New study reveals list of world’s most hackable passwords

If your password is 123456, you're at risk. The email audit engine analysed 4.3 TB of breached data from Have I Been Pwned and discovered that a simple sequence has been exposed in nearly 210 million compromised accounts globally. On World Password Day, experts are urging millions of Britons to abandon passwords that can be guessed in seconds.

The numbers are alarming. A Kaspersky report found that any password with 8 characters or fewer can be cracked in just 17 seconds. Most of us aren't even close to safe.

World's most hackable passwords

The research shows that after 123456, the next most common exposed passwords are 123456789 and 12345678, variations that add barely a moment of cracking time. “Password” and “admin” pretty much round out the global top five, used by millions even though they’re the first guesses any attacker would usually try.

Beyond that, the most popular names slipped into passwords are Daniel, Michael, Jessica, Thomas, and Michelle. Fictional characters also show up a lot: Superman, Naruto, Batman, Tigger, and Snoopy. Liverpool Football Club turns up in 1.7 million exposed passwords, while the rock band Blink-182 appears in 1.6 million.

NordPass's sixth annual report analysing UK password habits reveals the problem is worse closer to home. Admin leads the British list, followed by 123456 and the word “password" itself. "Password1", "Fortnite21", and "qwerty123" complete the top entries. The database analysed was massive, equivalent to 6,142 compact discs of stolen credential data extracted from dark web leaks.

The data is from 2025, but experts warn that most people haven't changed their passwords since then. If your password appears on this list, the time to change it is now.

Length matters more than complexity. Eight-character passwords crumble in 17 seconds. A password with 12 characters and variety in uppercase, lowercase, numbers, and symbols becomes exponentially harder to crack.