The Most Common Passwords (And Why Yours Might Be One)
Every year, researchers analyze billions of leaked credentials from data breaches. Every year, the results are depressing. The same passwords keep showing up, used by millions of people, cracked in under a second. If your password is on this list — or anything resembling it — it's not a password. It's an open door.
The Wall of Shame: Top 20 Most Common Passwords
Every single one of these is cracked instantly by any modern attack tool. They don't even require brute force — they're in every attacker's dictionary file.
"123456" has been the most common password for over a decade. It appeared in more than 37 million leaked accounts in the most recent analysis. People know it's bad. They use it anyway. Don't be people.
It's Not Just the Obvious Ones
The top 20 list is just the tip. Researchers categorize common passwords into patterns, and if your password matches any of these patterns, it's in the dictionary files that attackers run first — long before they resort to brute force.
Keyboard walks
qwerty asdfgh zxcvbn qwerty123 1qaz2wsx qazwsx
Running your fingers across the keyboard isn't random. Every cracking tool knows every keyboard pattern on every layout — QWERTY, AZERTY, QWERTZ, and Dvorak.
Year-based passwords
summer2025 password2024 welcome2025 january2026
Attackers don't just try common words — they append the current and recent years to every word in their dictionary. A four-digit year only adds about 50 guesses per dictionary word. That's nothing.
Sports teams and pop culture
cowboys lakers batman pokemon starwars minecraft
If it's a team name, movie character, video game, or any cultural reference, it's been in breach databases for years. These get tested very early in any dictionary attack.
Personal info
fluffy123 mike1990 sarah! mydog2024 dallas75201
Pet names, first names, birth years, cities, zip codes — attackers scrape this from social media and public records, then generate targeted password lists. This is called a "mangling attack" and it's extremely effective against human-created passwords.
"Clever" substitutions
p@ssw0rd l3tme1n s3cur1ty @dmin!23
Leet speak substitutions (a→@, o→0, e→3, s→$) have been in every cracking toolkit since the early 2000s. These add almost zero protection. An attacker's dictionary includes every common substitution pattern automatically.
How to Check if Your Passwords Have Been Leaked
Have I Been Pwned (haveibeenpwned.com) is a free service run by security researcher Troy Hunt. Enter your email address and it tells you which data breaches have exposed your credentials. If your email shows up — and statistically, it will — change the password for that service immediately, and change it on any other service where you reused the same password.
The site also offers a password checker that tells you whether a specific password has appeared in any known breach database. It does this without ever sending your actual password over the internet — it uses a cryptographic technique called k-anonymity that only transmits a partial hash.
What to Do Right Now
If you recognized any of your passwords on this page, here's the fix: open your password manager (or get one — Bitwarden is free), go to your most critical accounts first (email, bank, anything with financial info), and replace each password with a randomly generated one that's at least 16 characters long. Then enable multi-factor authentication on every account that supports it.
For the full breakdown on what actually makes a password secure, read our guide on what makes a strong password. For the hard numbers on how long different passwords take to crack, check the crack time table.
FAQ
What is the most common password?
"123456" has been the most common password for over a decade, appearing in tens of millions of leaked accounts. Other perennial entries include "password", "qwerty123", and "111111". All of these are cracked instantly by any modern attack tool.
How do I know if my password has been leaked?
Visit haveibeenpwned.com and enter your email address. The site checks your email against known data breaches and tells you which services have exposed your credentials. If your email appears, change the password for that service immediately — and any other service where you used the same password.
Why do people keep using weak passwords?
Convenience. The average person has over 100 online accounts. Memorizing a unique, complex password for each one is impossible without a password manager. People default to simple, reusable passwords because the alternative seems too hard. The solution isn't better memory — it's a password manager that handles the complexity for you.