People never change... No matter how much IT professionals try to warn about the risks of weak passwords, it seems we just can't resist using them anyway despite the huge risks involved as more and more of our lives move online.
According to data analysed by password management company NordPass, the most common password found in their research was "admin". Many of the entries on the list are just runs of consecutive digits (123456 etc.). Almost unbelievably in 2025, 5 of them are just variations of the word "password". Presumably these people also leave their doors unlocked and open at night!
Here's the full list:
- admin
- password
- 123456
- 12345678
- 123456789
- 12345
- Password
- 12345678910
- Gmail.12345
- Password1
- Aa123456
- f*******t
- 1234567890
- abc123
- Welcome1
- Password1!
- password1
- 1234567
- 111111
- 123123
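As an added example (not NordPass's code or anything from their research), here is a sketch of how a sign-up form could screen for the list above and its obvious variations. The names `screen_password`, `STEMS` and `SWAPS` are assumptions made for this illustration, and the character-swap and digit-pattern rules go beyond the entries listed.

```python
import re

# Entries copied from the list on this page; the one the page masks with
# asterisks is left out rather than guessed.
COMMON = {
    "admin", "password", "123456", "12345678", "123456789", "12345",
    "Password", "12345678910", "Gmail.12345", "Password1", "Aa123456",
    "1234567890", "abc123", "Welcome1", "Password1!", "password1",
    "1234567", "111111", "123123",
}
# Assumption: word stems picked by hand from the list above.
STEMS = {"admin", "password", "welcome", "gmail", "abc", "aa"}
# Assumption: a small table of common character swaps (not from the page).
SWAPS = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e"})
# "0123...9101112..." so runs such as 12345678910 are caught too.
COUNTING = "".join(str(i) for i in range(30))


def digit_pattern(s):
    """Name the pattern if s is only digits in an obvious pattern."""
    if not (s.isascii() and s.isdigit()):
        return None
    if len(set(s)) == 1:
        return "repeated digit"
    if s in COUNTING or s in "1234567890":
        return "consecutive digits"
    for size in range(2, len(s) // 2 + 1):
        if len(s) % size == 0 and s == s[:size] * (len(s) // size):
            return "repeated digit block"
    return None


def screen_password(candidate):
    """Return why the candidate is rejected, or None if no rule matches."""
    if candidate in COMMON:
        return "on the published list"
    pattern = digit_pattern(candidate)
    if pattern:
        return pattern
    # Drop digits/punctuation stuck on either end, then undo the swaps.
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", candidate)
    core = core.lower().translate(SWAPS)
    if core in STEMS:
        return f"variation of '{core}'"
    return None
```

A check like this only rejects the most predictable choices; a password that passes it is not necessarily a strong one.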
If you have an account protected by just a password, the current best advice is to protect it with three random but memorable words (e.g. branch-train-teapot). However, as attackers' tools get more advanced, even the most complex passwords are vulnerable to being compromised. As we have covered many times in the past, wherever possible, you should also enable some form of multi-factor authentication - ideally via a code generated by an app rather than SMS, as SMS is also vulnerable to compromise.
Even that isn't necessarily enough to protect against the most determined attackers (although it is almost infinitely more secure than not doing it). Passkeys are the new method of protecting online accounts, and the beauty of them is there's no password to remember at all! They use your device(s) to check you are who you say you are. This makes it almost impossible to compromise your account, because physical access to your device is needed to unlock it (and the device itself needs to be unlocked).
Additionally, at the other end, only half of the "key" to open your account is ever stored. The other half exists only on your device. This means that if a company's database is hacked, your "password" can't be stolen that way, even in an encrypted form. As we enter 2026, it wouldn't be a bad idea to make switching to passkeys wherever they're available one of your missions for the year!