Why '123456' Still Tops the Charts: What the Latest Password Report Says About Cybersecurity in 2025

Introduction

You would think that after a year filled with huge data breaches, nonstop ransomware stories, and billions lost to cybercrime, people would finally start using better passwords.

According to new research, that is not happening at all.

A recent report from NordPass and NordStellar looked at passwords found in public breaches from September 2024 to September 2025. The results were shockingly familiar. The most common password in the world is still:

123456

Even more surprising, Gen Z is using an even weaker one.

What the Report Found

The study uncovered some eye-opening trends:

  • More than 21 million people used "123456"
  • "password" and "admin" continue to be incredibly common
  • Keyboard patterns like "qwerty" still show up everywhere
  • Simple number strings remain the default choice for millions

Despite major improvements in security tools, weak passwords continue to be one of the most common entry points for attackers.

Why So Many People Still Choose Weak Passwords

Most users are not trying to be careless. They usually choose simple passwords for practical reasons.

Convenience wins

People want something fast and easy to type.

Password overload

With dozens of accounts, many feel overwhelmed and fall back on predictable patterns.

Lack of awareness

Most people know they should have strong passwords, but few understand how quickly modern tools can crack them.

Feeling too small to target

Many assume cybercriminals only care about large companies, which is not true. Most attacks are automated and hit everyone in their path.

The Surprising Part: Gen Z's Weak Password Habit

One of the most interesting findings from the report is the generational breakdown.

  • The most common password among Gen Z is "12345"
  • The same top choice was found in users aged 80 or older
  • Every age group in between preferred "123456"

It turns out the generation that grew up online is not much better at securing their accounts. Convenience appears to be a bigger priority than security, regardless of age.

Why Passwords No Longer Keep Up with Modern Threats

Passwords were never designed for the speed and power of today's cyberattacks.

Modern attackers use:

  • Tools that can guess billions of combinations per second
  • AI that predicts common human patterns instantly
  • Massive lists of leaked passwords from old breaches
  • Automated scripts that test credentials on thousands of sites

A simple password stands no chance against this level of automation.

What People Should Do Instead

Here are simple, practical steps anyone can take to protect their accounts:

Use a password manager

It creates strong, unique passwords for every account and remembers them for you.

Turn on multifactor authentication

Even if your password leaks, MFA blocks most unauthorized access attempts.

Avoid patterns

No sequences, no names, no birthdays, no keyboard shortcuts.

Use passphrases

Long, memorable phrases are far more secure than short patterns.

Update high-value accounts

Your email, bank, and cloud accounts should never share passwords.

Why This Matters for Companies Too

Weak employee passwords are still one of the biggest causes of business breaches. They have led to stolen data, financial losses, reputation damage, and legal issues that could have been prevented.

One bad password can expose:

  • Email accounts
  • Internal files
  • Client information
  • Financial systems
  • Cloud applications
  • Admin tools

Security is only as strong as the weakest login.

What Businesses Should Implement Now

To protect employees and company data, organizations should:

Enforce strong password requirements

Longer passwords reduce break-ins dramatically.

Require MFA across essential systems

Email, HR platforms, admin portals, and cloud apps should not be accessible without MFA.

Audit employee passwords

Identify weak or reused credentials before attackers do.

Adopt single sign-on

Reduce how many passwords employees need to manage.

Provide simple training

A few minutes of education can prevent huge security incidents.
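
The password rules recommended above (longer passwords, no sequences or keyboard patterns, no known-common choices) can be enforced at the moment a password is set. The following is an added example, not code from the report or from ForceNow; the 14-character minimum, the function names, and the small blocklist built from the passwords named in this article are assumptions.

```python
import re

# Passwords this article names as most common. Assumption: a stand-in for the
# full breached-password list a real deployment would load.
COMMON = {"123456", "12345", "password", "admin", "qwerty"}
KEY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
MIN_LENGTH = 14  # assumed policy value, not taken from the article


def longest_run(pw, tracks):
    """Longest stretch of pw that walks along a track, forwards or backwards
    (for example '4567', 'ytrewq' or 'abcd')."""
    best = 0
    for track in tracks:
        for seq in (track, track[::-1]):
            for i in range(len(pw)):
                for j in range(i + best + 1, len(pw) + 1):
                    if pw[i:j] not in seq:
                        break
                    best = j - i
    return best


def screen_password(pw):
    """Return the reasons a candidate password should be rejected."""
    p = pw.lower()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    # Drop trailing digits and symbols so 'Password1!' still matches 'password'.
    if p in COMMON or re.sub(r"[^a-z]+$", "", p) in COMMON:
        reasons.append("common password")
    run = longest_run(p, KEY_ROWS + (ALPHABET,))
    if run >= 4 and run * 2 >= len(p):  # the pattern makes up half or more
        reasons.append("keyboard or sequence pattern")
    if len(set(p)) <= 2:
        reasons.append("repeated characters")
    return reasons


if __name__ == "__main__":
    # Constructed sample candidates, not taken from any breach data.
    for candidate in ("123456", "Password1!", "qwertyuiop1234",
                      "correct horse battery staple"):
        print(repr(candidate), screen_password(candidate) or "accepted")
```

An empty result means the candidate passed every check; a long passphrase passes while a 14-character keyboard walk is still rejected, which a length rule alone would miss.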

Final Thoughts

The fact that "123456" is still the most common password, and that Gen Z is using "12345," shows how much work is still needed in basic cybersecurity habits.

As cyber threats increase and attackers become more automated and more AI-driven, simple passwords are no longer acceptable. Strengthening password hygiene is one of the cheapest, easiest, and most effective steps individuals and businesses can take.

Better passwords lead to fewer breaches, fewer losses, and far less risk.

Security does not always require advanced tools. Sometimes it just starts with not using "12345."

How ForceNow Can Help

Stronger passwords are only the beginning. ForceNow provides complete protection against modern threats, including ransomware, credential attacks, and AI-driven intrusions.

Our SOC services start at just $20 per month and include:

  • Continuous threat monitoring
  • Ransomware protection
  • Real-time alerting
  • Rapid response from trained analysts
  • Security guidance for your team
  • Ongoing protection beyond basic passwords

If you want real cybersecurity for your business instead of just hoping your employees stop using weak passwords, ForceNow has you covered.