10 Most Common Passwords of 2026 (And How Fast They Crack)
Are You Using These 10 Most Common Passwords?
The same passwords have topped the “most used” list for 13 straight years. 123456 is still number one. password is still in the top five. Neither will be going anywhere in 2026.
What’s changed isn’t the list — it’s the hardware. A password that took hours to crack in 2019 now falls in seconds. Below are the 10 most common passwords of 2026, how many times each appeared in this year’s breach data, how fast each one cracks on modern hardware, and what to replace them with.
Where This List Comes From
The ranking is drawn from aggregated credential-dump analysis published annually by password-manager vendors and security researchers (NordPass, SpecOps, Hive Systems, and the HIBP breach corpus).
The 2026 set reflects roughly 5.3 billion unique credential records exposed across breaches in 2024–2025. Frequency counts are approximate; rankings track closely across sources.
Crack times below assume offline attack at 10 billion guesses per second — the realistic scenario after a site is breached and its password hashes are downloaded.
The 10 Most Common Passwords of 2026
1. 123456
Appearances in breach data: 38.7 million · Crack time: instant.
The grandfather of bad passwords. It’s the default behaviour when someone is asked to “make up a password” and doesn’t want to. Every cracking dictionary has it in the first 10 entries.
Better alternative: a 5-word passphrase like bronze-clay-river-piano-wheat — still easy to type, trillions of times stronger.
2. password
Appearances in breach data: 12.4 million · Crack time: instant.
If 123456 is the shrug, password is the shrug with extra confidence. It’s often the system default that people never change. Capitalizing it (Password) or adding an exclamation (Password!) doesn’t help — both variants are also in the top 100.
3. 123456789
Appearances in breach data: 8.1 million · Crack time: instant.
A common response to sites that require “at least 8 characters.” It satisfies the length requirement without requiring any thought, which is exactly the problem with length requirements unbacked by guidance.
4. qwerty
Appearances in breach data: 7.9 million · Crack time: instant.
The first “keyboard walk” password. Attackers have built entire rulesets around keyboard geometry — qwerty, asdfgh, 1qaz2wsx, zxcvbnm are all cracked in the same microsecond. If you can draw a line on your keyboard to spell your password, it’s already in a dictionary.
5. admin
Appearances in breach data: 6.3 million · Crack time: instant.
Mostly appears on routers, IoT devices, and admin panels that shipped with admin/admin and were never changed. A growing share of home-network compromises in 2025 came from exactly this pattern. Every router you own should have had its default credentials changed the day you plugged it in.
6. 111111
Appearances in breach data: 5.2 million · Crack time: instant.
The “repeat any one character” genre — 000000, aaaaaa, and zzzzzz all appear in the top 50. Often PIN-style, likely originating from phone-pattern locks where a single digit is fastest to enter.
7. 12345678
Appearances in breach data: 4.8 million · Crack time: instant.
The “minimum-length-of-8” variant. Sites that require 8 characters without enforcing a breach-password check are essentially training users toward this password.
8. abc123
Appearances in breach data: 4.1 million · Crack time: instant.
The “mix letters and numbers to look strong” approach. Technically satisfies many complexity checkers. Cracks in the same microsecond as 123456.
9. password1
Appearances in breach data: 3.7 million · Crack time: instant.
A case study in why “append one character” is useless. Every cracking rule set includes “append 0–9” as one of the first transformations it tries. password1 through password9 all crack instantly; so do Password1!, P@ssword1, and every other small variation.
10. welcome
Appearances in breach data: 3.4 million · Crack time: instant.
Often the default password issued by HR on a new employee’s first day. If IT doesn’t force a change at first login, a surprising share of accounts keep it forever.
Where this data comes from: NordPass publishes an annual Top 200 Most Common Passwords report; we also draw on the SpecOps 2025 weak-password data and the HIBP breach corpus. NordPass and the major password managers all offer breach-password scanning as a standard feature — if you’re using one, you’d know immediately whether your current password is on any of these lists.
Worse Than the Top 10: The Pattern Passwords That Feel Unique But Aren’t
At least a user of 123456 has no illusions. The more dangerous category is patterns that feel personal — the user believes they’ve made something unique, and so skips the password manager. Every one of these patterns appears millions of times in breach data.
- Season + year + symbol: Summer2025!, Winter2024!. Forced-rotation corporate password policy is directly responsible for this genre. Crack time: seconds.
- Name + birthday: Sarah1987, Mike0612. The birthday is the four digits attackers try first after any English name. Crack time: minutes — and considerably less if the attacker has any context (like a breached social profile).
- Sports team + number: Lakers24, YankeesRule99. Team dictionaries are built into every major cracking ruleset.
- Company name + variant: Acme2025, Acme!. The employee thinks it’s unique to them; every attacker targeting that company tries it in the first 100 guesses.
- Keyboard walks: 1qaz@WSX, Zaq1xsw2. These look random to a human; they’re the first 500 passwords in any keyboard-walk dictionary.
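A sketch of how a signup or password-change form could screen for the patterns above, by undoing the same transformations a cracking ruleset applies (appended digits and symbols, symbol swaps, keyboard geometry) before looking the result up. This is an added example, not code from the article: COMMON_BASES, weak_patterns, is_keyboard_walk and the context_words parameter are hypothetical names, and the nine-entry blocklist is a constructed stand-in for a full breach list.

```python
import re

# Constructed sample data: the article's top-10 bases; a real check loads a full breach list.
COMMON_BASES = {"123456", "password", "123456789", "qwerty", "admin",
                "111111", "12345678", "abc123", "welcome"}
SEASON_RE = re.compile(r"(spring|summer|autumn|fall|winter)(\d{2}|\d{4})\W*")
# Rows and left-hand columns of a US QWERTY keyboard, in both directions.
_LINES = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
          "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
KEY_LINES = _LINES + [line[::-1] for line in _LINES]
UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")   # Shift+digit -> digit
DELEET = str.maketrans("@$!", "asi")                   # common symbol swaps


def is_keyboard_walk(pw, min_run=3):
    """True if pw splits entirely into runs that follow a keyboard row or column."""
    s = pw.lower().translate(UNSHIFT)
    reachable = {0}                       # indices where a new run may start
    for i in range(len(s)):
        if i not in reachable:
            continue
        for j in range(i + min_run, len(s) + 1):
            if any(s[i:j] in line for line in KEY_LINES):
                reachable.add(j)
    return len(s) >= min_run and len(s) in reachable


def weak_patterns(pw, context_words=()):
    """Return the reasons pw matches a pattern described above (empty list = none found)."""
    low = pw.lower()
    reasons = []
    # Undo "append digits/symbols" and symbol swaps, then look up the base word.
    base = re.sub(r"[\d\W_]+$", "", low).translate(DELEET)
    if low in COMMON_BASES or base in COMMON_BASES:
        reasons.append("common base")
    if base and base in {w.lower() for w in context_words}:
        reasons.append("context word + suffix")
    if SEASON_RE.fullmatch(low):
        reasons.append("season + year")
    if is_keyboard_walk(pw):
        reasons.append("keyboard walk")
    return reasons
```

Passing the account holder's name and the organisation's name as context_words covers the name + birthday and company + variant cases; an empty result only means none of these specific patterns matched, not that the password is strong.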
Check Your Own Passwords — Here, Privately
Don’t type in your actual password — use something with the same structure. If the crack time comes back under a year, it’s on one of these lists or close enough that a modern cracker will try it in the first thousand guesses. The checker runs entirely in your browser; nothing is sent anywhere.
What to Do About It
Three steps, in order of impact:
- Run your current passwords through a breach check. Have I Been Pwned’s Pwned Passwords tells you whether a given password has appeared in any known breach. Any “yes” — even if it’s not one of the 10 above — means change it today.
- Install a password manager and let it generate unique 20-character passwords per site. Bitwarden is free and open source; 1Password Families is our pick for multi-user households.
- Turn on two-factor authentication on your email, password manager, and financial accounts. An attacker who has your password still can’t log in without the second factor.
Did you know? 81% of hacking-related breaches involved weak, stolen, or reused passwords (Verizon Data Breach Investigations Report). The fix — a password manager plus 2FA on your five most important accounts — takes about 20 minutes and essentially closes the biggest attack surface you have.
Frequently Asked Questions
What is the most common password in 2026?
123456 remains the most common password in 2026, appearing in roughly 38.7 million breach records — the same position it has held for over a decade.
How fast can hackers crack the most common passwords?
Every password in the 2026 top 10 cracks instantly — under one second — on modern GPU hardware. They aren’t truly being “cracked” so much as looked up: every cracking tool tries them in the first few entries of its dictionary.
Is password1 safer than password?
No. Adding a single digit to the end of a dictionary word is one of the first transformations every cracking tool tries. password1 cracks in the same microsecond as password.
How can I check if my password is in a breach?
Use Have I Been Pwned’s Pwned Passwords tool. It uses a privacy-preserving lookup (k-anonymity) so you can check a password without sending it across the internet in full. Most major password managers also offer breach scanning as a built-in feature.
What should I use instead of a common password?
Either a 14+ character random password generated by a password manager, or a 5-word random passphrase from the EFF Diceware list. Both give you 60+ bits of entropy — strong enough to resist a modern offline attack for decades.
Why do the same passwords keep showing up year after year?
Because the failure mode is psychological, not technical. People reach for the path of least resistance when asked to invent something on the spot, and millions of people independently arrive at the same shortcuts (123456, password, keyboard walks). The fix is to stop inventing passwords at all and let a password manager generate them.







