Table of Contents

When you sign up for a new online account, you usually see a list of password requirements. For example, a website might ask you to create a password containing eight or more characters, including capital letters, numbers, and special characters.

These rules are better than nothing, but a password can be easy to crack even if it meets basic requirements. The average internet user has roughly 100 different accounts, so people tend to stick with simple passwords that are easy to remember. Since hackers know popular password habits, the common ones are particularly vulnerable.

We’ll look at some of the most common passwords and patterns in 2026. Changing your passwords to something unique makes them much more difficult for hackers to guess.

What Are the Most Common Passwords in 2026?

Cybersecurity researchers continue to analyze leaked data from breaches to understand which passwords are most often reused or exposed. According to NordPass and Dashlane, the most common passwords are still frustratingly simple:

Top 10 Most Common Passwords (2024–2025)

RankPasswordComment
1123456Still the most-used password year after year
2111111Easy to type, but extremely insecure
3adminDefault for many systems — highly vulnerable
4qwertySimple keyboard pattern easily guessed
5passwordSurprisingly still used despite years of warnings
6123456789Common variation of the #1 password
7123123Repetitive pattern with high exposure rates
812345Frequently used on systems with lower character requirements
9000000Often used as placeholder or temporary login
10iloveyouSentimental but predictable phrase found in many breaches

What Other Types of Passwords Are Common?

Number sequences are about as easy as it gets concerning password cracking, but there are many other password weaknesses to be aware of. Avoid some of these common mistakes in 2026.

Cities, sports teams, and location-specific elements

Location-specific elements vary from one place to another, so none make a list of the most common passwords overall. At the same time, these would be much more common if you narrow the scope to a particular place or region.

For example, “abu” and “rome” were represented in more than 1 million passwords. Similarly, well-known sports teams like “liverpool,” “arsenal,” and “chelsea” appeared in more than 600,000 each.

On one hand, these were included in a small percentage of the overall sample of roughly 15 billion. However, people who live close to Liverpool or Rome likely use those terms much more often than people in the rest of the world. Adding terms related to your location could make your password much easier to guess for anyone who knows your area.

Capitals at the beginning; numbers and special characters at the end

Websites and apps often require capital letters, numbers, and special characters along with password length to help protect user accounts. But users tend to deal with these in predictable ways. Since many people reuse passwords on multiple sites, it’s extremely common to simply add the required characters to the end of the base password.

With so many people adding these elements to the beginning and end of their passwords, this strategy may not be as secure as you think. Sequences like “123” are already predictable, and the issue is even worse when they’re simply tacked onto the end of a password. Instead, integrate all kinds of characters throughout your password to make guessing the sequence more challenging.

Birthdays and names

Birthdays and names are some of the other elements most commonly seen in passwords. People tend to use the names of their pets and children, but they also use others, such as the names of parents or partners.

Like location-specific details, individual birthdays and names don’t appear on “most common” lists since they vary for different people. But birthdays and names are frequently used elements in modern passwords.

Every birth year from 1975 to 2010 appeared in at least 3 million passwords out of a sample of 15 billion. 2010, the most common individual year, showed up in nearly 10 million. About one out of 30 people use their birth year in their passwords —  an insecure password choice. Since birthdays and the names of pets, children, parents, and partners are all relatively public information, it’s a good idea to avoid them when creating new passwords.

Need a password manager?
Protect your data with these top-rated password managers.
(4.8)

Editorial Rating

View Deal On RoboForm’s official website
(4.7)

Editorial Rating

View Deal On NordPass's offical website
(4.7)

Editorial Rating

View Deal On Keeper’s official website

How Can You Create a Stronger Password?

Avoiding the most popular passwords goes a long way toward making your accounts more secure, but you must also watch out for other common mistakes.

  • Create unique passwords: If your password is the same for every account, a hacker would only need to crack one of those passwords to log into all of them. Use a different password for every account to optimize your cybersecurity fully.
  • Change your passwords regularly: The longer you use the same password, the more likely someone can compromise it. Change your passwords at least once every 90 days to stay one step ahead of bad actors who want to access your accounts.
  • Use passphrases: While passwords can be difficult to remember, passphrases are typically much easier to remember. At the same time, they offer much more security against brute force attacks due to their greater length. Passphrases are passwords made up of a sequence of words ― usually about four. People often separate each word of a passphrase with an en dash (-) or other marking. An effective passphrase could be something like whistle-number-stacks-candles.

Conventional passwords are still secure if you follow basic best practices, but many people find passphrases more intuitive. Our guide to creating strong passwords helps you make your accounts as secure as possible.

What Should You Do Next?

If you saw any of your passwords on this list, switch them to strong, unique passwords as soon as possible. You may also want to optimize other passwords, even if they’re not among the most popular passwords.

Password managers are the easiest way to store, sync, and autofill your passwords for different accounts. Top password managers also come with password-generation tools that instantly create strong, unique passwords. Check out our list of the best password managers for more information.

In addition to using a password manager, small steps like enabling two-factor authentication and using a VPN when browsing online can significantly reduce your risk.

How Password Habits Are Changing in 2026

More people are embracing passphrases and password managers in response to rising cybersecurity threats. Recent reports show:

  • Over 30% of users now use a password manager.
  • Passphrases like “yellow-bicycle-coffee-moon” are growing in popularity due to their length and memorability.
  • Multifactor authentication (MFA) is also being adopted at higher rates.

Hackers continue evolving, so users must proactively update credentials and use layered security tools.

Resources

Frequently Asked Questions About Common Passwords

  • What are the most common passwords?

    The most used passwords remain simple and predictable — “123456,” “password,” and “qwerty” top the list. These passwords are frequently exploited in credential-stuffing attacks and should be avoided.

  • What is the average number of passwords per person?

    On average, people manage over 100 online accounts, often reusing passwords across platforms — a major security risk. Password managers help generate and remember secure, unique passwords for each login.

  • Why is “123456” so common?

    People prioritize convenience and often choose short number sequences out of habit. “123456” is quick to type but incredibly insecure — it appears in tens of millions of leaked passwords.

Learn More

author-img

About The Password Manager, Gunnar Kallstrom:

Kallstrom, The Password Manager, is a Cyber Team Lead for a Department of Defense (DOD) contracting company in Huntsville, Alabama, and has worked as a Computer Network Defense (CND) Cyber Analyst. An author and content creator for a cybersecurity academy, Kallstrom spent nearly 15 years in the Army as a musician before entering the cybersecurity field.

He holds a bachelor’s degree in music from Thomas Edison State University and a master’s in organizational development and leadership from the University of the Incarnate Word.

Kallstrom has completed several Computing Technology Industry Association (CompTIA) courses, including Security+, Network+, A+ Core 1, and A+ Core 2. He earned a CompTIA Security+ Certification. Additionally, he has completed the Cyber Warrior Academy program with more than 800 hours of hands-on, intensive, and lab-driven technical training in cybersecurity methods and procedures.

Passionate about all things cyber, Kallstrom was a speaker on a panel at the 2022 InfoSec World conference, giving a talk entitled “Hacking into a Cyber Career – True Stories.” Kallstrom is also a mentor to entry-level cybersecurity candidates seeking to break into the field. When he’s not working, he still enjoys playing guitar and fishing (not phishing).

Related Posts

What Is a Double-Blind Password?

Get tips on creating and using double-blind passwords to keep sensitive information safe. Read More

Two-Factor Authentication vs. Multifactor Authentication: What’s the Difference?

Learn how two-factor authentication (2FA) and multifactor authentication (MFA) differ and the ways these methods keep your information safe. Read More

5 Simple Tricks for Seriously Secure Passwords

Read about several tricks for remembering passwords so your personal and business details are always secure. Read More

Are Password Managers Safe To Use?

Learn about password managers in terms of safety and the variety of features and types offered. Read More

5 Ways You Are Using Your Password Manager Wrong

Learn about some recommended password managers and five ways you might be using yours incorrectly. Read More