
5 June 2026 / 4-minute read

What the Data Says About Credential Security in Organizations

NordPass, the password manager developed by Nord Security, publishes an annual ranking of the world's most commonly used passwords based on the analysis of leaked credentials.

The password “123456” has ranked first for the sixth time in the past seven years. This is neither a coincidence nor a curiosity. It is a persistent problem that directly impacts organizational security and the success rate of cyberattacks.

What This Year’s Research Revealed

NordPass and NordStellar analyzed leaked credentials from public databases and the dark web covering the period from September 2024 to September 2025. The published results span 44 countries and include a generational comparison of user behavior, from Generation Z to the Silent Generation.

The key finding is that password quality remains poor across all age groups. The assumption that younger users, often referred to as digital natives, have better cybersecurity habits was not confirmed. Passwords such as “12345” and “123456” rank among the most commonly used across every generation. Weak passwords are therefore not a problem limited to a specific group of employees but represent a widespread risk for entire organizations.

Why Credential Security Remains an Overlooked Layer of Defense

Most organizations today invest in detection tools, EDR solutions, and network segmentation. However, the protection of credentials often remains one of the weaker elements of a security strategy. This is not because organizations are unaware of the risks, but because the consequences of neglecting credential security are not always immediately visible.

Attackers understand this very well. Credential stuffing, the automated testing of credentials from leaked databases against other services, remains one of the most common initial access techniques. The cost of such attacks is extremely low. Leaked databases are often freely available, as are the tools used to automate testing. If an employee reuses the same password for both personal and corporate accounts, a breach of an unrelated service can ultimately lead to the compromise of the corporate environment.

Special attention should be paid to service and administrative accounts. Default or long-unchanged passwords continue to appear on network devices, servers, and internal tools, even in organizations with otherwise mature security policies. These accounts typically hold the highest privileges, making their compromise particularly damaging.


Technical Controls That Make a Real Difference

Multi-Factor Authentication

Multi-factor authentication (MFA) should be the standard for all internet-accessible services. This includes VPN access, email services, cloud applications, and internal portals. For privileged accounts, organizations should prioritize phishing-resistant authentication methods such as FIDO2 security keys or passkeys.

Centralized Password Management and SSO

An enterprise password manager combined with a Single Sign-On (SSO) solution reduces the number of passwords users must manage manually. This significantly lowers the risk of password reuse and the creation of weak password combinations.

Monitoring for Leaked Credentials

Monitoring corporate domains against databases of leaked credentials enables organizations to identify issues before attackers attempt to exploit them. Integrating such sources into security monitoring helps organizations respond proactively.

Auditing Privileged Accounts and Service Identities

Regular inventories of administrative accounts, service identities, and API keys help identify forgotten or improperly configured accounts. These often fall outside standard access management processes and can represent significant security risks.

The Gap Between Policy and Reality

NordPass data confirms what security professionals have observed for years. Despite extensive awareness campaigns and training efforts, user behavior has changed only marginally. This does not mean that security awareness programs are ineffective. Rather, it highlights the need to move from a model based primarily on education to one where secure behavior is enforced through technology.

Technical enforcement of password policies, prevention of password reuse, integration of credential leak monitoring services, and regular penetration testing focused on credential-based attacks are among the measures that can meaningfully improve an organization’s security posture regardless of individual user decisions.
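As an added illustration of enforcing the policy in technology rather than relying on education (example code, not Citadelo's or NordPass's own), the check below rejects the denylisted passwords the report names, consults a breached-password corpus by hashed prefix, and blocks reuse against a salted hash history. The denylist, corpus entries, history and iteration count are constructed here.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed denylist: the page's top entries plus a few assumed common ones.
COMMON_PASSWORDS = {"123456", "12345", "password", "qwerty", "123456789"}
PBKDF2_ROUNDS = 200_000  # assumed value; tune to your hardware


def _sha1_upper(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus, indexed the way a
# k-anonymity range lookup returns it: 5-hex-char SHA-1 prefix -> suffixes.
BREACHED_CORPUS: dict = {}
for _pw in ("Summer2024!", "Welcome1", "letmein"):
    _h = _sha1_upper(_pw)
    BREACHED_CORPUS.setdefault(_h[:5], set()).add(_h[5:])


def hash_for_history(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2 digest suitable for storing in a per-user password history."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def normalise(password: str) -> str:
    """Fold case and trailing digits/symbols so 'Password123!' still hits 'password'."""
    return password.lower().rstrip("0123456789!@#$%^&*.")


def evaluate_password(candidate: str, history: list, min_len: int = 12) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if candidate in COMMON_PASSWORDS or normalise(candidate) in COMMON_PASSWORDS:
        problems.append("appears in the common-password denylist")
    h = _sha1_upper(candidate)
    if h[5:] in BREACHED_CORPUS.get(h[:5], set()):
        problems.append("appears in a breached-password corpus")
    for salt, digest in history:  # constant-time compare against each stored hash
        if hmac.compare_digest(hash_for_history(candidate, salt)[1], digest):
            problems.append("reuses a previous password")
            break
    return problems
```

In production the corpus lookup would query a range API with only the 5-character prefix, so the full hash never leaves the organisation.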

At Citadelo, we regularly observe during red teaming exercises and penetration tests that weak or reused credentials remain one of the most successful vectors for initial access. This is true even in organizations with otherwise mature security programs. Credential security is therefore an area worth assessing before an attacker does.
