Top 15 Most Common Passwords in 2026: Is Yours on the List?

It’s estimated that 66% of small businesses have experienced a cyber attack in the last year. It’s not just businesses that are affected. Individuals can be cyber-attacked and are often easier targets. In many cases, cyberattacks are complex affairs aimed at breaching firewalls and other defense mechanisms. However, hackers and cybercriminals can also access your data by simply hacking your password and using it to gain unauthorized access to your accounts. 

To stay safe online, you need secure passwords. The more unique a password, the harder it will be for others to break it. It can be difficult to choose a safe and secure password. However, once you realize how common certain passwords are in 2026, you’ll appreciate how easy it is to hack your accounts. In short, you need to avoid the most common passwords and the most obvious ones.

The Top 15 Most Common Passwords in 2026

If you’re using one of these most commonly used passwords, you need to change your password immediately. 

1. 123456
2. 123456789
3. admin
4. Qwerty
5. welcome
6. Password
7. Password1
8. p@ssw0rd
9. 12345
10. Qwerty123
11. 1q2w3e
12. 12345678
13. 111111
14. 1234567890
15. Q2w3e4r5t

The above list is based on actual data breaches that have occurred and the facts leaked. This makes it easy to see which passwords have been used and compile a list of the most popular ones. It was simply a case of compiling the data into a table, focusing on passwords, and sorting it to locate the passwords used the most. This approach allowed us to analyze over 15 billion passwords.

Sadly, only just over 2 billion of these passwords were unique. That means 13 billion passwords were easy to guess. If your password is one of the above, or even very similar, you should change it now. It’s worth noting that Hive Systems, a cybersecurity firm, has produced an estimate for how long it takes to hack a password based on the number. Here are the highlights:

• Any password of numbers only up to 11 characters long can be hacked virtually instantly.
• Passwords 6 characters long that use numbers, upper and lowercase letters, and special symbols can also be hacked instantly.
• A 10-character password using numbers, upper and lowercase letters, and special symbols takes approximately two weeks to hack.
• An 11-character password with numbers, upper and lowercase letters, and special symbols takes 3 years.
• An 18-character password with numbers, upper and lowercase letters, and special symbols takes 26 trillion years!

Having to change your passwords and constantly think of new, yet unique, words or phrases can be difficult. Fortunately, you don’t have to. The simplest and most effective approach is to use a password generator. These are often built into password manager apps. All you have to do is ask the app for a password, and it will give you a randomly generated combination of letters, numbers, and special characters. Some of the best password generators currently available include:

• NordPass
• RoboForm
• Dashlane
• LastPass
• Strong Password Generator
• KeePass

Before you use any password manager, it’s a good idea to review them. This will help to ensure you choose wisely. Consider the following:

• Check for SOC 2 Type II audits

This independent audit looks at cloud-based services and their approach/handling sensitive data. All company data is analysed to assess breaches, control policies, and more. It’s worth noting that LastPass failed their 2024 audit.  

• Make sure they have offline or open-source options

KeePass and 1Password both offer offline/open-source options. Choosing a service provider with these qualities means you can easily access your passwords anywhere, even if you’re offline. That’s useful as you never know when you’ll need a password. 

• Check for breaches

Simply Google the name of the password manager and add the word breach or something similar. You’ll quickly know if they have suffered any embarrassing leaks or breaches. Steer clear of these. 

• Extra Features

Password managers can work effectively as standalone tools. However, many offer extras, such as VPNs, which can be useful. Check what additional benefits the service offers and whether they’ll be beneficial to you. 

Common Threads In Passwords

One of the best things about creating a password list based on data breaches is that we can see what inspiration people use to create passwords. In most cases, the passwords were linked to a passion, such as sport or food. There were also plenty of location-based ones. Of most interest was the use of numbers. Many people used the most obvious numbers, such as 123 or 111 combinations. Alternatively, using the year of birth also proved to be a popular option. 

That means anyone cracking a password will instantly know your age. Equally, a password hacker can find out your age from social media accounts and use this to help them figure out your passwords. The funniest part is that most people realize they need strong and unique passwords. When choosing one, most people will think about things that are easy to remember. They will then use these things as part of their password.

After all, they will be easy to remember. While you may think this gives you a safe and unique password, the opposite is true. Because the password is based on something important to you, it’s surprisingly easy for others to deduce it. It’s easier today than it has ever been, as there is so much information about you online, most of which you have posted yourself to social media sites. 

Hackers also use sentiment analysis. This is where personal and emotional information is extracted from things you post online. This gives hackers inspiration regarding potential passwords. Today, AI is getting increasingly better at analysing sentiments and identifying what’s important to you. What this means is that hackers, using hacking tools and AI, have never had it easier. That’s why you need to evaluate your passwords today.

Generating A Strong Password

The simplest way to generate a strong password is to use a password generator. However, you may be concerned about this. Password generators create strong, unique passwords. But they are not easy to remember. That means you’ll have to record them somewhere. That can make it more difficult to locate and use a password when you need it. A password generator combined with a password manager is generally considered to be the safest approach. If you want to create your own, remember the following:

• The longer the password, the harder it will be to guess.
• Every secure password should have letters in upper and lower case, numbers, and a symbol. They should be interspersed throughout the world, although NIST guidelines have not recommended special characters since 2017.
• As of 2025, it’s recommended that you use four or more random words put together, making over 12 characters. For example, “FastRunSmoothDance.”
• Never use the passwords listed in this guide.
• In the past, changing passwords regularly had been recommended. However, according to NIST 800-63B, it’s now better to keep the same password unless it has already been breached. They found frequent password changes led to weaker passwords, as minor and predictable changes are often made. This makes them easier to hack. 
• You should also enable FIDFO2/WebAuthn whenever you can. This can be broken into two sections. WebAuth is a standard API that allows interaction between web applications and authenticators. It provides secure web authorisation. The FIDO2 part generates a set of keys, which are unique to the transaction. One is private, the other public. The site uses the public key and authenticates it. You, the client, use the private key. It creates a secure dual-authentication process. It’s secure and unphishable.

Defending Against Credential Stuffing

As mentioned, credential stuffing involves hackers identifying your login and password, then trying them on as many websites as possible. If you’ve reused the same password, you’re going to have a lot of issues. You’re not alone. According to the 2024 Verizon DBIR, 61% of data breaches are thanks to passwords being reused. 

To protect against this, you must have a different password for every login, no matter how many. You should almost always check for data breaches via monitor.firefox.com. Alongside this, it’s a great idea to enable Multi-Factor Authentication (MFA) on all your accounts. It means you can’t access an account with just a password.

Monitoring Breaches

We recommend you monitor breaches. If you don’t, how else will you know if your data may have been compromised? The good news is that there are several free detection tools you can use:

• Have I Been Owned – checks for email and password breaches.
• Google Password Checkup – This tool is integrated into Chrome and scans for password reuse.

There are others; make sure you review them thoroughly before using one. 

The Effect Of AI

Unsurprisingly, AI tools have become more powerful. They are now regularly used to hack passwords. It’s one of the most pressing reasons why you need to ditch your weak passwords now. Look at it this way, a simple password like ‘Soccer!2025’ can be hacked in approximately 4 minutes. In contrast, four random words, like ‘TeamFourBestLuck’, will take approximately 34,000 years or more to hack. 

Consider Your Password Use

We know it can be challenging to constantly create secure passwords. That’s why we recommend creating secure ones and keeping them. It’s also worth noting that not all sites need the same level of security. For example, financial services, such as banking, and email accounts, need the highest possible security. Make sure you create very strong passwords. In contrast, using a password to access a forum once is a much less risky prospect. You can use simple passwords, but they still need to be secure and unique.

The Number Combinations

It’s common for people to add a number to the end of the password. The most common option, after 11 or 123, is the year. People will generally choose the year they were born, the year they created the password, or a significant year, such as when they got married or when a child was born. Our analysis of the password data shows that 2010 was the most popular year to add passwords. It was closely followed by 1987 and then 1991. This fits with known data on computer users and passwords.

Creating passwords started to become popular/essential in the 2000s. People born in the 1980s and early 1990s would be the first generation that needed to create multiple passwords. There was also a baby boom during this period. In short, there are more people with birth dates in the 1980s than in other decades; therefore, more passwords will be required. The popularity of 2010 in passwords is a little harder to categorize. However, it is most likely an attempt to be unique while making it easy to remember the year chosen. After all, if you pick 2008 but don’t have a specific event associated with the year, it will be difficult to remember which year you included in your password. 

Favorite Names

People often try to be unique by using a name as part of their password. While this could be their name or a child’s name, the statistics don’t support this. The most commonly used names in passwords are:

• Eva – over 7 million uses.
• Alex – also over 7 million uses, just fifty thousand behind Eva.
• Anna – with six and a half million uses.
• Max – five and a half million uses.
• Ava – five million uses.
• Ella – nearly four million uses.
• Leo – three and a half million uses.
• Jack – three million uses.
• Ryan – also three million uses.
• Daniel – two and a half million uses.

That’s not the same as the most common children’s names. However, it is consistent with most celebrities, showing where password inspiration comes from. Unfortunately, if you use a celebrity name and mention them frequently on social media, you’re instantly giving people a clue regarding your password.

Top Sports Team

It’s not surprising that sports teams feature heavily in passwords. Again, they are very easy to predict. Discovering the most popular sports team passwords provides an interesting list of the most popular teams in the world. Suns (the NBA’s Phoenix Suns) are the most popular. Heat (Miami Heat) is the second most popular. Even soccer makes an appearance, with Liverpool being the most popular and fifth on the overall list. There are more NBA teams than soccer teams, potentially showing that the NBA is more popular than soccer. Of course, there are a lot more people living in the US than in the UK, which could affect the results.

Curse Words

You may consider using a curse word, as it is more likely to be unique. Equally, people may be less likely to suggest it as a password. However, you’re not alone. Of the fifteen billion passwords analyzed, 152 million of them had curse words in them. That’s approximately 7%. The most favorite option is ‘ass’. Another popular option is ‘sex’, and the traditional ‘f**k’ is the third-place option.

Cities As Part Of Passwords

A lot of people take pride in where they live and what their town or city has to offer the world. It’s only natural to want to share that with the world. That’s why people will often share city information on their social media channels. In the process, they’ll be helping hackers guess their password. The other city option is your birth city, if that’s different from where you live now. Again, there will be plenty of references to this on social media, which will help hackers guess your password. Interestingly, the most popular city to use in passwords is ‘abu.’ This is followed by ‘Rome’ and ‘Lima.’ An interesting mix.

Days And Seasons

Everyone has a specific time of year they love the most. For many, it’s the summer season, a Friday evening or Saturday morning, the weekend stretching out in front of you. After all, that’s generally when you feel happiest about life. Surprisingly, while summer is the most popular season as part of a password, it’s followed by winter. May is the preferred month, followed by June, then August. Friday scores the top position for days, but strangely, according to the data collected, Saturday is the least popular day. This would make sense if people are adding the day they were born as part of the password. Many fewer babies are born on a Saturday than during the week.

Food-Based Passwords

The most popular food-based word is simply ‘ice.’ It could be used in a wide array of contexts. Interestingly, it’s followed by tea, one of the most popular drinks in the world. Other options include ‘pie,’ ‘cookie,’ and even ‘cake.’

The Strength Of These Popular Passwords

At first glance, any of the above can seem hard to guess. After all, there are so many possible options. But, unfortunately, when a favorite food, sports team, or similar is used, you’re likely to talk about it online a lot. That gives everyone an idea of what your password could be. However, the real issue with the passwords extracted from the data is that very few of them had eight characters or more. In other words, their length alone made them weak and easier to guess.