Nord Security 2025 Report: Is Your Password a Threat?

In the Top 200 Most Common Passwords list, we still see the usual suspects: “123456,” “12345678,” “12345,” “password,” and especially “admin.” The fact that “admin” keeps appearing near the top is particularly alarming. It means people are still using it for accounts that provide access to technical or administrative interfaces. In other words, we’re talking about sensitive areas where a basic password opens far too many doors.

And these passwords can be cracked in an instant. Studies show it can take only a fraction of a second to break such predictable combinations. It’s like leaving your front door wide open for hackers and inviting them to walk right in.

What’s surprising is that this behavior doesn’t vary by age. From teenagers to seniors, the same weak passwords show up again and again. The issue isn’t generational or related to digital literacy. It’s the absence of a real security culture in our day-to-day habits.

And in a professional environment, the impact is even greater. A weak password used for a server, a database, or an administrative access point can put an entire system at risk. It’s no longer just a matter of personal access. It opens the door to risks that affect an entire organization.

How to Build Better Authentication Habits

Given this reality, it’s worth revisiting our practices. Here are a few essential habits to strengthen the security of your personal and professional accounts.

Create strong and complex passwords

A good password ideally combines uppercase and lowercase letters, numbers, and symbols, with enough length to make it hard to guess. Even better: use a long and unique passphrase, sometimes even a playful one, that’s easy to remember and hard to crack.

Avoid reuse and increase length

Each account should have its own password—or better yet, its own passphrase. This prevents an attacker from jumping from one service to another if one of them is compromised and makes unauthorized access much harder for malicious actors.

Enable multifactor authentication (MFA) whenever possible

MFA (or 2FA) adds a second layer of protection. Even if a password leaks, accessing the account becomes much more difficult.

Use a password manager

A tool like NordPass can generate, store, and organize unique passwords for all your accounts. You don’t have to remember anything, which makes good habits much easier to adopt. And most importantly, it prevents a domino effect if a password ends up in the wrong hands.

Regularly update sensitive passwords

For critical, technical, or administrative access, it’s best to act as soon as a password seems too simple or has been reused for too long. Some tools also let you check whether a password has appeared in a known breach. If it has, it should be changed immediately.

Eliminate weak passwords entirely in technical environments

“admin,” “password,” “123456” should never be used on an account with elevated privileges or access to important resources. It may seem like a small mistake, but the consequences can be significant.

Adopt passwordless authentication

More and more services now offer the option to sign in without a password, using a physical security key, biometric authentication, or a login link sent by email. These methods reduce the risks associated with weak or reused passwords and make everyday access easier. When the option is available, it’s really worth turning it on.

Read also: Do we still need passwords?

In 2025, we know threats evolve quickly. Yet simple habits remain some of our best protection tools. Every strong password, every activated MFA, every password manager adopted strengthens the security of our data and our organizations. It’s a discipline that starts with small habits but creates long-lasting impact.