⚠ Security Report 2024
World’s Most Common Passwords
Every year, billions of passwords are exposed in data breaches. Security researchers analyze leaked databases and the results are consistently alarming — millions of people still protect their most sensitive accounts with passwords that can be cracked in less than a second.
The 25 passwords below appear most frequently across the largest credential databases ever analyzed. If yours is on this list, change it immediately.
DISCLAIMER: These passwords are published for educational purposes only. Using this information to gain unauthorized access to accounts is illegal. This data is sourced from publicly available security research by NordPass, HaveIBeenPwned, and Cybernews.
THE LIST
25 ENTRIES
RANK
PASSWORD
CRACK TIME
EST. USERS
RISK
WHY THESE FAIL
4 PATTERNS
NUMBER SEQUENCES
Simple numeric patterns are the first thing every brute-force tool tries. Attackers can crack every numeric sequence up to 10 digits in milliseconds.
123456
12345678
1234
123123
DICTIONARY WORDS
Any single word in any language is trivially cracked with dictionary attacks. Millions of wordlists are freely available to attackers online.
password
monkey
dragon
sunshine
KEYBOARD WALKS
Running your finger across the keyboard feels random but is completely predictable. These patterns are hardcoded into every serious cracking tool.
qwerty
qwerty123
1q2w3e
GENERIC PHRASES
Common words with a trailing “1” or “!” provide almost zero additional security. These modifications are all pre-built into modern cracking rulesets.
abc123
password1
letmein
welcome
HOW TO STAY SAFE
01 — CRITICAL
USE A PASSPHRASE
String 4–5 random unrelated words together: “coffee lamp river torch.” 20+ characters of randomness is exponentially harder to crack than any 8-character password.
02 — CRITICAL
NEVER REUSE PASSWORDS
One breach exposes every account you used the same password on. Use a unique password for every site — no exceptions, especially for email and banking.
03 — HIGH
GET A PASSWORD MANAGER
Bitwarden, 1Password, and Dashlane generate and store unique 20+ character passwords for every site. You only need to remember one master password.
04 — HIGH
ENABLE 2FA EVERYWHERE
Two-factor authentication stops account takeovers even when your password is compromised. Use an authenticator app (not SMS) for critical accounts.
05 — MEDIUM
CHECK FOR BREACHES
Visit haveibeenpwned.com to check if your email has appeared in known data breaches. Set up alerts so you know immediately when to act.
06 — MEDIUM
AVOID PERSONAL INFO
Names, birthdays, pet names, and addresses are the second thing attackers try after common passwords. Social media makes this information trivially findable.
