Most people still use simple, predictable passwords like “123456”, “password”, or “qwerty”, which is exactly why they’re so easy to hack.
Weak passwords like these are easy to guess or crack using automated tools, leaving your personal accounts wide open to cybercrime.
The most common passwords are often short, repetitive, and easy to remember, making them dangerously insecure.
Our article explores why weak passwords are seemingly still so widespread, how attackers exploit them, and how to protect yourself online.
Creating a strong password is not just another box-ticking exercise when signing up to a new website.
It’s your first, and sometimes only, line of defence against hacking, identity theft, and account hijacking.
When you use weak passwords, you’re not just risking one account; you’re potentially exposing your entire digital life.
Here’s a breakdown of the most common types of attacks that exploit weak passwords:
A brute force attack is when hackers repeatedly and persistently attempt every possible password combination until the correct one is found.
It might seem outdated, but this practice is still common and alarmingly still works!
This is especially the case when people use short or obvious passwords.
Automated software tools can attempt millions of guesses per second, meaning a password can be cracked in seconds.
The shorter and simpler your password, the quicker it will succumb to a brute force attack.
Password spraying is a cunning technique because it targets several accounts at once using a handful of common passwords, as opposed to trying hundreds of passwords on a single account (which tends to trigger security alerts).
So if your password is something like “Password123”, attackers don’t even need to target you specifically.
You’re just one of many users they’re hoping to catch at the same time!
Credential stuffing is where hackers take email and password combinations stolen from past data breaches and try them on other websites.
This works because people frequently reuse the same passwords across multiple accounts.
If your login details were exposed in one breach, hackers will test them everywhere else, like banks and other sites containing sensitive financial information, webmail, or popular e-commerce sites.
This is why reusing the exact same password across all sites is one of the dumbest things you can do.
Unlike brute force, a dictionary attack uses a list of common passwords, names, and phrases (examples being “letmein” or “football”).
Many people think they’re being original with their favourite band or pet’s name, but they’re not!
Hackers are very aware of how common this is, and tend to be one step ahead.
These attacks happen fast and are very effective because they’re based on patterns people use every day.
Humans are creatures of habit, and hackers know this!
Knowing the risks is only half the battle.
Here’s how to apply better password habits and protect your accounts from being hacked:
Passwords like “123456”, “password”, or “qwerty” are literally the first ones hackers try.
Even slightly adapted versions like “password1” or “qwerty123” offer virtually no additional layer of protection.
If a password looks blatantly obvious to you, then guess what? It will to a hacker too!
Using the same password across multiple accounts is like using the same key for your house, car, or office.
No one in their right mind would do this, so why do this for your private and sensitive online data?
If someone gets hold of your password just once, they have access to everything!
Always use unique passwords for every account, especially for sensitive services like email, banking, and cloud storage.
Using a variety of different characters increases complexity and makes passwords harder to crack.
For example, “Tr0ub4dor&3” is a lot stronger than “troubador3” or “troubador”.
However, complexity only helps when your password is also long and unique.
A short but complex password is still considered weak.
Trying to remember dozens of unique strong passwords is simply impractical.
Password manager software solves this by storing login credentials in a secure, encrypted vault.
That way, you only need to remember one strong master password, and the password manager does the rest.
There are plenty of reputable options available, and some even generate suggested strong passwords for you.
Even with a strong password, it makes sense to add additional layers of security.
MFA typically requires you to initially enter your password, followed by a code sent or generated by a separate device such as your phone or computer.
This way, even if someone has your password, they can’t log in without your second factor authentication method, giving you an extra barrier of protection.
While it’s not necessary to change passwords all the time, you should update them if:
Change passwords regularly for your most sensitive accounts.
Email and banking are two prime examples, so it’s good practice to change these frequently.
Many people give away their passwords without realising it.
Phishing emails, fake websites, and fraudulent text messages can all trick you into handing over your personal credentials.
Always check the sender, verify the website URL, and never enter passwords on sites you reached via suspicious links.
When in doubt, go directly to the website – never click links!
It’s worth checking if your email or password has ever been part of a data breach.
Websites like Have I Been Pwned allow you to search safely.
If your details have been exposed, change all your passwords immediately!
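How a password can be searched "safely", as an added example that is not code from the article or from Have I Been Pwned: the Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`) is sent only the first five hex characters of the password's SHA-1 hash, and the match is done locally. The function names are illustrative, and `constructed_range_reply` is an offline stand-in for the service with constructed sample data.

```python
import hashlib


def sha1_hex(password):
    """Upper-case SHA-1 hex digest, the form used in range replies."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def constructed_range_reply(prefix):
    """Offline stand-in for the range endpoint: one 'SUFFIX:COUNT' line per
    breached hash sharing the prefix. Passwords and counts are sample data
    copied from this page's table, not the service's real numbers."""
    breached = {"123456": 3018050, "password": 692151, "qwerty": 244879}
    lines = ["0" * 35 + ":1"]  # constructed filler entry, matches nothing
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def breach_count(password, fetch=constructed_range_reply):
    """How often the password appears in the breach set; 0 if not found.
    `fetch` receives only the hash prefix, never the password or full hash."""
    prefix, suffix = split_hash(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "vT9&kw7Lz3^mQ8@h"):
        print(pw, split_hash(pw)[0], breach_count(pw))
```

To query the live service, pass a `fetch` function that performs the HTTPS GET for the prefix and returns the response body as text.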
Below is a list of the 100 most commonly used passwords found in global data breaches.
These passwords are among the least secure in the world (Source: Nordpass).
So if you’re using any, you better change them and fast!
| Rank | Password | Time to Crack | Count |
|---|---|---|---|
| 1 | 123456 | < 1 second | 3,018,050 |
| 2 | 123456789 | < 1 second | 1,625,135 |
| 3 | 12345678 | < 1 second | 884,740 |
| 4 | password | < 1 second | 692,151 |
| 5 | qwerty123 | < 1 second | 642,638 |
| 6 | qwerty1 | < 1 second | 583,630 |
| 7 | 111111 | < 1 second | 459,730 |
| 8 | 12345 | < 1 second | 395,573 |
| 9 | secret | < 1 second | 363,491 |
| 10 | 123123 | < 1 second | 351,576 |
| 11 | 1234567890 | < 1 second | 324,349 |
| 12 | 1234567 | < 1 second | 307,319 |
| 13 | 000000 | < 1 second | 250,043 |
| 14 | qwerty | < 1 second | 244,879 |
| 15 | abc123 | < 1 second | 217,230 |
| 16 | password1 | < 1 second | 211,932 |
| 17 | iloveyou | < 1 second | 197,880 |
| 18 | 11111111 | < 1 second | 195,237 |
| 19 | dragon | < 1 second | 144,670 |
| 20 | monkey | < 1 second | 139,150 |
| 21 | 123123123 | < 1 second | 119,004 |
| 22 | 123321 | < 1 second | 106,267 |
| 23 | qwertyuiop | < 1 second | 101,048 |
| 24 | 00000000 | < 1 second | 99,292 |
| 25 | Password | < 1 second | 95,515 |
| 26 | 644321 | < 1 second | 93,825 |
| 27 | target123 | 9 seconds | 91,486 |
| 28 | tinkle | 2 minutes | 90,759 |
| 29 | zag12wsx | 1 hour | 90,456 |
| 30 | 1g2w3e4r | 3 hours | 90,415 |
| 31 | gwerty123 | 3 hours | 90,353 |
| 32 | gwerty | 5 seconds | 89,971 |
| 33 | 666666 | < 1 second | 85,054 |
| 34 | 1q2w3e4r5t | < 1 second | 82,021 |
| 35 | Qwerty123 | < 1 second | 81,636 |
| 36 | 987654321 | < 1 second | 81,383 |
| 37 | 1q2w3e4r | < 1 second | 80,951 |
| 38 | a123456 | < 1 second | 80,662 |
| 39 | 1qaz2wsx | < 1 second | 80,139 |
| 40 | 121212 | < 1 second | 77,063 |
| 41 | abcd1234 | < 1 second | 72,749 |
| 42 | asdfghjkl | < 1 second | 72,487 |
| 43 | 123456a | < 1 second | 70,235 |
| 44 | 88888888 | < 1 second | 66,349 |
| 45 | Qwerty123! | < 1 second | 62,748 |
| 46 | Qwerty1! | < 1 second | 61,722 |
| 47 | 112233 | < 1 second | 61,433 |
| 48 | q1w2e3r4t5y6 | < 1 second | 61,385 |
| 49 | football | < 1 second | 59,656 |
| 50 | zxcvbnm | < 1 second | 59,179 |
| 51 | princess | < 1 second | 58,077 |
| 52 | Qwerty1 | < 1 second | 57,562 |
| 53 | aaaaaa | < 1 second | 57,291 |
| 54 | Abcd1234 | < 1 second | 55,617 |
| 55 | Password1 | < 1 second | 54,615 |
| 56 | sunshine | < 1 second | 53,355 |
| 57 | 147258369 | < 1 second | 51,802 |
| 58 | Qwerty1234 | < 1 second | 51,432 |
| 59 | fuckyou | < 1 second | 50,828 |
| 60 | Qwerty12 | < 1 second | 50,024 |
| 61 | 123qwe | < 1 second | 49,857 |
| 62 | computer | < 1 second | 49,103 |
| 63 | baseball | < 1 second | 48,278 |
| 64 | 159753 | < 1 second | 46,922 |
| 65 | superman | < 1 second | 46,870 |
| 66 | azerty | < 1 second | 46,028 |
| 67 | dearbook | 3 hours | 45,949 |
| 68 | pokemon | < 1 second | 45,767 |
| 69 | michael | 8 seconds | 45,397 |
| 70 | 1234qwer | < 1 second | 44,938 |
| 71 | 1234561 | 1 second | 44,615 |
| 72 | 888888 | < 1 second | 44,603 |
| 73 | daniel | 5 seconds | 44,376 |
| 74 | 111222tianya | 1 day | 44,313 |
| 75 | 1234567890 | < 1 second | 44,067 |
| 76 | 1qaz2wsx3edc | < 1 second | 44,056 |
| 77 | 123456789a | < 1 second | 43,976 |
| 78 | 123654 | < 1 second | 43,836 |
| 79 | P@ssword | < 1 second | 43,773 |
| 80 | qwer1234 | < 1 second | 43,377 |
| 81 | Qwerty1? | < 1 second | 43,284 |
| 82 | 789456123 | < 1 second | 43,200 |
| 83 | 123456789 | < 1 second | 43,037 |
| 84 | Qwerty123? | < 1 second | 42,991 |
| 85 | q1w2e3r4 | < 1 second | 42,767 |
| 86 | shadow | < 1 second | 42,744 |
| 87 | 222222 | < 1 second | 42,484 |
| 88 | soccer | < 1 second | 42,229 |
| 89 | qwe123 | < 1 second | 41,530 |
| 90 | 7777777 | < 1 second | 41,347 |
| 91 | 22535 | < 1 second | 41,025 |
| 92 | asdasd | < 1 second | 40,863 |
| 93 | admin | < 1 second | 40,324 |
| 94 | killer | < 1 second | 39,524 |
| 95 | testing | < 1 second | 39,466 |
| 96 | qazwsx | < 1 second | 38,867 |
| 97 | asdf1234 | < 1 second | 38,189 |
| 98 | 1314520 | 28 seconds | 37,694 |
| 99 | 555555 | < 1 second | 36,955 |
| 100 | 12341234 | < 1 second | 36,873 |
Unbelievably, the world’s most commonly used password is still “123456”.
It appears in data breaches more often than any other and can be cracked instantly using automated tools.
Any password that’s short, simple or based on common phrases (like “qwerty”, “password”, or “123456”) is a doddle to crack.
Even passwords that look complex like “passw0rd!” are (in truth) not complex at all, and can be broken quickly if they follow predictable patterns.
The strongest passwords are at least 12 characters long, randomly generated, and unique to each and every account.
A good example is something like “vT9&kw7Lz3^mQ8@h”, which would take centuries to crack using current hacking methods.
You can always use a password manager to generate and remember these, so you don’t have to!
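A sign-up screen can enforce the points made above about slightly adapted passwords such as “password1”, about complexity only helping when a password is also long, and about look-alikes such as “passw0rd!”. The sketch below is an added example, not code from the article or from NordPass. The blocklist sample, the substitution table and all function names are assumptions for illustration.

```python
import math
import re
import string

# Sample entries named in this article; a real check would load a full
# breached-password list. All names in this block are illustrative.
COMMON = {"123456", "password", "qwerty", "football", "letmein", "abc123"}

# Assumed character swaps people use to decorate a common word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
TRAILING = re.compile(r"[\d\W_]+$")  # digits/symbols tacked on the end


def base_forms(password):
    """Simplified forms of a password that a blocklist check should test."""
    lowered = password.lower()
    stripped = TRAILING.sub("", lowered)
    return {lowered, stripped,
            lowered.translate(LEET), stripped.translate(LEET)}


def keyspace_bits(password):
    """Brute-force search space in bits, assuming every character is drawn
    at random from the classes it uses (optimistic for human-chosen words)."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def screen(password, min_length=12):
    """Return (accepted, reason); min_length follows the article's advice."""
    if base_forms(password) & COMMON:
        return False, "common password or a predictable variant of one"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, f"about {keyspace_bits(password):.0f} bits of search space"


if __name__ == "__main__":
    for pw in ("password1", "passw0rd!", "Tr0ub4dor&3", "vT9&kw7Lz3^mQ8@h"):
        print(f"{pw!r:22} {screen(pw)}")
```

The bit estimate only means something for randomly generated passwords, which is why the blocklist and length checks run first.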
The most common passwords are dangerously simple and widely used, making them easy targets for hackers.
Attacks like brute force, credential stuffing, and dictionary attacks rely on the fact that many people still use obvious passwords.
Strong password habits like using password managers, enabling multi-factor authentication, and avoiding reuse dramatically improve your online safety.
And remember, if your password appears on any “most common” lists, change it immediately, especially if it’s been breached.