remember dozens of complex credentials. Carefull's financial safety service includes a secure password manager alongside account, credit, and identity monitoring and up to $1 million in identity theft insurance.
  • Enable multi-factor authentication (MFA). MFA adds an extra layer of protection by requiring a second form of verification, such as a code sent to your phone or generated by an authentication app.
  • Use passkeys when available. Many websites and apps now support passkeys, which allow you to sign in using your device's built-in security features, such as a fingerprint, face scan, or PIN. Because passkeys can't be reused or stolen in the same way as passwords, they offer a more secure and convenient sign-in experience.
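
As an added example (not code from NordPass or Carefull), the Python below checks a candidate password against the passwords quoted in this article and shows why adding digits to a common word or swapping "a" for "@" leaves it guessable. The function names and the substitution pairs beyond "@" and "0" are assumptions made for illustration.

```python
import string

# Passwords named on this page (NordPass 2025 top 10 plus the others it quotes).
COMMON = [
    "123456", "admin", "12345678", "123456789", "12345", "password",
    "Aa123456", "1234567890", "pass@123", "admin123",
    "P@ssw0rd", "abcd1234", "Welcome@123", "qwerty123", "skibidi",
]
MIN_LENGTH = 12  # the page's minimum recommendation

# Assumed substitution table: the page names "@" for "a" and "0" for "o";
# the other pairs are common look-alikes added for illustration.
UNDO_SUBSTITUTIONS = str.maketrans(
    {"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"}
)
SUFFIX_CHARS = string.digits + string.punctuation


def base_form(password: str) -> str:
    """Reduce a password to the word a guessing tool would start from."""
    stem = password.lower().rstrip(SUFFIX_CHARS)  # drop "123", "@123", "2025!" tails
    return stem.translate(UNDO_SUBSTITUTIONS)     # "p@ssw0rd" -> "password"


COMMON_EXACT = {p.lower() for p in COMMON}
COMMON_BASES = {base_form(p) for p in COMMON} - {""}  # "" comes from digit-only entries


def audit(password: str) -> list[str]:
    """Return the reasons a password is weak; an empty list means none were found."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too-short")
    if password.isdigit():
        findings.append("digits-only")
    if password.lower() in COMMON_EXACT:
        findings.append("on-common-list")
    elif base_form(password) in COMMON_BASES:
        findings.append("variant-of-common-password")
    return findings


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ["admin123", "P@ssw0rd2025!", "Adm1n#2026", "7391",
                      "maple-anchor-violin-thunder"]:
        print(f"{candidate!r}: {audit(candidate) or 'no findings'}")
```

An empty result only means the password matched nothing in this short list; it is not a measure of strength, and a real check would compare against a much larger breached-password set.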


Try Carefull free for 30 days to protect your finances, credit, and identity from fraud, scams, and money mistakes, and see if any of your passwords have been compromised.


Disclaimer: The information and resources above and within the articles are provided for your convenience through Carefull and should not be considered an endorsement of products, services or information provided, or an assurance of security or privacy provided at the linked site. Bristol County Savings Bank does not own or operate these sites and does not guarantee the accuracy, completeness or timeliness of the information contained therein. We encourage you to review their privacy and security policies which may differ from Bristol County Savings Bank. Bristol County Savings Bank assumes no liability for any loss or damage resulting from any reliance on the material provided.