- 123456 was the most common leaked password in 2025, followed by admin and 123456789.
- Names of pets, partners, and children are heavily used and easy for attackers to guess.
- Adding 1! or @123 to a common word does not save it. Crackers test those patterns first.
- If you spot a password you use on the list, change it everywhere before finishing this article.
Every year, security researchers analyze billions of passwords pulled from real data breaches and publish the most common ones. Every year, the list looks almost identical. 123456, password, admin, qwerty. The names change at the bottom. The top barely moves.
This article is your shortcut. If your password is on this list, or anywhere close, you are not protected. Replace it before the end of the day.
The 2025 worst offenders
NordPass, working with research firm NordStellar, analyzed leaked passwords from 44 countries from September 2024 to September 2025. Their top global passwords for the year:
- 123456
- admin
- 12345678
- 123456789
- 1234
Other entries that round out the top 20: 12345, password, 123, Aa123456, 1234567890, UNKNOWN, 1234567, password1, P@ssw0rd, qwerty123, iloveyou, welcome, monkey, letmein, and football.
All of these are cracked in less than one second by automated tools. They appear in every dictionary attack list. They are the first thing tried in credential stuffing campaigns.
The patterns attackers know by heart
Beyond the obvious entries, certain patterns appear over and over. Researchers who analyzed 15 billion leaked passwords found:
- About one in 30 people use their birth year in a password.
- The years 1975 to 2010 each appeared in at least 3 million passwords.
- Adding a number from 0 to 99 at the end of a password is so common it is a feature of cracking tools, not a defence.
- The single digit 1 is the most popular ending number, used by roughly one in five people who add a digit.
Capitalizing the first letter, swapping o for 0, replacing a with @, and ending with ! are all on the standard list of mutations every cracking program tries automatically. P@ssw0rd1! is not a clever variation. It is one of the first things tested.
Personal data: the silent leak
Names, birthdays, sports teams, pets. These do not show up in global lists because they vary by person, but research shows they are extremely common in real password choices.
The Google and Harris Poll study found:
- 33% of users include a pet's name.
- 22% use their own name.
- 15% include a partner's name.
- 14% include a child's name.
For Canadians, you can add: hockey teams, hometown names, postal codes, and references to common Canadian landmarks. Habs2024, Toronto1!, and Canada150 are weak passwords for the same reason: they are predictable, in standard cracking dictionaries, and tied to public knowledge about Canadians.
If a stranger could guess your password by reading your last 20 social media posts, change it.
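A defender-side way to enforce the two sections above, added here as an example and not code from this article or from the research it cites: a denylist check that first undoes the mutations cracking tools apply (lowercasing, the trailing 1, !, 123 or year, the o to 0 and a to @ style substitutions) and only then compares against the common-password list and against the user's own personal terms (pet, partner, team, city). The word list is constructed from the entries named in this article; the extra leetspeak substitutions and the 12-character floor are assumptions.

```python
import re

# Denylist constructed from the passwords named in this article (the 2025 top 20,
# the default credentials, and the Canadian examples). A real deployment would
# load the full top-1000 list or a breach corpus instead.
COMMON_WORDS = {
    "123456", "admin", "12345678", "123456789", "1234", "12345", "password",
    "123", "aa123456", "1234567890", "unknown", "1234567", "password1",
    "p@ssw0rd", "qwerty123", "iloveyou", "welcome", "monkey", "letmein",
    "football", "qwerty", "changeme", "habs", "toronto", "canada",
}

# Substitutions to undo before matching. The article names o->0 and a->@; the
# rest are the usual leetspeak set (assumption). "1" is ambiguous (i or l) and
# is mapped to "i" only, so spellings that use 1 for l are not caught.
LEET = str.maketrans({
    "0": "o", "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "$": "s", "5": "s", "7": "t",
})

# Trailing run of digits and/or symbols: the 1, !, 123 and 2024 endings the article lists.
TRAILING_JUNK = re.compile(r"[\d\W_]+$")
# A four-digit year anywhere in the password (1900-2099; the article cites 1975-2010 as the hot range).
YEAR = re.compile(r"(?<!\d)(19|20)\d\d(?!\d)")


def candidate_forms(pw: str) -> set[str]:
    """All the shapes a cracking tool's mutation rules would produce, in reverse:
    as typed (lowercased), with trailing digits/symbols removed, and with
    leetspeak undone on both."""
    lower = pw.lower()
    stripped = TRAILING_JUNK.sub("", lower)
    return {lower, stripped, lower.translate(LEET), stripped.translate(LEET)}


def weak_reasons(pw: str, personal_terms=(), min_length: int = 12) -> list[str]:
    """Return the reasons a password should be rejected; an empty list means it passed.
    personal_terms: the user's own name, pets, partner, team, city (the article's silent leak).
    min_length is an assumption; the article itself recommends 20 random characters."""
    forms = candidate_forms(pw)
    personal = {t.lower() for t in personal_terms}
    reasons = []
    if forms & COMMON_WORDS:
        reasons.append("matches a common password once mutations are undone")
    if forms & personal:
        reasons.append("built from personal information")
    if YEAR.search(pw):
        reasons.append("contains a year")
    if TRAILING_JUNK.sub("", pw.lower()) == "":
        reasons.append("only digits and symbols")
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    return reasons


if __name__ == "__main__":
    # "Fluffy" stands in for a pet name the user would have supplied at signup (constructed).
    for pw in ["P@ssw0rd1!", "Toronto1!", "Habs2024", "Fluffy2019", "xT9#kLm2$Qw8!pZr4&Vb"]:
        print(pw, "->", weak_reasons(pw, personal_terms=["Fluffy"]) or "ok")
```

The normalisation step is the point: checking the typed string alone would pass P@ssw0rd1!, while checking the stripped and de-leeted form catches it as password. Personal terms have to come from the account itself (profile fields, the user's name) because, as the article says, they never appear in a global list.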
What about default and admin passwords?
Every router, smart device, and admin panel ships with a default password. admin. password. changeme. 12345. Manufacturers know users rarely change them, which is why botnets like Mirai grew to hundreds of thousands of devices by exploiting default credentials.
If you set up a router, a smart camera, or any IoT device, change the default password during setup, before connecting it to the internet. The Canadian Centre for Cyber Security recommends this as a basic step in their home network guidance.
Why people keep using bad passwords
Researchers consistently find that the same patterns repeat across age groups and geographies. Some reasons:
- Cognitive load. The average person now has more than 100 accounts. No one can remember 100 unique strong passwords.
- Apathy after breach. When everything has been leaked at least once, why bother?
- Friction. Strong passwords are inconvenient to type, so users default to short ones.
- Misplaced confidence. Users think a small variation defeats attackers. It does not.
The fix for all four is the same: a password manager that generates and stores 20-character random passwords, so the human only has to remember one master passphrase. Once that is in place, the temptation to use password never comes up because the manager fills in the password for you.
How to check if your password is on a list
You can check any password instantly at haveibeenpwned.com/Passwords. The lookup uses a hash and never transmits the password itself. If the password appears in any known breach, the result tells you how many times it has been seen. Anything with more than zero hits should be retired immediately.
We cover the full process in how to check if your password has been leaked.
Pick a length, hit generate, copy. Replace any weak password right now with a 20-character random one.
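How the hashed lookup works and how a generator fits beside it, as an added example (not code from this article and not an official Have I Been Pwned client): the Pwned Passwords range protocol hashes the password with SHA-1, sends only the first five hex characters to api.pwnedpasswords.com/range/, and matches the remaining 35 characters locally against the returned SUFFIX:COUNT lines, so the service never learns the password or even its full hash. The sample range response below is constructed so the code runs offline; its counts and two of its suffixes are made up. The generator draws 20 characters from the secrets module, which is the standard library's CSPRNG.

```python
import hashlib
import secrets
import string
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the upper-case hex digest into the 5-char
    prefix that is sent and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Match our suffix against the 'SUFFIX:COUNT' lines the range endpoint returns.
    Returns the breach count, or 0 if the suffix is absent from the range."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup: only the 5-char prefix goes over the wire."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password has been seen in breaches (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed stand-in for the range response of prefix 5BAA6, which is where the
# SHA-1 of "password" begins. The other two suffixes and all counts are made up.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9999999
"""


def sample_fetch(prefix: str) -> str:
    """Offline fetcher: returns the constructed sample for 5BAA6, nothing for any other prefix."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length: int = 20, fetch=sample_fetch) -> str:
    """Generate a random replacement with secrets (never the random module) and
    re-draw in the vanishingly unlikely case the result already has breach hits."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if pwned_count(pw, fetch=fetch) == 0:
            return pw


if __name__ == "__main__":
    print("password ->", pwned_count("password", fetch=sample_fetch), "hits (sample data)")
    print("fresh    ->", generate_password())
```

Pass `fetch=fetch_range` to `pwned_count` or `generate_password` for a live check. The range endpoint returns several hundred suffixes per prefix, so an observer of the request learns only that the password hashes into one of those buckets, which is the k-anonymity property the article's "never transmits the password itself" refers to.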
The shortest possible advice
Do not use any of these:
- Any password from the global top 1000 list.
- Your name, your kids' names, your pet's name.
- Your birth year, your address, your postal code.
- The word password, in any language, in any combination, with any number of substitutions.
- Your favourite team or band.
- Anything that ends with 1, !, 123, or the current year.
Use a generator. Save the output in a manager. Move on.