Despite decades of warnings, the way many people create their passwords has barely changed. Various reports continue to show that the most commonly used passwords are extremely simple. In Spain and other countries, some of the most common passwords in 2025 were:
- 123456
- admin
- 12345678
- 123456789
- 12345
- password
- 111111
The problem with these passwords isn't just that they're short, but also that they're predictable. Current attacks use automated techniques (brute force or dictionary attacks) that first try common combinations. This means that passwords like "123456" or "password" can be cracked in seconds or even less. Furthermore, password reuse multiplies the risk: if one account is compromised, attackers try the same password on other services, a factor that contributes to numerous security breaches.
It's worth remembering that recommendations for creating strong passwords are nothing new. For decades, many cybersecurity organizations have published guides on how to choose robust passwords. However, research into actual user behavior and the evolution of attacks has shown that some traditional rules didn't work as well as expected. For this reason, in recent years, organizations such as NIST (the National Institute of Standards and Technology) have revised their guidelines and introduced important changes in the way they understand password security.
Before: strict rules and frequent changes
For many years, security recommendations focused on three main ideas:
- Change your password every 60 or 90 days.
- Require complex combinations of capital letters, numbers, and symbols.
- Impose strict formatting rules.
For example, the policy of periodic password expiration every 90 days was a common recommendation in security standards for years. However, experience showed that these measures had unintended consequences: users tended to choose weaker passwords or make only minor modifications to their existing ones (for example, by adding a number to the end).
Now: fewer arbitrary rules, more efficiency
Current guidelines, such as those from NIST, have significantly changed the approach. Key current recommendations include:
- Do not demand periodic changes without evidence of compromise.
- Prioritize length over artificial complexity.
- Allow long phrases instead of hard-to-remember combinations.
For example, NIST recommends passwords of at least 15 characters and notes that multi-word phrases can be more secure and easier to remember. The paradigm shift is clear: the goal is no longer to force users to follow difficult rules, but to promote practices that actually improve security.
Current tips for creating secure passwords
Based on these recommendations and the accumulated evidence, the following is now considered good practice:
- Use long passwords or phrases (ideally 15 characters or more).
- Avoid common words, sequences, or personal information.
- Do not reuse passwords across services.
- Enable two-factor authentication whenever possible.
- Use password managers to generate unique and robust passwords.
These measures significantly reduce the risk of unauthorized access.
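As an added example (not code from the original article), here is a Python acceptance check that applies the practices above the way the current guidance frames them: a length minimum instead of composition rules, a blocklist of known-common passwords seeded with the ones listed at the top of the article, and rejection of trivial sequences or repeated characters. The 15-character minimum and the check that strips trailing digits (to catch "password1"-style tweaks) are assumptions drawn from the text, and the blocklist is a constructed sample.

```python
from typing import List

# Constructed sample blocklist: the common passwords named in the article.
# A real deployment would load a much larger list of breached passwords.
COMMON_PASSWORDS = {
    "123456", "admin", "12345678", "123456789", "12345", "password", "111111",
}

MIN_LENGTH = 15  # assumption: the 15-character figure cited in the article


def _is_sequential(pw: str) -> bool:
    """True if every adjacent pair of characters steps by exactly +1 or -1
    in code point, e.g. '123456', 'abcdef' or 'zyxwvu'."""
    if len(pw) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps <= {1} or steps <= {-1}


def check_password(pw: str) -> List[str]:
    """Return the reasons a candidate password is rejected; an empty list
    means it is accepted. No uppercase/symbol quotas and no expiry rule."""
    problems = []
    normalized = pw.lower()
    # Stripping trailing digits catches the "add a number to the end" habit.
    stem = normalized.rstrip("0123456789")

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalized in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("appears in the common-password blocklist")
    if len(set(normalized)) == 1:
        problems.append("a single repeated character")
    elif _is_sequential(normalized):
        problems.append("a simple character sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "password2025", "correct horse battery staple"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```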
The user's role: the decisive link
Cybersecurity is often thought to depend solely on systems or software, but evidence shows that the human factor remains crucial. Weak passwords, credential reuse, and basic oversights continue to be common causes of incidents in businesses and organizations.
However advanced security tools may be, the actual protection of systems depends largely on users' everyday decisions: how they create their passwords, how they manage them, and what practices they adopt. In this respect, awareness and training remain among the most effective and cost-efficient security measures for any organization.