One of the most persistent and underestimated cybersecurity risks is near-identical password reuse. This is the practice of adding or changing a character in an existing password, instead of creating a unique password.
To highlight the evident risks, a NordPass survey shows that 62% of U.S. workers, 60% of UK employees, and 50% of German workers admit they reuse passwords across multiple online accounts.
When a new password is needed, people often just add a letter or a number to secure the new account. Analysis of passwords leaked to the dark web tells the same story. The “Top 200 most common passwords 2025” list is populated with nearly identical passwords. Researchers found 119 such passwords in the list.
From “admin” to “admin1” — why hackers love minor tweaks in your login credentials
The new analysis reveals that a common habit of making small tweaks to existing passwords — such as adding a number or changing a symbol in an existing password, instead of creating a unique one — is a massive security risk that hackers easily exploit.
Despite company policies and security training, this widespread practice of using near-identical passwords remains one of the biggest, most underestimated threats, the survey finds.
This risky behaviour is indeed widespread. NordPass’ password reuse survey reveals that too many people reuse passwords across multiple online accounts. On average (mean), people reuse passwords for about five accounts, with one-fifth admitting to reusing them for 10 or more accounts.
Adding a letter, a number, or a symbol
According to the survey data, 68% of people who reuse passwords make at least some changes before reusing them. The most common change is adding or changing a number, symbol, or letter.
This lax approach to security can result in stolen data, an emptied bank account, and a lot of anxiety. The problem is that in many firms this practice technically does not violate the password policy: a rule such as "at least 12 characters, mixed character classes, not one of your last five passwords" is satisfied by changing admin to admin1, because a history check on stored hashes only catches exact repeats. A similarity check against the previous password is only possible at the moment of change, when both values are available in plaintext, and few systems perform it. So the habit often goes unnoticed by administrators and can become an entry point for threat actors, who would gladly extort or blackmail the company.
Most common variations
In the “Top 200 most common passwords 2025” list, researchers found 119 nearly identical passwords, which were divided into seven approximate groups:
- Sequential number variations. Examples: 12345, 123456, 1234567, 987654321.
- “Admin” variations. Examples: admin, Admin, adminadmin, admin123.
- “Password” variations. Examples: password, Password1, p@ssw0rd, Passw0rd.
- Keyboard pattern variations. Examples: qwerty, qwerty123, abcd1234, Abcd@1234.
- Repetitive pattern variations. Examples: 11111111, 111111111, aa112233, aabb1122.
- Common word variations. Examples: welcome, Welcome1, test123, Test@123.
- Prefix/suffix variations. Examples: a123456, Aa123456, Aa@123456, 12345678a.
The most numerous groups are sequential number variations, keyboard pattern variations, and repetitive pattern variations.
Why do people reuse passwords?
A third of users who reuse passwords say they do it because they have too many accounts to manage different passwords for each one. About 25% say that they find it inconvenient to create and manage unique passwords.
In other words, people reuse passwords because it’s easier that way. The average person has around 170 passwords. Remembering unique passwords for all of them is simply not realistic.
Password safety tips
According to the research, a few general rules greatly improve digital hygiene and help avoid falling victim to cyberattacks caused by poor password management:
- Security training. Many companies are already doing this. Although this doesn’t always work — sometimes even cybersecurity professionals get fooled — training bears fruit. Companies that run regular security workshops experience fewer cases of reused credentials, and employees often use this knowledge in personal life.
- Password policies and technologies. Companies should have robust password policies. Ideally, the company’s system would automatically compare newly created passwords with those already leaked on the dark web and prevent the creation of one that is the same as, or very similar to, a leaked one. Screening new passwords against lists of known-compromised values is also what NIST SP 800-63B recommends. It’s best to use password generators for both personal and work accounts.
- Multi‑factor authentication (MFA). So far, this is the most reliable and convenient way to provide additional protection for business and personal accounts. MFA requires a second factor when logging in, such as a one-time code, an authenticator-app prompt or a hardware security key, so it can stop account takeover even when the threat actors have your password. Note that one-time codes can still be captured by a real-time phishing page, so prefer phishing-resistant factors (FIDO2 security keys or passkeys) where a service offers them.
- Password manager. It can help you generate, store, manage, and safely share passwords. A password manager removes the need to rely on memory altogether. Instead of trying to come up with something clever or easy to remember, it creates long, random passwords that don’t follow patterns. And you don’t need to remember them: just autofill or copy-paste.
- Consider passkeys. A passkey pairs public‑key cryptography with the device’s own unlock (biometrics or a PIN): the private key never leaves the device and each site gets its own key pair, so there’s nothing to type, nothing to forget, and nothing to reuse. Although adoption is somewhat slower than expected, many major platforms already support them. Where passkeys are unavailable, turn on MFA.
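The similarity check the policy tip above describes (reject a new password that is the same as, or a trivial variant of, the previous one or of a leaked one), together with the variation groups listed under “Most common variations”, as a worked example. This is an added illustration, not NordPass’s code: the leaked list is a constructed sample, and the normalisation rules (case folding, undoing leet substitutions, stripping digit and symbol padding) and the edit-distance threshold of two are assumptions chosen to catch the groups listed in the article.

```python
"""Near-identical password check (added illustration, not NordPass code).

Flags a candidate that is the same as, or a trivial variant of, the user's
previous password or an entry in a leaked-password list, then falls back to
the pattern groups from the article (common words, sequential runs,
repetition, keyboard walks).  The leaked list is a constructed sample; the
normalisation rules and the edit-distance threshold are assumptions.
"""
import re
import string

# Leet substitutions undone during normalisation (heuristic, not exhaustive).
LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
COMMON_WORDS = ("admin", "password", "welcome", "test", "letmein")
# Constructed stand-in for a breach corpus (a real deployment checks millions).
LEAKED_SAMPLE = ["123456", "admin", "password", "qwerty", "welcome", "aa112233"]


def canonical(pw: str) -> str:
    """Reduce a password to its core: Password1, p@ssw0rd and PASSWORD -> 'password'."""
    core = pw.lower()
    stripped = core.strip(string.digits + string.punctuation)  # drop '123' / '@' padding
    if len(stripped) < 3:  # mostly-digit passwords keep their digits (123456, a123456)
        stripped = core
    out = []
    for i, ch in enumerate(stripped):
        # Only undo leet when the character sits between letters, so the
        # digits of '123456' are not mistaken for 'i2e4s6'.
        between = 0 < i < len(stripped) - 1 and stripped[i - 1].isalpha() and stripped[i + 1].isalpha()
        out.append(LEET.get(ch, ch) if between else ch)
    return "".join(out)


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def near_identical(candidate: str, known: str, max_edits: int = 2) -> bool:
    """True if the two passwords share a core or differ by only a few edits."""
    a, b = canonical(candidate), canonical(known)
    if a == b:
        return True
    shorter, longer = sorted((a, b), key=len)
    if len(shorter) >= 4 and shorter in longer:  # admin -> adminadmin, 123456 -> Aa@123456
        return True
    return edit_distance(a, b) <= max_edits


def pattern_class(pw: str):
    """Name the article's pattern group a password falls into, or None."""
    core = canonical(pw)
    if any(word in core for word in COMMON_WORDS):
        return "common word"
    steps = {ord(y) - ord(x) for x, y in zip(core, core[1:])}
    if len(core) >= 4 and steps in ({1}, {-1}):  # 1234567, 987654321, abcd
        return "sequential"
    if re.fullmatch(r"(.+?)\1+", core) or re.fullmatch(r"(?:(.)\1)+", core):  # 111111, aabb1122
        return "repetitive"
    if any(row[i:i + 4] in core for row in KEYBOARD_ROWS for i in range(len(row) - 3)):
        return "keyboard"
    return None


def check_new_password(candidate: str, previous: str, leaked=LEAKED_SAMPLE):
    """Return a rejection reason, or None if the candidate passes all three checks."""
    if previous and near_identical(candidate, previous):
        return "near-identical to previous password"
    for pw in leaked:
        if near_identical(candidate, pw):
            return f"near-identical to leaked password {pw!r}"
    label = pattern_class(candidate)
    if label:
        return f"follows a common {label} pattern"
    return None


if __name__ == "__main__":
    for cand, prev in [("Summer2024!", "Summer2023!"), ("p@ssw0rd", "Winter99"),
                       ("Aa@123456", "hunter2"), ("987654321", "hunter2"),
                       ("mQ7#vL9!tzRq", "hunter2")]:
        print(f"{cand:14} -> {check_new_password(cand, prev) or 'accepted'}")
```

The check runs at password-change time because that is the only moment the previous password and the candidate are both available in plaintext; a history of hashes can only catch exact repeats. Normalising before comparing is what turns Summer2023! to Summer2024! into a detected repeat rather than a policy-compliant change.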
Overall, sophisticated password protection is essential for securing sensitive information and preventing unauthorised access.
