CompariTech on Thursday released a report detailing the most-used passwords of 2025, which reveals that “123456” is the worst password of the year. Of the 2 billion passwords leaked on data breach forums this year, more than 7.61 million accounts had “123456” set as their password. This isn’t the first time a report singled out “123456” as the worst password you could use to protect an online account. We saw it happen in previous years, with “123456” outranking “admin” and “password,” which are also present in the top 10 that CompariTech released.
The company published a list of the top 100 most-used passwords of 2025, which some people might want to check out to ensure their passwords aren’t on the list. These are all bad passwords. They’re popular because hackers managed to breach accounts protected by these passwords. The leaked information made it to the Dark Web and other places where stolen credentials are traded. That’s how CompariTech was able to access the data and analyze the types of bad passwords people have been using this year.
Other passwords that are easy to guess and made the top 100 are “minecraft” (100th) and “India@123” (53rd). The latter is more complex than passwords made out of numbers or simple words, but it’s still easy to crack.
How to protect your internet accounts with strong passwords
CompariTech notes that, “in a showcase of human laziness, a striking number of passwords are easily guessed ascending or descending numbers.” The company found that a quarter of the top 1,000 passwords are made of numbers. Nearly 40% have the string of numbers “123” in them, while 2% have the same set of numbers, but reversed (“321”). Other people place the “abc” letter sequence in their passwords, and some just repeat the same character. “111111” was the 18th most-used password. Passwords that contain the word “pass” or “password” account for almost 4% of the top 1,000 most common passwords.
The report also notes that most experts recommend people use a password length of at least 12 characters. The longer the password, the longer it takes for hackers to crack it. The data CompariTech analyzed showed that nearly 66% of the stolen passwords had fewer than 12 characters. “A strong password will most likely never be cracked. Strong passwords are at least 12 characters long and contain a combination of lower- and upper-case letters, numbers, and symbols,” CompariTech notes. It should be “sufficiently random” to avoid patterns. Finally, CompariTech says that every password should be unique so hackers won’t try to use the same username and password combination for multiple web properties.
These findings tell you almost everything you need to do to protect your digital properties with strong, unique passwords. If you’ve been using “123456” or any of the other bad passwords in the list, you should change them immediately. Using a password manager on phones and computers should help you store passwords securely, without having to remember each one.
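The weak patterns and the strength criteria quoted above can be turned into a simple audit check. The Python sketch below is an added example, not CompariTech's code or methodology: the function names, labels and sample list are constructed for illustration, and the blocklist holds only the passwords quoted in this article.

```python
import re

# Blocklist limited to passwords quoted in this article (not the full top 100).
COMMON = {"123456", "admin", "password", "111111", "minecraft", "india@123"}
# Character classes from the quoted guidance: lower, upper, digit, symbol.
CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]

def weaknesses(pw: str) -> list[str]:
    """Return which of the report's weak patterns a candidate password matches."""
    low = pw.lower()
    found = []
    if low in COMMON:
        found.append("listed")
    if len(pw) < 12:                      # report: at least 12 characters
        found.append("short")
    if pw.isdigit():                      # made only of numbers
        found.append("digits-only")
    if "123" in pw or "321" in pw:        # ascending or descending run
        found.append("number-run")
    if "abc" in low:
        found.append("abc")
    if "pass" in low:                     # covers "pass" and "password"
        found.append("pass")
    if pw and len(set(pw)) == 1:          # one character repeated
        found.append("repeated-char")
    if not all(re.search(c, pw) for c in CLASSES):
        found.append("missing-class")
    return found

def pattern_share(passwords: list[str]) -> dict[str, float]:
    """Percentage of a password list that hits each pattern."""
    counts: dict[str, int] = {}
    for pw in passwords:
        for w in weaknesses(pw):
            counts[w] = counts.get(w, 0) + 1
    return {k: round(100 * v / len(passwords), 1) for k, v in counts.items()}

# Constructed sample: five passwords quoted in the article plus one random string.
SAMPLE = ["123456", "India@123", "111111", "minecraft", "password",
          "tR7#qLz!9vWx2&mK"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r}: {weaknesses(pw) or 'no listed weakness'}")
    print(pattern_share(SAMPLE))
```

“India@123” passes the character-class test yet is still flagged as listed, short and containing a number run, which matches the article's point that it only looks more complex.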

