The award for the most common password of 2025 wasn't anything complex. In fact, anyone could guess it: 123456.
That's it. No special characters. No uppercase letters. No unique combinations. Just six sequential digits standing between attackers and your sensitive data.
A basic phishing kit, credential stuffing bot, or low-effort brute force attack could crack that weak combination in seconds. Research shows that password cracking succeeded in 46% of environments in 2025—not exactly reassuring news for businesses tasked with securing user accounts and reducing risk.
Key Finding
A recent study of over 19 billion newly exposed passwords found that 94% of passwords are reused or duplicated. It takes just one employee using a weak, predictable, or previously breached credential for attackers to gain access.
The 10 Most Common Passwords of 2025
Enforcing password hygiene and policies is a foundational step in reducing the overall attack surface, yet it remains the control most organisations ignore until a compromised account turns into a full-scale data breach.
If any of these passwords look familiar, your organisation could be at serious risk. Even in 2025, weak passwords remain a top threat for businesses and IT teams across the UK.
Cyber Attacks That Exploit Weak Passwords
Weak passwords are exactly what threat actors look for when scanning for easy entry points into your critical infrastructure. Here are the most common attack methods:
Brute Force Attacks
Attackers systematically attempt every possible character combination using automated tools. Research shows password cracking succeeded in 46% of environments in 2025.
Dictionary Attacks
Hackers use precompiled lists of common words and password patterns, often sourced from previous data breaches, to rapidly guess credentials.
Credential Stuffing
Automated attacks in which threat actors take previously leaked username and password pairs and systematically test them across multiple websites and services.
Best Practices to Improve Password Security
The best form of security is proactive. Here are several best practices to safeguard your passwords and reduce your exposure across attack paths.
Enforce Strong Password Policies
Require passwords of at least 16 characters with a mix of uppercase, lowercase, numbers, and special characters. Avoid dictionary words and predictable sequences.
Implement Multi-Factor Authentication
MFA prevents leaked credentials from being exploited by requiring additional verification factors such as biometrics, security keys, or one-time passcodes.
Invest in Security Awareness Training
Educate employees on phishing risks, credential theft, and weak password practices. Regular phishing simulations reinforce secure behaviours.
Monitor for Credential Exposure
Continuously scan the dark web for leaked credentials and compromised accounts. Early detection prevents attackers from exploiting stolen data.
What Makes a Strong Password?
- At least 16 characters long
- Mix of uppercase and lowercase letters
- Include numbers and special characters
- Avoid dictionary words and predictable sequences
- Never reuse passwords across different accounts
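A policy checker that enforces the criteria above, added here as an example and not code from the article or from Graphite IT; the breached-password set and dictionary word list are small constructed samples standing in for a real exposure feed, and the 16-character minimum is the article's recommendation.

```python
import string

# Constructed sample data for this example (not real breach data):
# a few entries of the kind a "most common / previously breached" feed would return,
# plus a tiny dictionary word list.
BREACHED = {"123456", "password", "qwerty123", "123456789", "letmein"}
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "admin"}
MIN_LENGTH = 16  # minimum length recommended in the article


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive characters that step by +1 or -1
    in code-point order (e.g. '1234', 'abcd', 'dcba') or repeat (e.g. 'aaaa')."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}, {0}):
            return True
    return False


def check_password(pw: str) -> list[str]:
    """Return the policy rules the candidate password fails (empty list == accepted)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no special character")
    if has_sequential_run(pw):
        failures.append("contains a predictable sequence")
    low = pw.lower()
    if any(word in low for word in DICTIONARY_WORDS):
        failures.append("contains a dictionary word")
    if pw in BREACHED or low in BREACHED:
        failures.append("appears in a breached/common-password list")
    return failures


if __name__ == "__main__":
    for candidate in ["123456", "Password1234!", "Tr0ub4dor&3-Quartz-Lamp"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

In a real deployment the `BREACHED` set would be replaced by a lookup against an exposure feed, and a candidate that fails any rule should be rejected at password-change time rather than merely reported.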
How Graphite IT Can Help Protect Your Business
Don't make an attacker's job easy by relying on predictable or commonly used passwords. Graphite IT provides comprehensive cyber security services through our KyberONE platform, which includes:
- Dark web monitoring to detect leaked credentials
- Security awareness training for your team
- Phishing simulations to test employee resilience
- MFA policy enforcement across your organisation
- 24/7 SOC monitoring for suspicious activity
Learn more about our cyber security services and how we can help protect your business from credential-based attacks.
