What’s happened? A recent study by Comparitech analyzed over 2 billion leaked passwords from 2025 and found that many of the most common ones are shockingly weak. Among the worst offenders are passwords like “Minecraft” and “qwerty,” as well as region-specific choices like “India@123.”
- The top 10 list still included “123456”, “password”, “admin”, and “1234,” mirroring the findings on 2024’s worst passwords.
- Around 38.6% of the top 1,000 passwords included the string “123”.
- Only 3.2% of passwords had 16 or more characters.

This is important because: Weak passwords remain easy targets for cybercriminals using brute-force attacks or credential stuffing, which reuses logins stolen from one site to break into another.
- Short, predictable passwords let automated tools break accounts quickly.
- Using the same password across multiple accounts amplifies risk if one site is breached.
- The takeaway from millions of leaked passwords is simple: longer, more complex passwords that mix letters, numbers, and symbols are still the safest choice.

Why should I care? Whether you’re using email, streaming services, or banking apps, weak passwords are your weakest link.
- If you’re still using a password under eight characters or one from the top 100 list, consider your account at risk.
- Avoid using personal details like your name, birth year, or pet’s name in passwords, as they are often the first things hackers try.
- Enabling two-factor authentication (2FA) offers a significant safeguard even if your password is compromised.

OK, what’s next? Check your own passwords, and if you are using something like “password”, “123456”, or “qwerty”, change it now.
- Use a different, strong password for every account. You should aim for 12+ characters with upper/lower-case, numbers, and symbols.
- Enable 2FA wherever possible to add that extra barrier.
- Consider using password managers, or the passkey system, to ditch weak passwords entirely by generating secure, device-verified logins.