NordPass’ new study highlights the data breach risk posed by weak passwords, linking around 80% of breaches to compromised or reused credentials.
The seventh edition of the Top 200 Most Common Passwords report, produced with NordStellar and independent incident researchers, draws on passwords exposed between September 2024 and September 2025. The sample covers 44 countries and multiple age groups.
Simple strings still top business and consumer lists
Globally, “123456” is the most common password. “Admin” ranks second, while “12345678” sits in third place, confirming that predictable numeric strings remain common.
NordPass notes that more than half of the world’s most popular passwords still rely on simple keyboard combinations of numbers and letters. Examples include “qwerty,” “1q2w3e4r5t” and “123456789.”
Special characters appear more often, but often in ways attackers expect. This year, 32 passwords on the main list include special characters, compared with six last year. Many follow patterns such as “P@ssw0rd,” “Admin@123” and “Abcd@1234,” which automated tools can guess quickly.
For businesses, the data breach risk from weak passwords begins with default-style codes and repeated patterns. Strings such as “admin” and “Admin@123” invite credential stuffing and brute-force attacks across corporate systems.
Generational habits offer little extra protection
NordPass also looked at password choices across generations. Its research shows that younger and older users share similar habits.
“The password habits of 18-year-olds are similar to those of 80-year-olds. Number combinations, such as ‘12345’ and ‘123456,’ are in the top spots across all age groups. The biggest difference is that older generations are more likely to use names in their passwords,” says Arbaciauskas.
Names such as “Veronica,” “Maria” and “Susana” appear often in different age brackets. Generations Z and Y instead pick longer numeric strings such as “1234567890” and cultural references like “skibidi.”
NordPass urges stronger passwords and MFA
Karolis Arbaciauskas, head of product at NordPass, links these choices directly to business risk. “Generally speaking, despite all efforts in cybersecurity education and digital awareness over the years, data reveals only minor improvements in password hygiene.
“The world is slowly moving towards passkeys — a new passwordless authentication method based on biometric data — but in the interim, until passkeys become ubiquitous, strong passwords are very important.
“Especially since around 80% of data breaches are caused by compromised, weak, and reused passwords, and criminals will intensify their attacks as much as they can until they reach an obstacle they can’t overcome,” says Arbaciauskas.
NordPass recommends long, random passwords or passphrases, unique for every account. It advises regular password reviews, password managers to generate and store credentials, and multi-factor authentication for sensitive services.
For company leaders and IT teams, NordPass argues that strong policies, password management tools and MFA can finally cut the data breach risk from weak passwords.

