What are the most common passwords? No surprises here • The Register

11/06/2025


123456. admin. password. For years, the IT world has been reminding users not to rely on such predictable passwords. And yet here we are with another study finding that those sorts of quickly-guessable, universally-held-to-be-bad passwords are still the most popular ones.

Tech advice website Comparitech on Thursday published the 100 most common passwords based on a deep dive into more than two billion passwords leaked on breach forums in 2025. 

The three mentioned above all finish in the top ten, along with several variations of the numerals 1-9 in ascending sequential order. 

Of course, no list of common passwords would be complete without such innovations as Aa123456, the sixth most common entry on the list, or the radically different Aa@123456, which came in at the 13th position. Combinations of qwerty and other keys sequentially in the first row of the keyboard were also common entries. Spice them up with a few numbers, like 1q2w3e4r, and you have yourself another popular combination. 

Funnily enough, gin – yes, just straight gin – was the 29th most popular entry, while the somewhat more unique, but clearly still popular India@123 ranked 53rd. In a nod to Gen-Z, minecraft (lowercase “m”), the title of the popular Microsoft voxel building sandbox game, rounded out the top 100, appearing 69,464 times in a list of two billion passwords. 

What does all this mean? According to Comparitech, it’s “a showcase of human laziness” when it comes to staying safe online. 

A full quarter of the passwords on the list, the study found, consisted solely of numbers, making them quite easy to suss out. Thirty-eight percent specifically contained the string 123, and another two percent included the inverse, 321. 

“Modern password cracking programs make short work of weak passwords,” the site said in what’s surely not a shocker to El Reg readers. “Common passwords are easily guessed. Short passwords are easily brute-forced.”

The longer the better – and mixing it up doesn’t hurt, either

So what’s a user, or administrator responsible for ensuring users have good passwords, to do? 

First and foremost, consider biometric passkeys, which eliminate the need for passwords entirely. If that’s not possible, there’s always nice, long passphrases – depending on who you ask, those are preferable to a password full of random numbers and letters since they’re longer, easier to remember, and theoretically harder to crack. 

And size does matter. 

“No matter who you ask, the most important factor is length. Length is more important than complexity and randomness,” Comparitech consumer privacy advocate Paul Bischoff told us in an email.

Of course, adding a random character into a long passphrase doesn’t hurt either, Bischoff noted – so instead of “icantbelievewerestilltellingyouthis,” try “icantbelivewerestilltellingy0uthis,” as even that simple change makes it far less likely to be guessed. 

Using gibberish passwords and relying on a password manager is still better than qwerty123, of course, and Bischoff says that goes for browser-based password management, too. You’re still taking matters into your own hands, of course, as Chrome updates have been known to break Google Password Manager, and password manager apps aren’t 100 percent secure either. 

Whatever you do, don’t let yourself be caught with a password on Comparitech’s list, and if it’s your responsibility to set password complexity rules, make sure you’re setting good ones. 

When enterprise environments don’t enforce good password requirements, users are more likely to slack off on setting a solid one, Bischoff explained. 

“The most secure passwords will be set by the users who have the strictest password requirements,” the privacy advocate added. ®
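
A sketch of the kind of screening check an administrator could apply when setting password rules, added here as an example and not part of the article or of Comparitech's study. The denylist holds only the passwords named above; the 15-character minimum, the US QWERTY layout and the function names are assumptions.

```python
# Constructed denylist: only passwords the article names, not Comparitech's full top 100.
DENYLIST = {"123456", "admin", "password", "aa123456", "aa@123456",
            "1q2w3e4r", "gin", "india@123", "minecraft", "qwerty123"}
MIN_LENGTH = 15  # assumed policy value; the article does not give a number

# US QWERTY rows (assumed layout); each row sits about half a key right of the one above.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c + r / 2) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def longest_walk(password):
    """Length of the longest run of physically neighbouring (or repeated) keys."""
    best = run = 0
    prev = None
    for ch in password.lower():
        pos = KEY_POS.get(ch)
        if (pos is not None and prev is not None
                and abs(pos[0] - prev[0]) <= 1 and abs(pos[1] - prev[1]) <= 1):
            run += 1  # this key touches the previous one, so the walk continues
        else:
            run = 1 if pos is not None else 0  # off-layout characters reset the run
        best = max(best, run)
        prev = pos
    return best


def screen_password(password):
    """Return the reasons a candidate is rejected; an empty list means it passes."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if password.lower() in DENYLIST:
        reasons.append("on common-password list")
    if password.isdigit():
        reasons.append("digits only")
    if "123" in password or "321" in password:
        reasons.append("contains 123 or 321")
    walk = longest_walk(password)
    # Flag only when the walk makes up at least half the password, so a short
    # run of neighbouring keys inside a long passphrase is not penalised.
    if walk >= 4 and walk * 2 >= len(password):
        reasons.append("mostly a keyboard walk")
    return reasons
```

The length check alone would accept a 16-character string such as qwertyuiopasdfgh, which is why the walk test is applied separately.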
