Passwords play a huge role in how you stay safe online. They protect your accounts, devices and money. Still, many people pick logins that criminals can guess in seconds. 

The latest NordPass report shows this problem again. This year, “admin” took the top spot as the most common password in the United States.

NordPass and NordStellar, two cybersecurity companies that track leaked credentials and online threats, reviewed millions of exposed passwords to spot trends. They also examined how password habits differ across generations. The pattern is clear: many of us still rely on simple words, easy number strings and familiar keyboard patterns. These choices give attackers a quick path into countless accounts.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.

183 MILLION EMAIL PASSWORDS LEAKED: CHECK YOURS NOW

Most common passwords in the United States

NordPass shared its top 20 list for 2025. “Admin” sits at number one. Variations of the word “password” take up five spots. Number strings appear nine times. One explicit term even made the list.

Here are the 20 most common passwords in the USA this year:

• admin
• password
• 123456
• 12345678
• 123456789
• 12345
• Password
• 12345678910
• Gmail.12345
• Password1
• Aa123456
• f*******t
• 1234567890
• abc123
• Welcome1
• Password1!
• password1
• 1234567
• 111111
• 123123

Weak logins remain a major problem because criminals rely on automated tools. These tools try simple words and common patterns first. When millions of people reuse the same easy passwords, attackers succeed fast.

HOW TO USE PASSKEYS TO KEEP YOUR COMPUTER SAFE

Global trends show the same risky password behavior

The United States is not alone. Globally, “123456” ranks as the most common password. “Admin” and “12345678” follow closely behind. These patterns appear because they are easy to remember. Sadly, they are also easy to crack.

Researchers noticed one shift worth noting: more passwords now include special characters. The increase is sharp. However, most examples remain weak. Strings like P@ssw0rd and Abcd@1234 still follow predictable rules that tools can break with little effort.

The word “password” stays popular around the world. People even use it in local languages. This shows how widespread the problem is.

Why younger generations still make unsafe password choices

Many people assume younger adults understand digital safety. They grew up with phones and social media. Research shows that this assumption is wrong.

NordPass found that an 18-year-old often picks the same weak password patterns as an 80-year-old. Younger users favor long number sequences. Older users lean toward names. Neither group creates secure or random strings. Generations Z and Y tend to avoid names. Generations X and older use them often. Each approach carries risk because attackers expect both patterns.

AI-POWERED SCAMS TARGET KIDS WHILE PARENTS STAY SILENT

Why weak passwords remain a big threat

Weak passwords fuel data breaches and account takeovers. Criminals run scripts that check billions of combinations every second. When your password is common, they break in fast.

A single stolen login can expose your email, social accounts, bank information and more. Many attacks start this way. Once criminals get inside one account, they often try the same password on others.

Steps to stay safe with your passwords 

You can improve your digital safety with a few simple habits. These steps help block common attacks and protect your accounts.

1) Create strong random passwords

Pick long passwords or short passphrases. Aim for at least 20 characters. Mix letters, numbers and special characters. Avoid patterns. 

2) Avoid password reuse

Use a unique password for each account. If one login gets hacked, the others stay safe.

3) Review and update weak passwords

Check your old logins. Replace anything short, predictable or reused. Fresh passwords lower your risk.

4) Use a password manager

A password manager creates secure passwords and stores them safely. It also fills them in for you, so you do not need to remember them.

Next, see if your email has been exposed in past breaches. Our No. 1 password manager pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials. 

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.

5) Turn on multi-factor authentication (MFA)

MFA adds a second check before you log in. It is one of the easiest ways to block attackers.

6) Keep your software updated

Update your phone, computer browsers and apps on a regular schedule. These updates patch security gaps that criminals try to exploit. When you fall behind on updates, weak passwords become even riskier because attackers can pair old software flaws with easy logins.

Pro Tip: Use a data removal service

Leaked passwords often come from old profiles on data broker sites you forgot about. A data removal service can wipe your personal info from those sites and reduce how much of your data ends up on breach lists. When less of your information is floating around online, your accounts become less tempting targets.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Kurt’s key takeaways 

Weak passwords remain a huge issue in 2025, even with new tools and better education. You have the power to improve your security with a few quick changes. When you build strong habits, you make it harder for criminals to get inside your accounts. Small steps add up fast and give you far more protection online.

What do you think keeps people stuck on weak passwords even when the risks are clear? Let us know by writing to us at Cyberguy.com.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter. 

Copyright 2025 CyberGuy.com.  All rights reserved.

We’ve seen Sony’s DualSense Edge discounted on a few occasions this year, and now it’s back on sale ahead of Black Friday as part of Sony’s ongoing holiday promo. Right now, you can snag the pro-style gamepad in either black or white at Amazon, Walmart, and Best Buy for around $169 ($30 off), which is just $10 shy of its previous low. The black version of the DualSense Edge is seldom discounted by this much, so now’s a good time to pick one up if you prefer the stealthier look.

If you spend a lot of time gaming on the PlayStation 5, the DualSense Edge elevates the experience by offering more customization than Sony’s standard DualSense controller. For starters, its deep software integration with the PS5 lets you create up to four profiles, each with customization options for button mapping, stick sensitivity, and assigning commands to the rear buttons. You can create separate profiles for Ghost of Yōtei and Arc Raiders, for instance, and swap between them on the fly without having to leave your game.

In addition to custom profiles, the DualSense Edge lets you adjust the feel of the triggers (L2 and R2), so you can tailor them to specific play styles and games. You can set the triggers to be more sensitive for online shooters like Call of Duty: Black Ops 7, or less sensitive for racing games to achieve smoother acceleration and braking. Moreover, the Edge makes it easy to swap out stick modules in case one stops working.

As much as we enjoy how much you can customize the DualSense Edge, though, it’s not without its faults. In his review, The Verge’s Cameron Faulkner found that the controller averaged only about eight hours of battery life on a full charge, which is worse than the standard DualSense controller. It does, however, come with a long charging cable that can lock into the controller, preventing it from accidentally being yanked out.

Android users have been dealing with a steady rise in financial malware for years. Threats like Hydra, Anatsa and Octo have shown how attackers can take over a phone, read everything on the screen and drain accounts before you even notice anything wrong. Security updates have helped slow some of these strains, but malware authors keep adapting with new tricks. 

The latest variant spotted in circulation is one of the most capable yet. It can silence your phone, take screenshots of banking apps, read clipboard entries, and even automate crypto wallet transactions. This threat is now known as Android BankBot YNRK, and it is far more advanced than typical mobile malware.

Sign up for my FREE CyberGuy ReportGet my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter

How the malware infiltrates devices

HOW ANDROID MALWARE LETS THIEVES ACCESS YOUR ATM CASH

BankBot YNRK hides inside fake Android apps that appear legitimate when installed. In the samples analyzed by researchers at Cyfirma, the attackers used apps that impersonated official digital ID tools. Once installed, the malware begins profiling the device by collecting details such as brand, model and installed apps. It checks whether the device is an emulator to avoid automated security analysis. It also maps known models to screen resolutions, which helps it tailor its behavior to specific phones.

To blend in, the malware can disguise itself as Google News. It does this by changing its app name and icon, then loading the real news.google.com site inside a WebView. While the victim believes the app is genuine, the malware quietly runs its background services.

One of its first actions is to mute audio and notification alerts. This prevents victims from hearing incoming messages, alarms or calls that could signal unusual account activity. It then requests access to Accessibility Services. If granted, this allows the malware to interact with the device interface just like a user. From that point onward, it can press buttons, scroll through screens and read everything displayed on the device.

BankBot YNRK also adds itself as a Device Administrator app. This makes it harder to remove and helps it restart itself after a reboot. To maintain long-term access, it schedules recurring background jobs that relaunch the malware every few seconds as long as the phone is connected to the internet.

What does the malware steal

Once the malware receives commands from its remote server, it gains near-complete control of the phone. It sends device information and installed app lists to the attackers, then receives a list of financial apps it should target. This list includes major banking apps used in Vietnam, Malaysia, Indonesia and India, along with several global cryptocurrency wallets.

With Accessibility permissions enabled, the malware can read everything shown on the screen. It captures UI metadata such as text, view IDs and button positions. This helps it reconstruct a simplified version of any app’s interface. Using this data, it can enter login details, swipe through menus or confirm transfers. It can also set text inside fields, install or remove apps, take photos, send SMS, turn call forwarding on and open banking apps in the background while the screen appears inactive.

In cryptocurrency wallets, the malware acts like an automated bot. It can open apps such as Exodus or MetaMask, read balances and seed phrases, dismiss biometric prompts, and carry out transactions. Because all actions happen through Accessibility, the attacker never needs your passwords or PINs. Anything visible on the screen is enough.

The malware also monitors the clipboard, so if users copy OTPs, account numbers or crypto keys, the data is immediately sent to the attackers. With call forwarding enabled, incoming bank verification calls can be silently redirected. All of these actions happen within seconds of the malware activating.

7 steps you can take to stay safe from banking malware

Banking trojans are getting harder to spot, but a few simple habits can reduce the chances of your phone getting compromised. Here are seven practical steps that help you stay protected. 

FBI WARNS OVER 1 MILLION ANDROID DEVICES HIJACKED BY MALWARE

1) Install strong antivirus software

Strong antivirus software helps catch trouble early by spotting suspicious behavior before it harms your Android device or exposes your data. It checks apps as you install them, alerts you to risky permissions and blocks known malware threats. Many top antivirus options also scan links and messages for danger, which adds an important layer of protection when scams move fast.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com

2) Use a data-removal service to shrink your digital footprint

Data brokers quietly collect and sell your personal details, which helps scammers target you with more convincing attacks. A reputable data-removal service can find and delete your information from dozens of sites so that criminals have less to work with. This reduces spam, phishing attempts and the chances of ending up on a malware attack list.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com

3) Install apps only from trusted sources

Avoid downloading APKs from random websites, forwarded messages or social media posts. Most banking malware spreads through sideloaded apps that look official but contain hidden code. The Play Store is not perfect, but it offers scanning, app verification and regular take-downs that greatly reduce the risk of installing infected apps.

4) Keep your device and apps updated

System updates often patch security issues that attackers exploit to bypass protections. Updating your apps is just as important, since outdated versions may contain weaknesses. Turn on automatic updates so that your device stays protected without you having to check manually.

5) Use a strong password manager

A password manager helps you create long, unique passwords for every account. It also saves you from typing passwords directly into apps, which reduces the chance of malware capturing them from your clipboard or keystrokes. If one password gets exposed, the rest of your accounts remain safe.

Next, see if your email has been exposed in past breaches. Our No. 1 password manager (see Cyberguy.com) pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials. 

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com

6) Enable two-factor authentication wherever possible

2FA adds a confirmation step through an OTP, authenticator app or hardware key. Even if attackers steal your login details, they still need this second step to get in. It cannot stop malware that takes over your device, but it significantly limits how far an attacker can go with stolen credentials.

GOOGLE ISSUES WARNING ON FAKE VPN APPS

7) Review app permissions and installed apps regularly

Malware often abuses permissions such as Accessibility or Device Admin because they allow deep control over your phone. Check your settings to see which apps have these permissions and remove anything that looks unfamiliar. Also, look through your installed apps and uninstall any tool or service you do not remember adding. Regular reviews help you spot threats early before they can steal data.

Kurt’s key takeaway

BankBot YNRK is one of the most capable Android banking threats discovered recently. It combines device profiling, strong persistence, UI automation and data theft to gain full control over a victim’s financial apps. Because much of its activity relies on Accessibility permissions, a single tap from the user can give attackers complete access. Staying safe means avoiding unofficial APKs, reviewing installed apps regularly and being cautious of any sudden request to enable special permissions.

Do you think Android phone makers like Samsung or Google are doing enough to protect you from malware? Let us know by writing to us at Cyberguy.com

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter

Copyright 2025 CyberGuy.com.  All rights reserved.