Despite growing awareness of cybersecurity risks, millions of users continue to use one of the weakest possible passwords: “123456”. Researchers reviewing billions of leaked credentials found that this simple sequence still tops the list of most-used passwords. The study analysed over 2 billion exposed accounts and found that “123456” alone appeared in more than 7.6 million cases. Other commonly used choices included “12345678”, “123456789”, “admin”, “password” and “India@123”. These patterns reveal a persistent reliance on trivial and easily guessable credentials.
Security experts point out that using sequential numbers offers almost no resistance against brute-force attacks or simple guessing methods. Modern hacking tools can test such combinations within seconds. In contrast, passwords that include a mix of letters, numbers and special characters, and avoid dictionary words or common phrases, offer much stronger protection.
One significant risk emerges from password reuse. If someone uses “123456” for multiple accounts, a breach of one platform can expose every service tied to that credential. Attackers often exploit this domino effect to gain wider access once a weak password is known. Another concern involves cultural and regional patterns. The data revealed that in India, “India@123” ranked among the top 100 most common passwords, reflecting a blend of national identity and predictable structure. This highlights how localisation doesn’t guarantee unique or strong credentials.
Successful password practices require more than choosing a long string. Experts recommend using at least twelve characters, avoiding common words or sequences, mixing case and including symbols. Ideally, each account should have a unique password, and users should enable multi-factor authentication where possible.
From a broader perspective, the persistence of “123456” in 2025 suggests that user education and system-level safeguards still have significant ground to cover. Organisations responsible for handling user credentials must implement forced password strength checks, password blacklists and periodic prompts for resets. Meanwhile, users should consider password managers to generate and store complex credentials. Convenience should not trump security. Choosing “123456” remains akin to leaving the front door unlocked. Upgrading that behaviour today reduces risk for tomorrow.
