Given today's news that the latest mega breach has exposed 1.3 billion unique passwords, you need to shore up the security on all your accounts, and that especially means the key accounts: Google, Microsoft, Apple, Facebook and Amazon.
With perfect timing, Comparitech has just published its list of 2025's most common passwords. The team says it "aggregated more than 2 billion real account passwords leaked on data breach forums in 2025." Coincidentally, 2 billion is also roughly the number of email addresses in today's leak, so you should take this research seriously.
“The most common passwords in 2025 are ‘123456’, ‘admin’, and ‘password’,” which should not be much of a surprise in a world where “the password for the Louvre’s video surveillance system was ‘Louvre’.” Sometimes we really are our own worst enemies.
Google has warned repeatedly that attackers are targeting its users' accounts with stolen credentials. The company says "phishing and credential theft" now fuel 37% of successful intrusions, while infostealers drove "an 84% increase in 2024 compared to the previous year — that trend has only intensified in 2025."
Meanwhile, Microsoft has decided to push account holders to delete their passwords entirely, such is the current threat from infostealers and credential leaks.
Both Google and Microsoft are at the forefront of pushing passkeys in place of passwords, with Google taking the lead: it reports a staggering 350% increase in passkey take-up across its accounts. Apple manages passkeys in its own way, and Facebook, Amazon and the other major players have all now jumped on board.
You can download Comparitech's full list of the 100 most common (read: most easily guessed and cracked) passwords from its website. NordPass publishes an even more extensive list of the world's worst passwords, broken down by country.
Here's the top 20 of what bad looks like; again, no surprises:
The data plays into the latest warning from the U.S. National Institute of Standards and Technology (NIST) that people "often choose passwords that can be easily guessed." That includes the predictable sprinkling of numbers, capitals and special characters that composition rules encourage.
"A user who might have chosen 'password' as their password," NIST says, "would be relatively likely to choose 'Password1' if required to include an uppercase letter and a number or 'Password1!' if a symbol is also required."
You can see that easily enough in the Comparitech and NordPass data.
Length is better than complexity. But Comparitech warns “65.8% of the passwords we analyzed had fewer than 12 characters; 6.9% had fewer than 8 characters; and (only) 3.2% used 16 or more characters.”
NIST says "passwords that are too short [yield] to brute-force attacks and dictionary attacks." Hive Systems reached the same conclusion in its research on how quickly passwords can be cracked.
So, as for password advice: if your Google, Microsoft, Apple (or Facebook, Amazon, etc.) passwords are short, change them. Go for 12 characters or, ideally, more. Don't use anything "common," so if you see your passwords on these lists, change them, and use a different password for every account, because leaked credentials are replayed against other services.
And then, more critically, ensure you have a strong form of multi-factor authentication (an authenticator app or hardware key, not SMS) on all your accounts, and set up passkeys wherever you can.
While this report focuses on personal accounts, the advice is even more critical at work, where your bad password habits combined with your company's potential lack of MFA could put critical business systems and data at risk.
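To make the NIST point concrete, here is an added example (not code from Comparitech, NIST, Google or anyone else named in this article) of the kind of check a site or a password manager can run: it screens a candidate against a blocklist of common passwords and enforces a minimum length instead of composition rules. It catches the decorated variants NIST describes (Password1, Password1!, P@ssw0rd2025) by reducing each candidate to its undecorated core before comparing. The COMMON set is a constructed sample standing in for the Comparitech and NordPass lists, and the normalisation rules are assumptions about user habits rather than anything taken from the article.

```python
"""
Added example, not code from Comparitech, NIST, Google or any party named
in the article: a blocklist-plus-length password check in the spirit of
NIST SP 800-63B.  COMMON is a constructed sample; the leet/decoration
rules are assumptions about how people satisfy composition rules.
"""
import math
import re
import unicodedata

# Constructed sample blocklist.  Load the published top-100/top-200 here.
COMMON = {"123456", "admin", "password", "qwerty", "louvre", "welcome", "letmein"}

MIN_LENGTH = 12  # the article's recommendation (NIST's floor is 8)

# Assumed "leet" substitutions users make to satisfy digit/symbol rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def candidates(pw: str) -> set[str]:
    """All the forms of pw that are compared with the blocklist."""
    base = unicodedata.normalize("NFKC", pw).lower()
    forms = {base, base.translate(LEET)}
    # Users append digits/symbols far more often than they prepend them:
    # "password1!" -> "password", "louvre2025" -> "louvre".
    core = re.sub(r"[^a-z]+$", "", base)
    if core:
        forms.update({core, core.translate(LEET)})
    return forms


def check_password(pw: str, common: set[str] = COMMON,
                   min_length: int = MIN_LENGTH) -> list[str]:
    """Return the reasons pw is rejected; an empty list means it passes."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"too short: {len(pw)} chars, need {min_length}")
    hits = candidates(pw) & common
    if hits:
        reasons.append(f"matches common password: {min(hits)}")
    return reasons


def search_space_bits(pw: str) -> float:
    """Naive brute-force search space in bits, from length and the character
    classes actually used.  Upper bound only: a blocklisted password falls
    on the first few guesses no matter how many bits this reports."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"[0-9]", pw):
        alphabet += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        alphabet += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    # Constructed samples; all but the last satisfy a typical composition rule.
    for pw in ["Password1!", "P@ssw0rd2025", "Louvre2025!", "123456",
               "Tr0ub4dor&3", "orbit-lantern-quartz-9"]:
        verdict = check_password(pw) or ["ok"]
        print(f"{pw:24} {search_space_bits(pw):6.1f} bits  {'; '.join(verdict)}")
```

Note what the two measures show side by side: "Password1!" scores a respectable 65 bits on the naive search-space estimate yet is rejected immediately because its core is "password", while a 12-character all-lowercase string scores more bits than an 8-character mix of all four classes. That is the "length beats complexity" point in numbers, with the caveat that no amount of length rescues a password that is already on a list.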