PasswordCrunch.com
Password Security · 6 min read

The 20 Most Common Passwords — And Why People Keep Using Them

Security researchers at NordPass analyse billions of leaked credentials each year. The same passwords appear at the top of the list year after year. Understanding why helps you avoid the same traps — and if any of yours are on this list, there are steps to take immediately.

The list

These are consistently the most frequently found passwords in data breach databases. Each can be cracked in under one second by automated tools:

123456
password
123456789
12345678
12345
1234567
qwerty
abc123
password1
111111
iloveyou
admin
letmein
welcome
monkey
dragon
master
sunshine
princess
shadow

Why people keep choosing them

It is easy to look at this list and assume the people using these passwords are careless. The reality is more nuanced. The average person now manages over 100 online accounts. Remembering 100 unique, complex passwords is genuinely beyond what human memory can handle without tools. Faced with that cognitive load, people make rational short-term decisions that are bad for long-term security: they reuse familiar credentials, they pick something memorable and simple, and they prioritise getting into the account over thinking about who else might get in.

There is also the familiarity problem. 123456 feels safe because it is what the person has always used and nothing bad has happened yet. Most account compromises go unnoticed for months. By the time someone realises their account was accessed, they may not connect it to a weak password set years earlier.

The other pattern on this list worth noting: single words. dragon, monkey, sunshine, shadow — these all appear in dictionary attacks within the first milliseconds. The same is true for their common variants: dr@g0n, monkeyXX, Sunshine1. Attackers maintain wordlists that include every dictionary word plus thousands of common substitutions.

How attackers use these lists

When a data breach occurs, the stolen credential database is typically traded on dark web forums and marketplaces within days. Attackers then run automated tools that try the leaked username-and-password combinations against other services. This is called credential stuffing. Because so many people reuse passwords across sites, a breach at a small e-commerce site can give attackers access to email accounts, banking apps and anything else the person uses the same credentials for.

Separately, attackers also run dictionary attacks — systematically trying known common passwords against accounts. The list above, and tens of thousands more like them, are loaded into attack tools by default. Any account using a password on that list is effectively unprotected.

A commonly cited figure: the 200 most common passwords account for roughly 10% of all passwords found in breach databases. That means one in ten accounts can be accessed by trying just 200 guesses — a process that takes automated tools milliseconds.

What to do if yours is on the list

First, change it immediately — not eventually. If you are using a common password for anything important (email, banking, your password manager), treat it as already compromised. Generate a new password now, update the account and move on.

Second, check whether your email address has appeared in known data breaches. The site Have I Been Pwned (haveibeenpwned.com) maintains a database of billions of compromised credentials. Enter your email and it will tell you which services you use have been breached. If a service you use appears on the list, assume the credentials for that service are known and change them.

Third, set up a password manager and stop reusing passwords. Every account should have its own unique, randomly generated credential. This single change eliminates credential stuffing as a risk entirely — even if one service is breached, the attackers cannot use those credentials anywhere else.

Replace it now

Generate a strong password to replace a weak one

Strong passwords do not need to be memorable — that is what a password manager is for. Generate a 20-character random credential here and save it somewhere secure.

Open Password Generator

Password lists are compiled from publicly available breach data. This article is for educational purposes. If you believe your accounts are actively compromised, change your credentials immediately and contact the affected services.