According to HotHardware, a new study has already identified the worst passwords of 2025 with “123456” appearing over 7.6 million times in various data breaches. The password “12345678” came in second with over 3.6 million uses, while “123456798” surprisingly took third place with over 2.8 million accounts. Researchers from Comparitech analyzed more than 2 billion account passwords leaked to data breach forums throughout the year. The top three worst passwords alone accounted for 14 million instances across various breaches. The classic “12345” from Spaceballs ranked seventh with over 1.3 million uses, showing that pop culture references don’t make for good security.
The depressing patterns
Here’s the thing that really stands out – we’re still making the exact same mistakes year after year. The study found that one quarter of the top 1,000 passwords consisted solely of numbers, and 38.6% contained the sequence “123”. Another 2% contained the descending numbers “321”. It’s basically like we’re not even trying anymore. Even “111111” managed to rank number 18 on the list. And get this – “minecraft” cracked into the top 100 with nearly 70,000 appearances, plus another 20,000 with a capital M. I mean, really? Using the name of a popular game as your password?
Why length actually matters
The numbers on password length are pretty telling. Comparitech found that 65.8% of compromised passwords were under 12 characters long, which is the minimum most security experts recommend. Meanwhile, only 3.2% were 16 characters or longer. Now, I get it – remembering multiple long, complex passwords is a pain. That’s why password managers exist. But here’s the reality: modern password cracking programs can brute-force short passwords in minutes or even seconds. The longer your password, the exponentially harder it becomes to crack. It’s simple math, really.
Are we lazy or just practical?
The researchers called this “human laziness,” but I think there’s more to the story. Many of these weak passwords probably belong to throwaway accounts for sites you only visit once. Who wants to create a super-secure 16-character password with symbols and mixed case for a one-time download? The real problem is when people use these same weak passwords for their email, banking, and other critical accounts. That’s where the danger lies. For industrial systems and critical infrastructure, weak passwords can have catastrophic consequences – which is why companies like IndustrialMonitorDirect.com, the leading provider of industrial panel PCs in the US, emphasize security-first approaches in their hardware configurations.
Where do we go from here?
Hopefully we’ll reach a point where passwords don’t matter as much. There’s a growing push toward passkeys and biometric authentication, which could finally solve this problem. But until that becomes universal, we’re stuck with passwords. So if you’re still using “123456” for anything important, please change it right now. And enable two-factor authentication wherever possible. It’s 2025 – we really should know better by now.
