The 200 Most Common Passwords in 2026 (Is Yours on This List?)
Every year, security researchers analyze billions of leaked credentials from data breaches. Every year, the results are depressing.
Despite decades of warnings, millions of people still protect their accounts with passwords that a hacker can crack in under one second. Not one minute. One second.
Here's the full list — and if you recognize yours, stop reading and generate a new one right now.
The Top 50 Most Common Passwords
These passwords appear in virtually every major data breach. They're the first entries in every hacker's dictionary attack.
| Rank | Password | Time to Crack |
|---|---|---|
| 1 | 123456 | < 1 second |
| 2 | password | < 1 second |
| 3 | 123456789 | < 1 second |
| 4 | 12345678 | < 1 second |
| 5 | 12345 | < 1 second |
| 6 | qwerty | < 1 second |
| 7 | abc123 | < 1 second |
| 8 | 1234567 | < 1 second |
| 9 | 111111 | < 1 second |
| 10 | 1234567890 | < 1 second |
| 11 | password1 | < 1 second |
| 12 | iloveyou | < 1 second |
| 13 | sunshine | < 1 second |
| 14 | princess | < 1 second |
| 15 | admin | < 1 second |
| 16 | welcome | < 1 second |
| 17 | 666666 | < 1 second |
| 18 | football | < 1 second |
| 19 | charlie | < 1 second |
| 20 | !@#$%^&* | 3 seconds |
| 21 | donald | < 1 second |
| 22 | password123 | < 1 second |
| 23 | qwerty123 | < 1 second |
| 24 | letmein | < 1 second |
| 25 | monkey | < 1 second |
| 26 | dragon | < 1 second |
| 27 | master | < 1 second |
| 28 | 123123 | < 1 second |
| 29 | 654321 | < 1 second |
| 30 | superman | < 1 second |
| 31 | qwertyuiop | < 1 second |
| 32 | michael | < 1 second |
| 33 | ashley | < 1 second |
| 34 | trustno1 | < 1 second |
| 35 | baseball | < 1 second |
| 36 | access | < 1 second |
| 37 | shadow | < 1 second |
| 38 | 696969 | < 1 second |
| 39 | passw0rd | < 1 second |
| 40 | bailey | < 1 second |
| 41 | buster | < 1 second |
| 42 | hunter | < 1 second |
| 43 | 1q2w3e4r | < 1 second |
| 44 | soccer | < 1 second |
| 45 | harley | < 1 second |
| 46 | batman | < 1 second |
| 47 | andrew | < 1 second |
| 48 | tigger | < 1 second |
| 49 | 000000 | < 1 second |
| 50 | robert | < 1 second |
Notice anything? Every single one can be cracked in under 3 seconds.
Passwords 51-100: The "Slightly More Creative" Tier
| Rank | Password | Rank | Password |
|---|---|---|---|
| 51 | thomas | 76 | freedom |
| 52 | hockey | 77 | whatever |
| 53 | ranger | 78 | thunder |
| 54 | daniel | 79 | ginger |
| 55 | starwars | 80 | hammer |
| 56 | klaster | 81 | summer |
| 57 | 112233 | 82 | george |
| 58 | jordan | 83 | 121212 |
| 59 | mustang | 84 | 555555 |
| 60 | samsung | 85 | password2 |
| 61 | austin | 86 | joshua |
| 62 | matrix | 87 | pepper |
| 63 | william | 88 | lakers |
| 64 | corvette | 89 | abcdef |
| 65 | dallas | 90 | fender |
| 66 | taylor | 91 | maggie |
| 67 | merlin | 92 | 131313 |
| 68 | blahblah | 93 | chicken |
| 69 | 696969 | 94 | oliver |
| 70 | pass | 95 | killer |
| 71 | marina | 96 | zaq1zaq1 |
| 72 | fuckyou | 97 | trustme |
| 73 | lovers | 98 | 159357 |
| 74 | biteme | 99 | cookie |
| 75 | jessica | 100 | ferrari |
Still all crackable in seconds. Hackers don't guess one by one — they run these lists through automated tools that test thousands of passwords per second against a leaked hash database.
Passwords 101-200: The Extended Hall of Shame
This group includes "clever" variations and pop culture references that people think are unique:
purple, andrea, 7777777, johnny, carlos, diamond, nicole, computer, whatever, winter, sunshine1, jackson, gizmodo, peanut, maverick, testing, Chelsea, midnight, love, sparky, camaro, matrix1, london, dakota, jennifer, patrick, martin, michelle, yankees, compaq, christian, dallas1, butterfly, jasmine, nicholas, samantha, flower, chocolate, nathan, rachel, 1qaz2wsx, junior, internet, bigdog, 11111, smokey, asdfgh, 55555, phoenix, madison, mercedes, viking, alexander, victoria, tiger, bandit, falcon, cookie1, heather, happy, corvette1, pumpkin, iceman, 123qwe, wizard, guitar, angels, helpme, creative, cassie, arsenal, brandy, knight, thunder1, james, prince, scooter, indian, avatar, blessed, 1234qwer, spencer, 2112, matrix, sierra, runner, fishing, jackass, samson, steelers, murphy, snoopy, booger, carmen, willow, genesis, diamond1, pass1234, stanley, snickers
Every single one of these has appeared in millions of leaked credentials.
The Patterns Hackers Exploit
Analyzing breach data reveals predictable patterns that people fall into:
Pattern 1: Keyboard Walks
Dragging your finger across the keyboard: qwerty, 1q2w3e4r, qwertyuiop, zaq1zaq1, !@#$%^&*. Cracking tools check all keyboard walks first.
Pattern 2: Sequential Numbers
123456, 654321, 112233, 131313. Any numeric sequence is in the dictionary.
Pattern 3: Names + Numbers
First name + birth year (michael1990), pet name + number (buddy123). Social engineering makes these trivial.
Pattern 4: Sports Teams and Pop Culture
lakers, steelers, ferrari, batman, starwars. These are in every wordlist.
Pattern 5: The "Symbol at the End" Trick
Adding 1! or 123 to an otherwise weak password. Tools specifically test base words with common suffixes.
Pattern 6: Leet Speak Substitutions
p@$$w0rd, l3tm31n, h4ck3r. These substitution rules are baked into every cracking tool. They add negligible security.
How Hackers Actually Crack Passwords
Understanding the attack methods shows why these common passwords are so dangerous:
Dictionary Attacks
Attackers feed a list of known common passwords and words into cracking software. Every password on this page falls in the first second.
Credential Stuffing
Leaked email/password pairs from one breach are automatically tested against hundreds of other sites. If you reuse passwords, one breach compromises everything.
Brute Force with Rules
Modern cracking software applies transformation rules — capitalize first letter, append numbers, substitute symbols — to dictionary words. This catches "Password1!" just as easily as "password."
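A signup-time screen for the patterns listed earlier and the transformation rules described above, as an added example that is not from the original article. It strips suffixes and undoes leet substitutions before consulting a blocklist, and flags keyboard rows, sequences and repeated blocks. The names `reject_reason`, `is_run`, `BLOCKLIST`, `LEET_TABLES` and `RUNS` are hypothetical, and the blocklist is a small constructed sample.

```python
import re

# Constructed sample: a few entries from the tables above. A real deployment
# loads a full breached-password list instead.
BLOCKLIST = {"password", "letmein", "hacker", "batman", "lakers",
             "michael", "dragon", "sunshine", "trustno1"}

# Leet substitutions from Pattern 6; "1" is ambiguous, so try both readings.
_COMMON = {"@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "3": "e",
           "7": "t", "!": "i"}
LEET_TABLES = [str.maketrans({**_COMMON, "1": "i"}),
               str.maketrans({**_COMMON, "1": "l"})]

# Keyboard rows and plain sequences (Patterns 1 and 2), US QWERTY assumed.
RUNS = ["1234567890", "!@#$%^&*()", "qwertyuiop", "asdfghjkl", "zxcvbnm",
        "abcdefghijklmnopqrstuvwxyz"]


def is_run(s, min_len=4):
    """True if s is one straight run along a row, forwards or backwards."""
    return len(s) >= min_len and any(s in r or s in r[::-1] for r in RUNS)


def reject_reason(password):
    """Return why a candidate password is predictable, or None if no rule hits."""
    pw = password.lower()
    # Pattern 5: drop a trailing block of digits/symbols ("Password1!").
    stripped = re.sub(r"[^a-z]+$", "", pw)
    for base in dict.fromkeys([pw, stripped]):  # ordered, de-duplicated
        if not base:
            continue
        if base in BLOCKLIST:
            return "common password" if base == pw else "common word + suffix"
        if any(base.translate(t) in BLOCKLIST for t in LEET_TABLES):
            return "leet-speak variant of a common password"
        if is_run(base):
            return "keyboard walk or sequence"
        if re.fullmatch(r"(.{1,4})\1+", base):
            return "repeated short block"
    return None
```

Diagonal walks such as 1q2w3e4r are not straight rows, so this check catches them only when they are on the blocklist.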
Rainbow Tables
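Pre-computed hash lookup tables that can reverse simple, unsalted password hashes instantly. Salting helps because a table built in advance no longer matches the stored hashes, but short passwords are still vulnerable to direct guessing.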
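The storage side of this, as an added example that is not from the original article: an unsalted fast hash beside a salted, slow one. A plain lookup dictionary stands in for a real rainbow table (which compresses the same precomputation using hash chains). The function names, the four-entry sample list and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: tune to your own hardware budget


def weak_store(password):
    """'Before': bare, unsalted SHA-256. Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def strong_store(password, salt=None):
    """'After': fresh 16-byte salt per account plus a slow KDF (PBKDF2)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def strong_verify(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(strong_store(password, salt)[1], key)


# Built once and reusable against every unsalted database (constructed
# sample of four entries from the list above).
PRECOMPUTED = {weak_store(p): p
               for p in ("123456", "password", "qwerty", "iloveyou")}


def reverse_lookup(stored):
    """Return the plaintext if the stored value is in the precomputed table."""
    return PRECOMPUTED.get(stored)


if __name__ == "__main__":
    alice, bob = weak_store("iloveyou"), weak_store("iloveyou")
    print(alice == bob, reverse_lookup(alice))      # same hash, reversed
    (s1, k1), (s2, k2) = strong_store("iloveyou"), strong_store("iloveyou")
    print(k1 == k2, reverse_lookup(k1.hex()))       # keys differ, no table hit
    print(strong_verify("iloveyou", s1, k1))        # login still verifies
```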
What to Do If Your Password Is on This List
Don't panic, but act now:
- Change the password immediately. Use our password generator to create a truly random one — 16+ characters.
- Check every account. If you reused that password anywhere else, change those too.
- Check for breaches. Visit haveibeenpwned.com to see if your email has been in any data breaches.
- Get a password manager. You need unique passwords for every account. Bitwarden, 1Password, and KeePassXC are all solid choices.
- Enable two-factor authentication. Even if someone gets your password, 2FA stops them cold.
What a Good Password Actually Looks Like
For comparison, here's what you should be using:
- Random password: X9#kR2!mPvL4$nQ8 — uncrackable via brute force
- Passphrase: marble-telescope-anvil-crimson — easy to remember, extremely secure
- Generated by a tool: Always better than anything a human invents
The common thread? Randomness. Humans are terrible at being random. We fall into patterns, use familiar words, make predictable substitutions. That's why a password generator exists — let the machine do the randomness, and you do the remembering (or let your password manager handle that too).
FAQ
Why do people keep using weak passwords?
Convenience and habit. People choose passwords they can easily remember and type, which means short, familiar, and reused. Password managers solve this by removing the need to memorize passwords entirely.
How do researchers know which passwords are most common?
Security researchers analyze leaked credential databases from data breaches (using only the password data, anonymized). Services like Have I Been Pwned aggregate breach data to identify patterns and common passwords.
Is my password safe if it's not on this list?
Not necessarily. This list shows the most common passwords, but any dictionary word, name, or predictable pattern is vulnerable. A truly safe password is randomly generated and at least 16 characters long.
How fast can hackers crack passwords?
With modern GPUs, a brute-force attack can test billions of password combinations per second. Simple passwords fall in under a second. A random 16-character password with mixed characters would take billions of years.
What's the single best thing I can do for password security?
Use a password manager with unique, randomly generated passwords for every account, plus enable two-factor authentication on your most important accounts. These two steps eliminate the vast majority of password-related attacks.