Key Takeaways
- “123456” appears 179.9M times – the world’s most common password.
- Top 3 passwords make up 67% of all top-10 breached credentials.
- “password” ranks fourth with 46.6M appearances.
- Simple number sequences dominate breach data, making them first targets in automated attacks.
The Story Behind the Numbers
The most common password worldwide is 123456. In breach data, it appears 179.9 million times. Next are 123456789 at 67.4 million and 12345678 at 63.9 million. Together, those three make up 311.2 million of 464.4 million, roughly 67% of the top 10. Rounding out the list: password (46.6M), 12345 (28.3M), qwerty (22.0M), 1234567 (16.3M), 1234567890 (15.8M), 111111 (12.2M), and qwerty123 (12.0M). By share of the top-10, 123456 alone is 38.7 percent, followed by 123456789 at 14.5 percent and 12345678 at 13.8 percent. These are short, predictable strings. They are first in automated login attempts, which explains why they dominate breach datasets. That is why randomness is the real defense: while a truly random 12-character password could take an estimated 244,000 years to crack by brute force, predictable combinations like Summer2025! can fall almost instantly. And the reason these weak passwords keep showing up is simple: the biggest breaches are enormous. For example, Yahoo’s breach alone ultimately affected about 3 billion accounts, which helps explain why the same recycled passwords keep resurfacing in leaked datasets. If any of your accounts use these, change them now and avoid simple number rows or keyboard patterns.
| No. | Password | Times previously appeared in a data breach | Share of the TOP10 |
|---|---|---|---|
| 1 | 123456 | 179,863,340 | 38.7% |
| 2 | 123456789 | 67,374,852 | 14.5% |
| 3 | 12345678 | 63,864,253 | 13.8% |
| 4 | password | 46,628,605 | 10.0% |
| 5 | 12345 | 28,322,091 | 6.1% |
| 6 | qwerty | 21,966,652 | 4.7% |
| 7 | 1234567 | 16,390,794 | 3.5% |
| 8 | 1234567890 | 15,830,172 | 3.4% |
| 9 | 111111 | 12,168,515 | 2.6% |
| 10 | qwerty123 | 11,973,025 | 2.6% |
Why This Data is Important
Most account takeovers happen because attackers simply log in with passwords many people reuse. With the average person now managing around 255 passwords across their accounts, reuse has become a major security risk. If a password shows up widely in breach data, it’s unsafe – even if your own account hasn’t been flagged. The fix is simple: use long, unique pass-phrases, keep them in a password manager, and enable multi-factor authentication. Keeping your IP address private also reduces what sites and networks can infer about you. When possible, switch to passkeys or hardware/security keys for your most important accounts. Turn on login alerts, use an authenticator app instead of SMS codes, and review old accounts you no longer need. If you find reused passwords, change them everywhere they appear and update your recovery email and phone so you can always get back in.
Looking Ahead: Future Outlook
Password managers and passkeys are spreading, but human-chosen strings like 123456 will stick around for a while. Ongoing breaches keep feeding fresh wordlists, so popular or reused passwords will stay risky. The safest path is steady hygiene: long unique passphrases, MFA on every important account, and periodic checks that your choices do not appear in breach datasets. For everyday browsing, adding a VPN is a simple baseline that reduces exposure.
Source & Methodology
We started with NordPass’s top-20 most common passwords and used those exact strings as our lookup set. For each of the 20 passwords, we pulled breached prevalence counts from Have I Been Pwned (HIBP). We then ranked those 20 by their HIBP counts and, for the table and analysis, showed only the top 10 by HIBP. Shares are simple part of the top-10 total. Data collected on November 12, 2025.