Passwords are one of those things we all rely on every day, but rarely give much thought to. They protect your emails, your accounts, your systems and your business as a whole. Yet despite this, most people still use passwords that are shockingly easy to guess.

At Edmondson's, we see this all the time. Weak passwords are one of the most common entry points for cyber-attackers, yet they’re one of the simplest problems to fix.

So let’s look at some of the most common passwords people use, why they don’t work, and what you should be using instead.

The Most Common Passwords

Every year, security researchers release lists of the most used passwords worldwide. While the exact rankings change, the same names appear again and again.

The 20 most used passwords in the UK last year (2025) were:

1. admin (used 99,916 times)
2. 123456 (used 63,698 times)
3. password (used 58,355 times)
4. 12345678 (used 22,025 times)
5. 123456789 (used 18,733 times)
6. Password1 (used 17,094 times)
7. Password (used 15,057 times)
8. 12345 (used 12,555 times)
9. Lennon11 (used 9,214 times)
10. 1234567890 (used 8,150 times)
11. Password123 (used 7,773 times)
12. Fortnite21 (used 7,669 times)
13. password1 (used 7,180 times)
14. qwerty123 (used 7,146 times)
15. qwerty (used 6,970 times)
16. 123qwe (used 6,801 times)
17. abc123 (used 6,633 times)
18. Strongman12 (used 6,607 times)
19. daday123 (used 6,429 times)
20. Liverpool1 (used 5,897 times)

(Data from NordPass 2025 Report)

These passwords are popular because they’re easy to remember. Unfortunately, they’re also easy to guess. Modern hacking tools can test millions of passwords per second, and these common choices can be cracked almost instantly.

If your password appears in the list above or is very similar to any of these, we’d recommend changing it straight away.

Why Weak Passwords Are Such a Big Risk

Many people assume hackers target big corporations, not small businesses. In reality, small and medium-sized businesses are often easier targets because security’s usually less strict.

A weak password can lead to:

• Access to email accounts, which can then be used for phishing
• Access to cloud systems like Microsoft 365 or Google Workspace
• Stolen customer data
• Financial fraud through invoice scams
• Complete system lockouts through ransomware

Once someone gets into one account, they often move sideways through your systems. If staff reuse the same password everywhere, one breach can quickly turn into several.

What Makes a Good Password?

A strong password should be:

• Long - At least 12 characters
• Unique - Never reused across systems
• Hard to Guess - Not based on personal info
• Random - No real words or patterns

Longer passwords are far more secure than short complex ones, because they take much longer to crack.

Safer Alternatives That Actually Work

The problem with strong passwords is that people struggle to remember them. That’s where these tools can help:

Use a Password Manager
Password managers like Bitwarden, 1Password or LastPass generate and store strong passwords for you. You only need to remember one master password, and the rest are handled securely.

Enable Multi-Factor Authentication
This adds an extra step like a code on your phone or a fingerprint. Even if someone steals your password, they still cannot log in without the second factor.

Use Passphrases Instead of Single Words
A sentence is easier to remember and far more secure than a single word with a number on the end.

Never Reuse Passwords
This is one of the biggest mistakes people make. Every system should have its own unique password.

The Business Impact of Poor Password Habits

From an IT support perspective, password issues cause more problems than almost anything else. We regularly see:

• Shared passwords across teams
• Old staff accounts still active
• Passwords written on sticky notes
• The same login used for email, CRM and remote access

These habits might feel convenient, but they massively increase risk. One compromised account can easily lead to downtime, data loss and serious reputational damage.

At Edmondson's, one of the first things we review during an IT health check is password policy. Simple changes can dramatically reduce your exposure to cyber threats.

If you’re not sure how secure your systems really are, Edmondson's can help review your setup and put better protections in place before problems arise.