Top 200 Most Common Passwords | NordPass

Submitted ⁨⁨15⁩ ⁨hours⁩ ago⁩ by ⁨otters_raft@lemmy.ca [bot]⁩ to ⁨technology@beehaw.org⁩

https://nordpass.com/most-common-passwords-list/

Seven years since our first top 200 common passwords list, we’ve witnessed how credential trends have changed — and what has remained the same. Each year, we rediscover people’s tendency to opt for weak passwords that prioritize convenience over security.

However, this year, we decided to ask ourselves: How do different generations treat their password use? From the silent generation to the “zoomers,” we analyzed which passwords are the most common among different user groups. As it turns out, bad password habits are trendy no matter how old you are.

source

Comments

Sort:hotnew top

echodot@feddit.uk ⁨3⁩ ⁨hours⁩ ago
For the longest time the admin password for the router at work was PasswordReset.124, the useless penetration testers didn’t even pick up on it.

I’ve changed it to something actually random and then, following established industry standard security practises, somebody else has gone and written it on a post-it note, and stuck it to the router. So we’re all fine now.

I’m extremely tempted to “hack” the network and bring it down only to be the hero that brings it back up after a few hours of non-productivity. But I feel like if they found out that might be a firing offence.

source
- Duke_Nukem_1990@feddit.org ⁨32⁩ ⁨minutes⁩ ago
  Especially now that you committed it to this federated website.
  
  source
pruwybn@discuss.tchncs.de ⁨3⁩ ⁨hours⁩ ago
Long passwords are more secure which is why I chose PasswordAdminQwertyAbcdefg1234567890987654321

source
rekabis@lemmy.ca ⁨11⁩ ⁨hours⁩ ago
Am I unreasonably disappointed to not find “Correct Horse Battery Staple” in that list?

source
Sibbo@sopuli.xyz ⁨14⁩ ⁨hours⁩ ago
Always make sure to pick a popular password people, you don’t want your hacker to think you are a special snowflake.

source
- smeg@feddit.uk ⁨13⁩ ⁨hours⁩ ago
  Can’t run the risk of being fingerprinted, privacy and anonymity first!
  
  source
echodot@feddit.uk ⁨3⁩ ⁨hours⁩ ago
There was a post on here a while ago about the most popular four digit PIN numbers. I think the top five were

And 1701

We’re are all so original
source
- AAA@feddit.org ⁨13⁩ ⁨minutes⁩ ago
  Kinda hard to be original with four digit PINs. Of course there’s some worse choices than others, but 9999 possible combinations really limit creativity.
  
  source
Sims@lemmy.ml ⁨3⁩ ⁨hours⁩ ago
Good news everyone ! “top 200 most common passwords” isn’t in the list, so we can keep using that one !

source
ZoteTheMighty@lemmy.zip ⁨14⁩ ⁨hours⁩ ago
P@ssw0rd is ahead of Password. Times they are a changin

source
- echodot@feddit.uk ⁨3⁩ ⁨hours⁩ ago
  It’ll just be that a lot of password systems insist on a number in a special character.
  
  source
- purplemonkeymad@programming.dev ⁨4⁩ ⁨hours⁩ ago
  I know a couple of people who think they are clever for these kinds of substitutions, I can probably use this fact on them. Not sure they will change their ways after, they kinda oppose any change.
  
  source
- akwd169@lemmy.sdf.org ⁨12⁩ ⁨hours⁩ ago
  Most places force you to put a number and a special character in there now, the number of places you can get away with just a word for a password is dwindling
  
  source
ininewcrow@lemmy.ca ⁨15⁩ ⁨hours⁩ ago
Top 3 are still the same from previous years

12345

123456

12345678

It’s official: “123456” has once again claimed the controversial title of the world’s most common password — and one of the weakest. That marks six out of seven years this password has topped our chart
source
- mctoasterson@reddthat.com ⁨8⁩ ⁨hours⁩ ago
  Except among Zoomers, with whom the most common password is 67
  
  source
- lemmie689@lemmy.sdf.org ⁨14⁩ ⁨hours⁩ ago
  How can I get to Sesame Street?
  
  source
- Catoblepas@piefed.blahaj.zone ⁨15⁩ ⁨hours⁩ ago
  12345?
  
  source
thingsiplay@beehaw.org ⁨14⁩ ⁨hours⁩ ago
Looking at the different countries is also funny. The only password I’m not surprised about is admin, because that’s probably the default for most devices maybe? Unless user changes it manually.

But my question is, are these only “hacked” passwords? Because those who are not hacked, you don’t know what passwords they have. So this is a bit of bias here, right?

source
- t3rmit3@beehaw.org ⁨10⁩ ⁨hours⁩ ago
  
  But my question is, are these only “hacked” passwords? Because those who are not hacked, you don’t know what passwords they have. So this is a bit of bias here, right?
  
  No, that’s not how these are obtained. Password dumps are from attackers breaching a site’s user database and dumping their credentials, usually by phishing administrators’ logins. Attackers are brute-forcing passwords anymore except on a one-off, very rare basis. Here’s a list of publicly-known password dumps, and you can see details about where they came from: haveibeenpwned.com/PwnedWebsites
  
  source
  - thingsiplay@beehaw.org ⁨10⁩ ⁨hours⁩ ago
    Ah right, that makes sense. I know that site, but didn’t think of. I know not the smartes in the town.^^
    
    I also wonder if people do more secure passwords for important services. Or do they treat it the same? My parents always used their birthday as password, so they do not forget it. Which not much more secure than 1234.
    
    source
    -> View More Comments
- Creat@discuss.tchncs.de ⁨12⁩ ⁨hours⁩ ago
  Thankfully this isn’t allowed for new devices being sold in the EU anymore. They are required to have a per-device individual password now. Hopefully this effectively causes the practice to at least become much less common globally. After all, if you’ve setup the needed manufacturing steps, there’s little sense in skipping them depending on a target region.
  
  source
- smeg@feddit.uk ⁨13⁩ ⁨hours⁩ ago
  You didn’t fill in the survey when the password inspector sent you that email? Rude!
  
  source
SnotFlickerman@lemmy.blahaj.zone ⁨15⁩ ⁨hours⁩ ago

12345

That’s amazing. I’ve got the same combination on my luggage!

source
- PerogiBoi@lemmy.ca ⁨14⁩ ⁨hours⁩ ago
  All I see is *****
  
  source
glibg@lemmy.ca ⁨7⁩ ⁨hours⁩ ago
theworldinyourhand

Really? is that from something?

source
- Sims@lemmy.ml ⁨3⁩ ⁨hours⁩ ago
  …a super prolific autistic account hoarder ?
  
  source
bryndos@fedia.io ⁨14⁩ ⁨hours⁩ ago
do they account for the circumstances?

most public wifi login pages get:
u: abc@def.com
p: qwerty

from me.

I assume those types of services get breached all the time and no one cares. I think they just want plausible deniability on acceptable use of the wifi.

source
HappyFrog@lemmy.blahaj.zone ⁨15⁩ ⁨hours⁩ ago
Damn, doesn’t load for me :/

source
SanctimoniousApe@lemmings.world ⁨12⁩ ⁨hours⁩ ago

Methodology

The Top 200 Most Common Passwords report is the result of a joint effort between NordPass and NordStellar, prepared in collaboration with independent researchers specializing in cybersecurity incidents. Recent public data breaches and dark web repositories were analyzed from September 2024 to September 2025 to identify statistically aggregated data. No personal data was acquired or purchased for this research.

Okay, so how valid is this really if they’re only using those passwords that were hacked?

source
- t3rmit3@beehaw.org ⁨11⁩ ⁨hours⁩ ago
  It’s very valid. The password dumps they’re analyzing aren’t based on attackers brute-force, they’re based on attackers breaching sites’ backends and dumping the user databases. Some of these are sites with millions of records, and when you look at credential-stuffing lists (which are aggregate lists of currently-accessible accounts using previously-breached credential pairs), it adds millions more.
  
  Sort this list by year, and you can see there’s tens of millions of leaked passwords in 2025 alone: haveibeenpwned.com/PwnedWebsites
  
  source
  - SanctimoniousApe@lemmings.world ⁨10⁩ ⁨hours⁩ ago
    That makes sense, thank you.
    
    source