We are entering a reality in which passwords will stop being as important as they are now. However, until that happens, it doesn’t cost you anything to check the passwords you have set for critical services such as your bank app or your email account, among others.
Millions of people around the world continue to rely on passwords such as “1234”, “123456” and the like, which any attacker can exploit in less time than it takes to write them. Below these lines we have left you a list of the most frequent ones to encourage you to take a look at one of the pillars of our digital security.
We remain the same. Every year, reports from cybersecurity companies like NordPass, which analyzes real data leaks extracted from security breaches and dark web repositories, publish the list of the most used passwords. And every year, the result is the same: predictable number sequences and keyboard combinations so obvious that it seems we haven’t learned our lesson.


Spain is no exception. If we filter the data by country, the list of most used passwords in Spain is not too surprising. According to NordPass, ‘admin’, ‘123456’ and ‘12345678’ are the three most used passwords in Spain.
In the Visual Capitalist chart that we shared with you last year, one of the most used in our country is ‘Spain’, which is indeed somewhat more resistant, but it is another one that would take a hacker a few minutes to decipher and which is still a key that no one should use. In the NordPass report, it is curious that further down the list appear passwords like ‘Nacho2006’, ‘1234ivan’ or ‘Talocha1’, which are a little more resistant, but practically just as simple and vulnerable.
Do you have any of these set? On a global scale, the NordPass report ranks ‘123456’ as the most used password on the planet, with more than 21 million recorded uses. It is closely followed by ‘admin’, and ‘12345678’ with more than 8 million uses. Rounding out the global top 10 are ‘password’, ‘Aa123456’, ‘1234567890’, ‘Pass@123’, and ‘admin123’.
According to the Basque cybersecurity center ZIUR, which works for the Provincial Council of Gipuzkoa, the ten most popular passwords in the entire world fall in seconds.
Security gaps. The National Cybersecurity Institute (INCIBE) handled a total of 122,223 cybersecurity incidents in Spain in 2025, which represents an increase of 26% compared to the previous year. Of those, nearly 46,000 were cases of online fraud, and phishing led that category with more than 25,000 cases.
Why a weak password is so dangerous. The most common attacks require no ingenuity or effort. Brute-force programs try thousands of combinations per second in an automated way, always starting with the most common ones. If your password is on any list of common passwords (and there are some in the public domain), you are practically unprotected.
“It is not necessary to change passwords periodically for no reason, but it is necessary to do so in case of any suspicion of compromise or after a security breach. A long and different password on each important site, saved in a manager and with double verification activated in the email and the bank, for example, protects an average user against the vast majority of common threats,” said María Penilla, director of ZIUR.
What makes a password really secure. It’s not about arbitrary complexity, but about length and unpredictability. Our recommendation: that it be at least 12 characters, combining upper and lower case letters, numbers and symbols. Keep in mind that a long, random phrase is harder to decipher than a short word with a number at the end. Length protects more than complexity.
What you can do if your password is on the list. Three steps in order of urgency:
- Change it now in all the services where you use it, starting with email and your bank app. Reusing the same key on multiple sites multiplies the risk, because if your data is stolen on one platform, attackers will try that same combination on all the others.
- Activate two-step verification (2FA) where possible. It is the most effective measure to block unauthorized access even when someone knows your password.
- Use a password manager. There is no human way to memorize dozens of long and different keys without help. At Xataka we have recommended a few, such as NordPass, 1Password, KeePass, Bitwarden and many others. Some are paid, others are free, and others are free on one device but charge if you want to use the app on multiple devices at the same time.
Change your password when there are breaches. When you suspect that someone may know it, when the service where you use it suffers a security breach, or after a long time using it on sensitive sites, the best thing you can do is change it without delay. And if you want to check if your password has been compromised on any service, you can always use tools like HaveIBeenPwned and the like.
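How a breach check can run without handing over the password, as an added example that is not part of the original article: HaveIBeenPwned's Pwned Passwords range endpoint takes only the first five characters of the password's SHA-1 hash, and the match is done locally. The function names, the offline stand-in response and its counts are constructed for this illustration.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # HIBP Pwned Passwords range endpoint

def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, body: str) -> int:
    """Look for our suffix in a range response ("SUFFIX:COUNT" per line); 0 if absent."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix: str) -> str:
    """Network call: only the 5-character hash prefix ever leaves the machine."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the corpus behind `fetch`."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))

def constructed_response(prefix: str) -> str:
    """Offline stand-in for the API, with constructed counts (not real data),
    built from two passwords the article lists."""
    rows = []
    for pw, n in (("123456", 1000), ("admin", 500)):
        p, s = split_hash(pw)
        if p == prefix:
            rows.append(f"{s}:{n}")
    rows.append("0" * 35 + ":1")  # filler row the parser has to skip
    return "\r\n".join(rows)

if __name__ == "__main__":
    # Runs offline; drop the fetch= argument to query the real endpoint.
    for pw in ("123456", "admin", "long random phrase kept in a manager"):
        print(repr(pw), breach_count(pw, fetch=constructed_response))
```

A non-zero count means the password has already appeared in a breach corpus and should be replaced everywhere it is used.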
Cover image | Sasun Bughdaryan

