Comparitech analyzed more than two billion passwords leaked in 2025 and circulating across hacker forums, Telegram channels, and other marketplaces. The results reinforce a long‑standing reality: ubiquitous, trivial passwords such as “123456”, “admin”, and “password” still dominate breach data, keeping credential‑based attacks highly effective.
Most common passwords in 2025 leaks: patterns that won’t die
Beyond perennial offenders like “admin” and “password,” basic numeric runs remain common (for example, 1–9). The top‑100 list also features “compliance‑driven” constructions that only appear complex, including Aa123456 (ranked #6) and Aa@123456 (ranked #13). These patterns align with outdated password rules that require an uppercase, a lowercase, a digit, and sometimes a symbol—rules attackers anticipate.
Keyboard walks from the top row combined with digits (for example, 1q2w3e4r) are frequent, as are short dictionary words. Notably, “gin” reached #29, and “minecraft” appeared 69,464 times in the dataset. Such findings highlight persistent user behavior: minimizing effort and favoring convenience over unpredictability.
Why these patterns are risky—even when they “look” complex
Attack tooling is optimized for exactly these formats. Attackers use dictionary, mask, and hybrid strategies to generate predictable variants (for example, capitalizing the first letter, appending “123,” or substituting “@” for “a”). Superficial complexity rarely withstands targeted guessing.
Where leaked passwords come from and how attackers weaponize them
The collected password sets flow through a mix of open and closed sources—dark‑web markets, data‑trading forums, and messaging platforms. Once aggregated, they are immediately used for credential stuffing: testing stolen username–password pairs across many services to exploit password reuse. Industry reporting, including the Verizon Data Breach Investigations Report, has for years identified the use of stolen credentials as a leading action in breaches.
How fast weak passwords fall: attack models and cracking speed
In offline attacks, adversaries work against password hashes, combining wordlists, masks, and rules at massive scale. On fast hash algorithms (for example, NTLM), modern GPUs can attempt billions of guesses per second, per public Hashcat benchmarks. That makes common passwords—and their predictable mutations—effectively instantaneous to crack.
Short secrets are especially fragile. Passwords of 8 characters or fewer are highly susceptible to brute force when hashing and rate limits do not slow attackers. The NIST SP 800‑63B guideline advises screening passwords against known‑compromised lists and prioritizing length and randomness over arbitrary complexity rules. Without uniqueness and sufficient length, “complexity” offers little practical defense.
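The screening NIST SP 800‑63B describes can be applied at password‑set time, and it should reject not only exact matches against a compromised list but also the predictable mutations hybrid rules generate (first‑letter capitalization, appended digits, “@” for “a”) and keyboard walks such as 1q2w3e4r. The code below is an added illustration, not Comparitech’s tooling or a vendor library; the compromised list is a constructed sample of the article’s top entries, the 12‑character floor is the article’s recommendation, and the normalization rules are a deliberately small assumption‑driven subset of what cracking tools actually try.

```python
import re

# Constructed sample of a known-compromised list (top entries named in the
# article); a real deployment screens against a full breach corpus.
COMPROMISED = {"123456", "password", "admin", "aa123456", "aa@123456",
               "1q2w3e4r", "gin", "minecraft", "123456789"}

# Keyboard rows for walk detection; digit row also catches numeric runs.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Reverse the common character substitutions attackers' rules apply.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "!": "i"})


def base_word(pw: str) -> str:
    """Undo typical hybrid-rule mutations, e.g. 'P@ssword123!' -> 'password'."""
    w = pw.lower()
    w = re.sub(r"[^a-z]+$", "", w)   # strip appended digits/symbols ("123", "!")
    w = re.sub(r"^[^a-z]+", "", w)   # strip prepended digits/symbols
    w = w.translate(LEET)            # undo leet substitutions
    return w or pw.lower()           # all-digit input falls back to itself


def is_keyboard_walk(pw: str) -> bool:
    """Flag walks like 'qwerty', wrapped runs like '1234567890123', and
    interleaved digit/letter walks like '1q2w3e4r' (checked by projection)."""
    low = pw.lower()
    letters = "".join(c for c in low if c.isalpha())
    digits = "".join(c for c in low if c.isdigit())
    for seq in (low, letters, digits):
        if len(seq) < 4:
            continue
        for row in KEYBOARD_ROWS:
            doubled = row * 2          # allows wrap-around runs
            if seq in doubled or seq in doubled[::-1]:
                return True
    return False


def check_password(pw: str) -> str:
    """Return 'ok' or the first reason the candidate fails the screen.
    Ordered so the most specific finding is reported first."""
    if pw.lower() in COMPROMISED:
        return "appears in compromised list"
    if base_word(pw) in COMPROMISED:
        return "predictable mutation of a compromised password"
    if is_keyboard_walk(pw):
        return "keyboard walk or sequential run"
    if len(pw) < 12:                   # assumed floor: the article's 12+ guidance
        return "too short (12+ characters recommended)"
    return "ok"
```

Because mutation checks run before the length check, a 13‑character “P@ssword2025!” is rejected for what it is rather than accepted for being long enough.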
Password security best practices for 2025: practical defenses that work
Adopt passkeys and platform biometrics where available. Passkeys remove shared secrets from the equation, resist phishing, and mitigate session theft by binding authentication to the device and origin.
If you must use passwords, make them long and unique. Aim for 12+ characters and prefer passphrases. Even small changes across a long phrase materially increase search space; for example, changing a single character in a long passphrase notably raises resistance to guessing.
Eliminate password reuse. Reuse is the fuel for credential stuffing. Use a reputable password manager to generate and store unique secrets for every account.
Enable MFA, prioritizing phishing‑resistant factors. App‑based TOTP or hardware security keys are preferred. SMS codes offer baseline protection but are vulnerable to SIM‑swap and interception.
Monitor for exposure. Periodically check your email addresses with breach‑notification services such as Have I Been Pwned. If your credentials appear in a leak, rotate passwords immediately and revoke active sessions.
The Comparitech findings underscore a behavioral gap: so long as users choose convenience over resilience, attackers will keep winning with automation. Reducing risk requires moving to passkeys where possible, using long, unique passphrases when passwords remain necessary, enabling MFA by default, and routinely checking for exposure. A short audit today—replacing weak or reused passwords, turning on MFA, and planning a passkey migration—meaningfully lowers the chance of account takeover.