50 Most Common Passwords in 2026 — Are You Using One?

These are the most frequently appearing passwords in breach databases — compiled from the RockYou dataset, HIBP, and NordPass annual reports. If your password appears on this list, change it immediately. Attackers try these first in every credential attack.

The 50 most dangerous passwords

These passwords appear in billions of breach records. Cracking tools try them within the first second of any attack. Each one below can be cracked in under 1 second.

123456

password

123456789

12345678

12345

1234567

qwerty

abc123

111111

123123

admin

letmein

welcome

monkey

sunshine

princess

dragon

master

iloveyou

123321

654321

superman

michael

jessica

password1

qwerty123

shadow

liverpool

batman

trustno1

thomas

tigger

charlie

jordan

harley

ranger

daniel

andrew

chelsea

soccer

hockey

1234abcd

pass123

test123

qazwsx

p@ssw0rd

Pa$$word

changeme

default

000000

Why these passwords are dangerous

Every password on this list is included in cracking dictionaries and wordlists that attackers use. Modern password cracking tools (Hashcat, John the Ripper) can test hundreds of billions of candidates per second on GPU hardware. A password from this list is compromised in milliseconds in an offline attack against a stolen password hash.

More critically: many of these passwords are included in credential stuffing lists. Attackers don't need to crack anything — they simply try each email/password combination from breach databases across thousands of websites, fully automated. If you reused any of these passwords across accounts, every one of those accounts is at risk.

Patterns to avoid

Keyboard walks: qwerty, asdf, 1qaz2wsx, zxcvbn — all in attacker dictionaries.
Sequential numbers: 123456, 654321, 112233 — trivial to generate programmatically.
Repeated characters: 111111, aaaaaa, 000000 — extremely low entropy.
First names + numbers: michael1, jessica123 — name lists + number combinations are automated.
Sports teams + years: liverpool2024, yankees2025 — a well-known pattern.
Common substitutions: p@ssw0rd, Pa$$w0rd — these substitution patterns are included in attack rules.
"Strong-looking" weak passwords: Trustno1, Ch@ng3me — these are on the list precisely because they look strong but aren't.

Check your current password's strength

See if your password passes the common-password check and get your entropy score.

Test Password Strength →

More password security guides

Replace weak passwords immediately with our free password generator.