Top 200 Most Common Passwords | NordPass
Seven years since our first top 200 common passwords list, we’ve witnessed how credential trends have changed — and what has remained the same. Each year, we rediscover people’s tendency to opt for weak passwords that prioritize convenience over security.However, this year, we decided to ask ourselves: How do different generations treat their password use? From the silent generation to the “zoomers,” we analyzed which passwords are the most common among different user groups. As it turns out, bad password habits are trendy no matter how old you are.
Top 200 Most Common Passwords
For the seventh year in a row, NordPass presents its list of the top 200 most common passwords. Discover how common password trends differ across generations of users.NordPass
like this
HappyFrog
in reply to Otter Raft • • •IninewCrow
in reply to Otter Raft • • •Top 3 are still the same from previous years
like this
Endymion_Mallorn likes this.
Catoblepas
in reply to IninewCrow • • •- YouTube
youtu.belike this
Endymion_Mallorn likes this.
LEM 1689
in reply to IninewCrow • • •like this
Endymion_Mallorn likes this.
mctoasterson
in reply to IninewCrow • • •Jack
in reply to IninewCrow • • •HubertManne
in reply to IninewCrow • • •Snot Flickerman
in reply to Otter Raft • • •like this
Endymion_Mallorn likes this.
PerogiBoi
in reply to Snot Flickerman • • •ZoteTheMighty
in reply to Otter Raft • • •like this
Endymion_Mallorn likes this.
akwd169
in reply to ZoteTheMighty • • •purplemonkeymad
in reply to ZoteTheMighty • • •Echo Dot
in reply to ZoteTheMighty • • •thingsiplay
in reply to Otter Raft • • •Looking at the different countries is also funny. The only password I'm not surprised about is
admin, because that's probably the default for most devices maybe? Unless user changes it manually.But my question is, are these only "hacked" passwords? Because those who are not hacked, you don't know what passwords they have. So this is a bit of bias here, right?
like this
Endymion_Mallorn and Quantumantics like this.
smeg
in reply to thingsiplay • • •Creat
in reply to thingsiplay • • •t3rmit3
in reply to thingsiplay • • •No, that's not how these are obtained. Password dumps are from attackers breaching a site's user database and dumping their credentials, usually by phishing administrators' logins. Attackers are brute-forcing passwords anymore except on a one-off, very rare basis. Here's a list of publicly-known password dumps, and you can see details about where they came from: haveibeenpwned.com/PwnedWebsit…
Have I Been Pwned: Who's Been Pwned
Have I Been Pwnedthingsiplay
in reply to t3rmit3 • • •Ah right, that makes sense. I know that site, but didn't think of. I know not the smartes in the town.^^
I also wonder if people do more secure passwords for important services. Or do they treat it the same? My parents always used their birthday as password, so they do not forget it. Which not much more secure than 1234.
t3rmit3
in reply to thingsiplay • • •In my experience, most people have at most 2-3 passwords, and some do choose a "more secure" one for things like banking and work. Very few people use a password manager.
bryndos
in reply to Otter Raft • • •do they account for the circumstances?
most public wifi login pages get:
u: abc@def.com
p: qwerty
from me.
I assume those types of services get breached all the time and no one cares. I think they just want plausible deniability on acceptable use of the wifi.
Sibbo
in reply to Otter Raft • • •like this
rem26_art and Quantumantics like this.
smeg
in reply to Sibbo • • •SanctimoniousApe
in reply to Otter Raft • • •Okay, so how valid is this really if they're only using those passwords that were hacked?
t3rmit3
in reply to SanctimoniousApe • • •It's very valid. The password dumps they're analyzing aren't based on attackers brute-force, they're based on attackers breaching sites' backends and dumping the user databases. Some of these are sites with millions of records, and when you look at credential-stuffing lists (which are aggregate lists of currently-accessible accounts using previously-breached credential pairs), it adds millions more.
Sort this list by year, and you can see there's tens of millions of leaked passwords in 2025 alone: haveibeenpwned.com/PwnedWebsit…
Have I Been Pwned: Who's Been Pwned
Have I Been PwnedSanctimoniousApe
in reply to t3rmit3 • • •rekabis
in reply to Otter Raft • • •glibg
in reply to Otter Raft • • •theworldinyourhand
Really? is that from something?
Sims
in reply to glibg • • •pruwyben
in reply to Otter Raft • • •Sims
in reply to Otter Raft • • •Echo Dot
in reply to Otter Raft • • •For the longest time the admin password for the router at work was
PasswordReset.124, the useless penetration testers didn't even pick up on it.I've changed it to something actually random and then, following established industry standard security practises, somebody else has gone and written it on a post-it note, and stuck it to the router. So we're all fine now.
I'm extremely tempted to "hack" the network and bring it down only to be the hero that brings it back up after a few hours of non-productivity. But I feel like if they found out that might be a firing offence.
🦄🦄🦄
in reply to Echo Dot • • •Echo Dot
in reply to Otter Raft • • •There was a post on here a while ago about the most popular four digit PIN numbers. I think the top five were
1234
7890
1212
1111
And 1701
We're are all so original
AAA
in reply to Echo Dot • • •Tomtits
in reply to Echo Dot • • •HubertManne
in reply to Otter Raft • • •