There's still about seven and a half weeks remaining in 2025, but a new study already has a bead on the worst passwords of the year, with the most awful of the bunch appearing more than 7.6 million times in various data breaches. Suffice it to say, if you're using any of the passwords on the extensive list, you should change it immediately.
What exactly constitutes a bad password? For one, if it's easy to guess, then you shouldn't be using it (especially now that AI tools have entered the mix). And secondly, the more people who use the same password, the more likely it sits near the top of the wordlists attackers try first when going after an account.
For the latest study, Comparitech researchers aggregated more than 2 billion account passwords that were leaked to data breach forums throughout the year. The worst of the bunch is "123456" (over 7.6 million accounts) followed by "12345678" (over 3.6 million accounts) and, you won't believe this, "123456798" (over 2.8 million accounts).
The top three worst passwords accounted for 14 million instances. What about "12345" as made famous in the film Spaceballs? That one ranked number seven on the list, with over 1.3 million accounts found to be using the same one as President Skroob for his luggage.
"In a showcase of human laziness, a striking number of passwords are easily-guessed ascending or descending numbers," Comparitech notes in its report. "One quarter of the top 1,000 passwords consisted solely of numbers. 38.6% contained the string of numbers '123'. Another 2% contained the descending numbers '321'."
The cybersecurity information site also found repeated instances of 'abc' being used in commonly leaked passwords. Additionally, it says many common passwords are made up of a single character repeated, with '111111' ranking number 18 on the list.
Also interesting is that the word 'minecraft' cracked into the top 100 (in the last spot), appearing nearly 70,000 times, plus another 20,000 times with a capital 'M' (so 'Minecraft').
Sadly, the firm doesn't dive too deep into the weeds to support its notion of human laziness. It's entirely possible (and plausible, even) that many of these are throwaway accounts. We'd argue it's not lazy to hammer out a convenient password for quick, one-time access to a site that requires an account, but efficiency. It's aggravating to be required to create an account for a site you only plan on visiting once. The caveat is that a throwaway password is only harmless if it isn't also protecting an account you care about, since leaked credentials are routinely replayed against other sites. That said, we're sure a lot of people are actually using weak passwords, too.
Source: Comparitech
Size matters when it comes to password security. Comparitech's report highlights that 65.8% of compromised passwords were under 12 characters in length, which is the minimum that "most experts recommend." On the flip side, only 3.2% were 16 characters or longer. Understandable, considering that it's difficult to remember multiple long passwords without a password manager.
"Modern password cracking programs make short work of weak passwords. Common passwords are easily guessed. Short passwords are easily brute-forced. By contrast, a strong password will most likely never be cracked. Strong passwords are at least 12 characters long and contain a combination of lower- and upper-case letters, numbers, and symbols," Comparitech states in its latest report.
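To make the report's two failure modes concrete (common or patterned passwords are guessed, short ones are brute-forced), here is a small checker written for this article; it is an added example, not code from Comparitech or from the original page. The blocklist is constructed from the handful of entries named above and stands in for a real breach-corpus list, and the 1e10 guesses-per-second figure is an assumed round number for illustration, not a benchmark. The brute-force bound it computes is deliberately an upper bound: "123456" scores almost 20 bits of keyspace, yet it is guessed first because it is on every wordlist, which is exactly why the pattern checks matter more than the arithmetic.

```python
import math
import string

# Constructed blocklist: only the entries the article names from the Comparitech report.
# A real deployment loads a far larger list built from breach data.
COMMON_PASSWORDS = {
    "123456", "12345678", "123456798", "12345", "111111", "minecraft",
}

# Character classes used to size the brute-force alphabet.
CHARSETS = (
    ("digits", set(string.digits)),
    ("lowercase", set(string.ascii_lowercase)),
    ("uppercase", set(string.ascii_uppercase)),
    ("symbols", set(string.punctuation)),
)


def keyspace_bits(password: str) -> float:
    """Upper bound on brute-force effort: length * log2(alphabet size), where the
    alphabet is the union of the character classes the password actually draws
    from. This only models exhaustive search; it says nothing about how quickly
    a wordlist or pattern-based attack would hit the password."""
    chars = set(password)
    alphabet = 0
    for _, charset in CHARSETS:
        if chars & charset:
            alphabet += len(charset)
    # Characters outside the four classes (e.g. non-ASCII) each widen the alphabet by one.
    known = set().union(*(charset for _, charset in CHARSETS))
    alphabet += len(chars - known)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def brute_force_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the keyspace at an assumed offline guess rate.
    The default rate is an illustrative assumption, not a measured figure."""
    return 2 ** keyspace_bits(password) / guesses_per_second


def assess_password(password: str, min_len: int = 12) -> list[str]:
    """Return the weaknesses the report calls out, in a fixed order; empty if none."""
    findings = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        findings.append("on common-password blocklist")
    if len(password) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if password.isdigit():
        findings.append("digits only")
    if "123" in password:
        findings.append("contains ascending run '123'")
    if "321" in password:
        findings.append("contains descending run '321'")
    if "abc" in lowered:
        findings.append("contains 'abc'")
    if password and len(set(password)) == 1:
        findings.append("single repeated character")
    return findings


if __name__ == "__main__":
    for candidate in ("123456", "111111", "Minecraft", "Tr0ub4dor&3xample!!"):
        print(f"{candidate!r}: {keyspace_bits(candidate):.1f} bits, "
              f"{brute_force_seconds(candidate):.3g} s to exhaust, "
              f"findings={assess_password(candidate)}")
```

Run it and the contrast is stark: the top three on the list are exhausted in a fraction of a second even before the blocklist is consulted, while a 19-character mixed password sits above 120 bits, which no brute-force budget reaches. Being absent from the findings list is necessary but not sufficient; in production the blocklist should be the full breach corpus, not six entries.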
Hopefully we'll come to a point where passwords no longer matter. There's an industry push in that direction with passkeys and biometric security, but for now, password security is still relevant. Two practical rules follow from the report's own numbers: prefer length over clever substitutions, and never reuse a password across accounts, since a breach at one site hands it to attackers at every other. A password manager makes both painless. For your important accounts, be sure you're using a strong, unique password, and enable two-factor authentication if it's an option.