2025-12-26

By Professor Fraser Sampson, former UK Biometrics & Surveillance Camera Commissioner

It’s look-back season again. Time to dust off old favourites like the World’s Most Surveilled Cities along with some seasonal newcomers like the Best Law of the Year (my vote goes to robot chicken fights).

Compiling the end-of-year list has become a perennial cross-cultural ritual. Even if they’re factually dubious or arithmetically suspect, the whole point of these mostly pointless tables is that they change. The entertainment is in their revelation. But one ranked list comes out every year – and every year it’s the same list. In fact, it’s scarcely changed for decades. And here it is again. With over 21.5 million appearances, the world’s most-used security password for 2025 was (drum roll): “123456”. The runner-up was – once again – “admin”, reportedly used by more than 21 million accounts last year.

This is simply staggering, and not just because the passwords are so guessable. Most unbelievable is not the list itself but the fact that it doesn’t change. Every year it’s the same ‘winners’, despite billions of dollars’ investment in the tech and acres of column inches and advice against using weak passwords, or passwords at all.

At the close of a year when the audacious heist at the Louvre was assisted by the security system’s password being ‘Password’, the annual NordPass survey shouldn’t come as a surprise to many.

Subscribers to Biometric Update get to learn of the latest risks to digital security and the leading-edge technology being developed to combat them. We hear daily from cyber-genius thought leaders and biometric tech wizards about how they are designing, developing and deploying countermeasures to hold back the tide of cyber and phishing attacks. With ever more fiendishly inventive scams, hostile state penetration and common vulnerabilities and exposures (CVE) leaving the person in the street aghast, experts harness their intellectual and technological horsepower to protect us year-round.

And yet the 2025 Most Used Password list brings only glad tidings to the most hapless hackers. The NordPass statistics show how the Hollywood image of an evil genius hunched over a screen running fiendish ‘dictionary attacks’ isn’t even close to our biggest threat – and why a teenager with a first-gen laptop still has a better-than-even chance of hitting a digital jackpot. With text-based passwords like “Demo@123” still at the top of the year’s lists globally, from India, the USA, Germany and Australia, would-be cyber criminals don’t need to run John the Ripper against salted hashes in order to succeed. And our continued use of one password across multiple devices and accounts makes their life easier still.

Beyond all the personal accounts that will be vulnerable in the coming year, and the abject loss and misery that hacking and phishing will cause, our carelessness opens up wider physical vulnerabilities. On devices like internet protocol (IP) cameras, weak passwords can give an outsider remote access to streets, offices and home security systems without any hacking credentials or know-how.

And the list doesn’t just cover us as individual tech consumers. People in government who guide us on how to keep safe are also prone to the same counter-intuitive behaviour. Research shows that public agencies and organisations are still making the same basic password blunders as we are. Findings in another recent report show how over 53,000 passwords associated with U.S. government email domains were exposed in public sources since the start of last year. Covering more than 5,500 public-sector institutions across six countries – the United States, United Kingdom, France, Italy, Germany, and Canada – researchers found over 91,000 ‘exposed passwords’ since early 2024.

Every year the available advice consistently tells us that we should be continuously monitoring security credentials, regularly screening agency domains for any data leaks and rigidly enforcing the use of unique passwords across all our systems. And every year we seem to do the opposite. Why we do this may be an interesting question for the psychologists and their theories of futile persistence; for those involved in data security it doesn’t really matter. The statistics speak for themselves.

Compromised, weak and reused passwords accounted for some 80 per cent of data breaches once again this year. Perhaps next year NordPass could sponsor an annual award for the country that most improved what Karolis Arbaciauskas calls “password hygiene”. A New Year’s resolution for 2026 for us all might be to use readily available password managers like Apple’s iCloud Keychain and Android’s Google Password Manager to generate and store complicated passwords. Better still would be to adopt two-factor authentication (2FA) for email and online accounts, ‘layering’ our security protection, or to ditch the password altogether in favour of passkeys, which offer an option that can’t be leaked, stolen or bypassed.

Cyber security experts see the biggest encryption threat on the horizon as coming from quantum computing, hence the push for post-quantum cryptography (PQC). In reality, the biggest threat is from our own ritualised behaviour, and there’s a bleak midwinter message here – if we don’t change our routines we will remain in an annual cyber doom loop in spite of all the technological advances being made in cyber protection.

As 2025 draws to a close, the sector is preparing for the coming year. For my part, I’m compiling a list of ‘20 Things That Will be Obsolete Next Year’ – alongside keys, wallets and privacy, I wish I could include passwords but I think that’s a little optimistic.

We righteously insist on there being a human in the loop to curb the excesses of AI domination, but what kind of safeguard comes from this level of inanity? If you want to make a robot laugh this year, tell it your password.

About the author

Fraser Sampson, former UK Biometrics & Surveillance Camera Commissioner, is Professor of Governance and National Security at CENTRIC (Centre for Excellence in Terrorism, Resilience, Intelligence & Organised Crime Research) and a non-executive director at Facewatch.
