Facepalm: There's a long-standing stereotype that the older someone is, the less tech-savvy they are. But it appears that this generalization isn't always accurate, especially when it comes to passwords. However, the universal constant between all generations is that most people still pick crap credentials.
The latest common password list comes from NordPass – its seventh edition of the annual report. The company decided to do something a little different this year by including the most popular passwords among multiple generations.
All the groups' passwords are bad, of course, but some generations are slightly worse than others.
You might expect Generation Z – those born between 1997 and 2007 – to have the most secure passwords, having grown up during the internet age. But the group appears to be the worst of the bunch.
The pathetic '12345' is the most common entry among the youngest group. Sequential numbers starting from 1 appear six times in the top ten, while the ever-awful 'password' is fifth. There are some age-appropriate entries, such as 'skibidi' and 'assword.'
Millennials (1981 – 1996) don't fare much better, but at least the most popular password here has an extra digit (123456). Sequential numbers make up most of this list, though it also includes the mildly-harder-to-guess Contraseña and mustufaj.
More names appear in the Gen X (1965 – 1980) list, and they make up seven of the top Baby boomer (1946 – 1964) entries. Even the Silent generation (born before 1946) prefers to use names over numbers.
NordPass notes that variations of the most common first names and surnames in each country often appear in the region's most-popular passwords lists, e.g., kristian123.
The fact that 12345 or 123456 were the most popular choices among all generations is a sadly familiar sight. It was only earlier this month when Comparitech's password list, aggregated from more than 2 billion real account passwords, showed that 123456 was the most commonly used.
NordPass worked with NordStellar on the report, analysing public data breaches and dark web repositories from September 2024 to September 2025 to identify statistically aggregated data. Corresponding metadata, including dates of birth where applicable, were reviewed to assign passwords to age groups.