- Businesses still haven’t stopped using easily crackable passwords
- Germany, the US, and China suffer the most password breaches
- 123456, password, and qwerty are still being used in 2025
Many businesses are still using weak passwords that can be cracked in less than a second in the event of a brute force attack to secure their accounts, new research from one of the best password managers, NordPass, has found.
Passwords such as ‘123456’, ‘secret’, and even ‘password’ are being used by thousands of businesses across the world, resulting in easy picking for hackers.
The research also found Germany was top in the world for password breaches, with 582,067 incidents, closely followed by the US with 502,435, and China at 448,375.
The password is ‘password’
NordPass’ research used a 2.5 terabyte database compiled from numerous publicly available data sets, including some from the dark web that covered 11 industries.
For enterprise, the most common password in the database was ‘123456789’ with 378,182 uses, followed by the much easier to remember ‘123456’ with 356,341 uses, and just to round it all out ‘12345678’ comes in third with 145,688 uses.
Small and medium businesses don’t fare much better, with ‘123456’ topping the list for both with a total of 852,861 across both business sizes. Other classic passwords such as ‘qwerty123’, ‘abc123’, and ‘iloveyou’ also appear on the list, taking less than one second to crack.
Interestingly, the 28th most used password in NordPass’ dataset was ‘TimeLord12’, possibly suggesting that an IT worker with a love for Peter Capaldi’s work as the twelfth Doctor in Doctor Who was in charge of creating over 30,447 accounts that were later exposed.
NordPass also found many users who didn’t use the most common passwords would often use their own email address as their password, making it fairly easy for an attacker to crack their accounts. Names were also a common inclusion in the database, suggesting that employees were using their own names as a password.
If you’ve seen your password somewhere in this article or in NordPass’ research, it might be time to change it to something more secure, lest you be responsible for a breach.
In order to better protect corporate accounts, businesses should put in place password creation rules that make it harder to use simple passwords that can be easily cracked. NordPass also offers a business password manager tier to help businesses generate and store passwords securely.
Businesses should also implement two-factor authentication when signing in to accounts to help verify that the person accessing the account is a legitimate user, and not a crook with stolen credentials. Businesses can also switch over to using passkeys, which use secure authentication to log in without the need to remember complex passwords.
