Skip to main content
Cybersecurity

Most common passwords: Exclusive list of the worst

Most common passwords: Exclusive list of the worst

123456

They tell us not to use it. Security teams shout it from blog posts and conference stages. Yet time and again the string “123456” — alongside other painfully simple choices such as admin and password — tops lists of the most common passwords. How can something so widely condemned remain so widely used, and what does that mean for people, companies and the broader economy?

123456: why the worst passwords keep winning

For decades, technologists have warned that short, predictable passwords are trivial for attackers to guess or crack. The problem is not just nostalgia for convenience; it is the algebra of human behavior colliding with hostile economics. A recent examination of leaked collections shows these same weak choices persist across billions of credentials, a fact cybersecurity experts say reflects two deep, related habits: reuse and friction avoidance.

Background and the current picture
– Mega-collections of credentials are often compilations of many breaches, some years old, assembled into single searchable datasets. That aggregation magnifies the apparent scale of weak-password reuse even if much of the data is not freshly leaked.
– Attackers exploit this reality with credential-stuffing: automated attempts that replay usernames and passwords across services until a match yields an account takeover. The economics are stark — credential-stuffing kits are cheap and rentable, lowering the skill barrier for attackers.
– Defenders have improved tools — multi-factor authentication (MFA), password managers, behavioural monitoring — but adoption and configuration remain uneven. Even when protections exist, adversaries evolve: phishing to intercept one-time codes, session-hijacking proxies, and real-time capture of tokens.

Why it matters
– Individual risk: Reused or trivial passwords turn a single breach into many account takeovers. Surveys indicate a substantial share of users still reuse credentials across sites, keeping the attack surface large.
– Business risk: Credential stuffing drives fraud, account takeovers, and remediation costs. Regulators and courts are beginning to hold companies accountable; fines and reputational damage can exceed the cost of sensible security investments.
– Systemic risk: When large datasets of reused passwords circulate, attackers refine phishing and targeting, increasing the efficiency and scale of campaigns that enable identity theft, financial fraud and persistent privacy harms.

Voices from the field
– “The numbers alone don’t tell the full story,” said security researcher Troy Hunt in a published discussion about large aggregated password collections; many of the passwords have been circulating for years, which matters when assessing immediate harm.
– “Even if these passwords have been around for a while, their sheer volume highlights how pervasive credential reuse remains — a problem that multi-factor authentication and better password hygiene must address,” said Dr. Katie Moussouris, CEO of Luta Security.
– From a policy angle, Senator Mark Warner has warned that legislation must keep pace with attackers who exploit regulatory and technical gaps, urging stronger data-protection frameworks and incentives.

What works — and what doesn’t
– Effective measures
– Make unique, long passwords the easy default: password managers integrated into platforms reduce human memory burden.
– Require and properly implement multi-factor authentication (MFA), with attention to phishing-resistant second factors (hardware keys, passkeys).
– Deploy anti-automation defenses and rapid detection for credential-stuffing patterns.
– Assume breach: adopt rate limits, anomaly detection, and rapid password reset protocols when compromises are detected.
– Over-relied-on or weaker measures
– Password complexity rules (mix of symbols, numbers, caps) without length and uniqueness still produce guessable patterns.
– Education alone rarely changes behavior at scale; design and defaults must bear most of the burden.

Perspectives and trade-offs
– Technologists emphasize layered defenses: no single control is a silver bullet. They point to product design that reduces user friction as the sustainable path to better security.
– Policymakers see a role for clearer standards and enforcement: fines and penalties clarify expectations, but reactive enforcement cannot substitute for robust, proactive safeguards.
– Users balance convenience and security. Many choose convenience because daily life demands it; the modern fix is to make the secure choice the convenient default.
– Adversaries will continue to adapt as defenders shift tactics; reduced utility of stolen credentials (through MFA and unique passwords) undermines attackers’ business models.

A short checklist for readers
– Use a reputable password manager to generate and store unique, long passwords.
– Enable phishing-resistant MFA where available (passkeys, hardware tokens).
– Check whether your accounts have been part of known breaches (and change passwords for reused credentials).
– Prefer services that adopt modern authentication defaults — single sign-on, enforced MFA, and breach detection — over those that do not.

Conclusion
We are not helpless against “123456” and its kin. The persistence of the worst passwords is less a mystery than a design failure: systems that make convenience the enemy of security have long outlived their usefulness. As Troy Hunt and others have noted, the raw lists and mega-collections are a symptom — a reminder that credential reuse and poor defaults keep paying out for criminals. The remedy lies less in scolding users than in redesigning products and policies so that the secure path is the natural path. If that shift does not happen, how long before the next mega-collection turns yesterday’s warning into tomorrow’s crisis?

Source: https://go.theregister.com/feed/www.theregister.com/2025/11/06/most_common_passwords/