Most Common Weak Passwords in 2026 — The List Attackers Try First
- The top 10 most common passwords account for millions of compromised accounts every year.
- Attackers try these lists first — a password in the top 1000 is cracked in under a second.
- Any variation of "password," "123456," or your name is likely already in attack dictionaries.
- Test your password against a strength checker to see exactly where it falls on the scale.
Every year, breach researchers analyze hundreds of millions of leaked credentials and publish lists of the most commonly used passwords. Attackers run through these lists before attempting anything else. If your password appears anywhere near the top — or follows the same patterns — it is effectively compromised the moment an attacker targets your account.
The Top 20 Most Common Passwords (From Breach Data)
These appear consistently at the top of analyses from NordPass, HaveIBeenPwned, and security researchers compiling breach databases:
- 123456
- password
- 123456789
- 12345678
- 12345
- 1234567
- password1
- iloveyou
- admin
- welcome
- monkey
- login
- abc123
- starwars
- 123123
- dragon
- passw0rd
- master
- hello
- freedom
If your password is on this list, change it immediately. An attacker with a compromised hash database will crack these in milliseconds. Even against rate-limited online login forms, these appear in every credential stuffing attack.
Common Patterns That Are Just as Dangerous as the Top 20
The list above contains specific words, but patterns are equally exploited. These categories represent millions more easily cracked passwords:
- Your name + year: "Sarah1990," "Michael2024" — attackers combine name lists with year ranges
- Company name + number: "Google123," "Netflix2024" — common with work accounts and streaming services
- Sports team + year: "Yankees2024," "Lakers23" — sports teams and championship years are staples of cracking dictionaries
- Keyboard walks: "qwerty," "asdfgh," "zxcvbn" — any pattern that follows keyboard layout
- Repeated characters: "aaaaaaa," "1111111" — zero entropy variation
- Season + year: "Spring2024!," "Winter2025!" — exactly how users respond to mandatory rotation policies
Each of these categories exists as a dedicated list in the tools crackers use. Adding a "!" at the end or capitalizing the first letter is not enough — both modifications are already included in the variations attackers generate.
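The category checks described above, as an added example that is not part of the original article: a small Python classifier that strips the bolted-on suffix, undoes the usual character substitutions, and reports which of the page's weak-pattern categories a password falls into. The name, brand and team sets are constructed stand-ins for the much larger lists real cracking tools ship with.

```python
import re

# Tiny embedded stand-ins for the lists cracking tools ship with: the top-20
# is the page's list; the name/brand/team sets are constructed samples.
COMMON = {"123456", "password", "123456789", "12345678", "12345", "1234567",
          "password1", "iloveyou", "admin", "welcome", "monkey", "login",
          "abc123", "starwars", "123123", "dragon", "passw0rd", "master",
          "hello", "freedom"}
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
NAMES = {"sarah", "michael", "john", "david", "jessica"}      # constructed
BRANDS = {"google", "netflix", "amazon", "facebook"}           # constructed
TEAMS = {"yankees", "lakers", "cowboys", "patriots"}           # constructed
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Undo substitutions crackers already try: @->a 0->o 1->i 3->e 4->a 5->s $->s !->i
LEET = str.maketrans("@01345$!", "aoieassi")
YEAR = re.compile(r"(19\d\d|20\d\d|\d\d)\W*")   # 1990, 2024 or 23, then symbols
NUMBER = re.compile(r"\d+\W*")                  # any digits, then symbols

def split_base_suffix(pw):
    """Lower-case and split into (base word, trailing digits/symbols); the
    suffix is what users bolt on to satisfy complexity rules."""
    m = re.fullmatch(r"(.*?)([^a-z]*)", pw.lower())
    return m.group(1), m.group(2)

def weak_patterns(pw):
    """Return the weak-pattern categories a password matches ([] if none)."""
    low = pw.lower()
    base, suffix = split_base_suffix(pw)
    word = base.translate(LEET)                  # "p@ssw0rd" -> "password"
    reasons = []
    if low in COMMON or word in COMMON:
        reasons.append("common-password")
    if len(low) >= 4 and len(set(low)) == 1:
        reasons.append("repeated-character")
    if len(low) >= 4 and any(low in r or low in r[::-1] for r in KEYBOARD_ROWS):
        reasons.append("keyboard-walk")
    for label, words, pat in (("name", NAMES, YEAR), ("season", SEASONS, YEAR),
                              ("team", TEAMS, YEAR), ("company", BRANDS, NUMBER)):
        if word in words and pat.fullmatch(suffix):
            reasons.append(label + ("-plus-number" if pat is NUMBER else "-plus-year"))
    return reasons

if __name__ == "__main__":
    for pw in ["p@ssword", "Summer2024!", "Michael1985", "Lakers23", "Google123",
               "qwerty", "1111111", "cloud-river-flamingo-desk"]:
        print(f"{pw:28} {weak_patterns(pw) or 'no known pattern'}")
```

An empty result only means none of these cheap template checks fired; it says nothing about breach exposure, which is a separate lookup.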
How Common Weak Passwords Score in a Strength Checker
Testing the top passwords against a strength checker shows exactly why they fail:
| Password | Strength Score | Estimated Crack Time |
|---|---|---|
| 123456 | Very Weak | Instant |
| password | Very Weak | Instant |
| Password1! | Weak | Seconds |
| Summer2024! | Weak | Hours |
| Michael1985 | Weak | Minutes |
Notice that "Summer2024!" achieves a Weak score (not Very Weak) because it technically has all four character types. But the crack time is measured in hours, not years — because the base word and pattern are well-known to attackers.
A genuinely random 12-character password with all character types takes thousands of years at the same cracking speed. The difference is not in the character types used — it is in the randomness of the selection.
Why Breach Lists Are Different From Strength Scores
A password strength checker measures mathematical difficulty — entropy, character variety, and pattern resistance. It does not know whether a password has already appeared in a breach database.
This distinction matters because a high-scoring random password becomes compromised the moment it appears in a breach — regardless of its mathematical strength. Once "K7#mxL2!Pq9n" appears in a leaked credential file, attackers can try it as a dictionary entry.
This is why using unique passwords for every account is non-negotiable. The same strong password used across 20 sites means that when any one of those 20 services is breached, all 20 accounts are vulnerable.
For breach exposure specifically, tools like HaveIBeenPwned let you check whether a password has appeared in known breach databases. Strength checkers and breach checkers solve different problems — you need both.
What to Use Instead of a Common or Weak Password
The simplest upgrade from any weak password is to generate a random replacement. For accounts where you need to remember the password without a manager:
- Use four random unrelated words: "cloud-river-flamingo-desk" is 28 characters, easy to type, and not in any dictionary
- Add a number or symbol anywhere in the phrase: "cloud-river-7-flamingo-desk" increases entropy without making it harder to remember
- Avoid personal information: Your name, birthday, pet name, and city are all in databases attackers use to generate targeted guesses
For accounts stored in a password manager, generate a fully random 16-20 character string. You only need to remember the master password — make it a long passphrase.
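To put numbers on "the difference is in the randomness of the selection" and on the passphrase advice above, here is an added Python example (not from the original article) that compares the guess space of a template password, a four-word passphrase and a fully random string, and generates a passphrase with the OS CSPRNG. The template sizes (4 seasons x 30 years x 10 symbols, 1000 names x 100 years), the 7776-word list size and the 1e10 guesses/second rate are assumptions for illustration.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def random_string_bits(length, alphabet_size):
    """Entropy of a uniformly random string: each position adds log2(alphabet)."""
    return length * math.log2(alphabet_size)

def passphrase_bits(word_count, wordlist_size):
    """Entropy of a passphrase whose words are drawn uniformly from a list."""
    return word_count * math.log2(wordlist_size)

def pattern_bits(*choice_counts):
    """A human 'pattern' password only has as many possibilities as there are
    ways to fill its template, e.g. season x year x trailing symbol."""
    return math.log2(math.prod(choice_counts))

def crack_years(bits, guesses_per_second):
    """Time to exhaust the whole space at a given offline guessing rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR

def random_passphrase(wordlist, word_count=4, sep="-"):
    """Pick words with the OS CSPRNG (secrets), never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))

# Assumed rate for an offline attack on a fast unsalted hash; real rates vary
# by orders of magnitude (slow hashes such as bcrypt are far lower).
RATE = 1e10

if __name__ == "__main__":
    # Constructed mini word list; a real Diceware-style list has 7776 words.
    words = ["cloud", "river", "flamingo", "desk", "anchor", "pepper", "violet", "quartz"]
    print("generated:", random_passphrase(words))
    for label, bits in [
        ("Summer2024! (4 seasons x 30 years x 10 symbols)", pattern_bits(4, 30, 10)),
        ("Michael1985 (1000 names x 100 years)", pattern_bits(1000, 100)),
        ("4 words from a 7776-word list", passphrase_bits(4, 7776)),
        ("12 random chars, 94-symbol alphabet", random_string_bits(12, 94)),
    ]:
        print(f"{label:50} {bits:5.1f} bits  ~{crack_years(bits, RATE):.3g} years")
```

The four-word passphrase lands near 52 bits, which holds up against online guessing and slow hashes but is a matter of days against a fast offline hash at this rate; the 12-character random string is over a million years at the same rate.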
Check If Your Password Is on the Weak List
Enter any password to see its strength score, estimated crack time, and exactly what to improve. Nothing is transmitted — your password never leaves your browser.
Frequently Asked Questions
How do attackers know my password is a common one?
They do not know your specific password — they try all known common passwords and patterns first. Credential stuffing tools work through breach lists and wordlists automatically, trying millions of combinations per second. If your password is in any breach list or follows a known pattern, it falls early in the attack sequence.
Is "password123" bad even if my site requires special characters?
Yes. Common words plus predictable number sequences are in every attack dictionary, including variations. "password123" scores Very Weak and would be cracked in seconds against an offline hash. Meeting minimum complexity requirements does not mean meeting minimum security.
What if I change one letter of a common password?
This is exactly what attackers expect. Cracking tools generate systematic variations of every word in their lists — changing letters, adding numbers, substituting symbols. "p@ssword," "passw0rd," "password!" all appear in attack dictionaries as known variations.
How do I check if my specific password has been breached?
Use HaveIBeenPwned — it has a database of over 800 million leaked passwords. You can check a password hash without revealing the full password. Strength checkers (including this one) measure mathematical strength, not breach exposure. You need both tools for a complete picture.
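The "check a password hash without revealing the full password" lookup mentioned here and in the breach-list section above, as an added Python example that is not part of the original article: SHA-1 the password, send only the first five hex characters to the Pwned Passwords range endpoint, and compare the remaining 35 characters locally against the returned list. The range body is a constructed offline stand-in (the middle suffix is the real SHA-1 tail of "password"; the neighbouring suffixes and all counts are made up), so the demo runs without network access.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # HIBP Pwned Passwords range endpoint

def hash_prefix_suffix(password):
    """SHA-1 the password (the format Pwned Passwords indexes) and split the 40 hex
    chars into the 5-char prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix, range_body):
    """Search a range response ('SUFFIX:COUNT' per line) for our suffix and return
    its count, or 0 when absent. The server only ever learned the prefix."""
    for line in range_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix, timeout=10):
    """Live lookup of one prefix (needs network; not used by the offline demo)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "weak-password-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, fetch=fetch_range):
    """Return how many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = hash_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))

# Constructed offline stand-in for the server: one range body for prefix 5BAA6.
# Middle suffix is the real SHA-1 tail of "password"; neighbours/counts are made up.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "0000A1B2C3D4E5F60718293A4B5C6D7E8F9:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
        "FFFF0123456789ABCDEF0123456789ABCDE:1",
    ]),
}

def offline_fetch(prefix):
    return SAMPLE_RANGES.get(prefix, "")   # unknown prefixes: empty body, count 0

if __name__ == "__main__":
    for pw in ["password", "cloud-river-flamingo-desk"]:
        print(f"{pw!r}: seen {breach_count(pw, fetch=offline_fetch)} times")
```

Swap `offline_fetch` for the default `fetch_range` to query the live service; the password itself still never leaves the machine, only the five-character prefix does.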