Weak passwords remain one of the most preventable causes of account breaches and data theft worldwide. Millions of people still rely on simple combinations that take automated tools mere seconds to crack. Updating these habits is one of the fastest ways to significantly strengthen your digital security. The following passwords appear on breach lists and hacker databases year after year without fail. If any of these look familiar, changing them today should be your first priority.
123456

This six-digit sequence has ranked as the most commonly used password globally for well over a decade. It appears in hundreds of millions of leaked credential databases recovered from major platform breaches. Any account protected by this string is essentially left open to automated brute-force attacks. Security researchers consistently use it as the first entry in any credential-testing toolkit. It offers absolutely no protection and should be replaced with an entirely unique passphrase immediately.
Password

This literal word remains one of the most frequently chosen credentials across English-speaking internet users worldwide. Its irony is not lost on cybersecurity professionals who encounter it repeatedly in breach analysis reports. Hackers and automated scripts target this exact term during the very first phase of any credential attack. Many older platforms once accepted it as a valid strong password due to outdated security standards. Users who still rely on this word are leaving their accounts dangerously exposed to even the most basic intrusion attempts.
123456789

Extending the classic six-digit run to nine digits gives users a false sense of added security. This sequence appears in virtually every major leaked password database compiled over the past fifteen years. Automated cracking tools test all simple numeric runs within the first few seconds of an attack cycle. The predictable nature of sequential numbers makes this credential trivially easy for any script to identify. Adding more digits to a pattern that follows obvious logic provides no meaningful improvement in protection.
12345678

This eight-digit numeric sequence is the slightly shorter sibling of an equally compromised credential. It consistently appears among the top five entries on annual worst-password reports published by security firms. Credential-stuffing attacks routinely cycle through every common numeric run before attempting anything more complex. Platforms that enforced eight-character minimums inadvertently encouraged millions of users to settle on exactly this combination. The length requirement means nothing when the content itself is entirely predictable.
Qwerty

This keyboard-pattern password reflects one of the most human tendencies in credential creation, reaching for what is physically close at hand. It derives directly from the first six letters on the top row of a standard QWERTY keyboard layout. Hackers maintain dedicated lists of keyboard-walk passwords that include this term in the very first batch. Despite feeling unconventional to type quickly, it remains entirely familiar to any dictionary attack database. Variations such as qwerty123 offer only a marginal and equally ineffective layer of added complexity.
Abc123

This combination emerged from early internet platforms that required both letters and numbers for password validation. It became the default solution for users who wanted to meet requirements with as little effort as possible. The pattern is so well documented that it appears in beginner-level cybersecurity training materials as a primary example. Breach databases contain this credential attached to accounts spanning email services to banking platforms. Meeting the minimum requirement is not the same as creating genuine account protection.
111111

Repeating a single digit six times is among the lowest-effort password choices a user can make. This string appears in leaked databases across virtually every major platform breach catalogued in the past two decades. Automated tools test all single-character repetition patterns before progressing to anything remotely more complex. Users often choose it for secondary or throwaway accounts without considering how reused credentials compound vulnerability. Even accounts considered low priority deserve protection that goes beyond a single repeated digit.
1234567

Seven sequential digits sit in a predictable middle ground that satisfies older platform length requirements without providing any real defense. This password appears consistently in annual compilations of the most frequently breached credentials globally. Credential-stuffing bots are specifically programmed to cycle through every complete numeric sequence during initial attack phases. The human reasoning behind choosing sequential numbers is entirely transparent to anyone designing an attack strategy. No account category is low-risk enough to justify a password this structurally simple.
Password1

The addition of a single digit to the word password was once enough to satisfy early platform complexity requirements. Millions of users adopted this exact formula when websites began enforcing alphanumeric rules in the early days of online services. Security researchers describe this as a textbook example of meeting rules without meaningfully improving protection. It appears regularly in breach reports precisely because it was so widely encouraged by outdated system prompts. A credential that simply appends one number to a dictionary word remains entirely vulnerable to modern attack methods.
12345

This five-digit sequence is perhaps the most culturally embedded weak password in internet history. It has been referenced in popular media as the archetypal example of poor security thinking for decades. Despite being one of the shortest commonly used passwords, it continues to appear in breach data tied to real active accounts. Platforms with no minimum-length enforcement allowed this credential to proliferate during the formative years of the web. It remains a fixture in every hacker dictionary and automated credential list in circulation today.
Iloveyou

Sentimental phrases entered password culture early as users sought credentials that were emotionally meaningful and easy to recall. This three-word declaration became one of the most globally common password choices across languages and regions. It gained additional notoriety through a major malware event in the early 2000s that used the phrase as a social engineering hook. Breach databases contain this credential in both lowercase and capitalised variations across millions of entries. Emotional resonance does not translate into cryptographic strength under any circumstances.
Admin

This term persists as a default credential on routers, content management systems and enterprise software installations worldwide. Network administrators and IT teams frequently encounter this word still active on devices that were never properly configured after setup. Attackers specifically target admin-level credentials because successful access grants control over entire systems rather than individual accounts. It represents a systemic vulnerability that extends well beyond personal accounts into corporate and infrastructure security. Any device or platform still using this as an active credential requires immediate reconfiguration.
Welcome

Organisations commonly assigned this word as a temporary credential for new employees during onboarding processes. The expectation was always that users would update it upon first login but that step was frequently skipped. It became so prevalent in corporate environments that it now appears prominently in enterprise-focused breach analysis reports. Attackers who gain access to company directories often test this term specifically due to its documented history in workplace IT culture. A credential used for convenience at the start of employment can create lasting institutional vulnerability.
Monkey

Single common nouns became popular password choices in the mid-internet era when dictionary attacks were less sophisticated. This particular word has maintained a puzzling but consistent presence in top-ten worst-password lists for many years. Security analysts theorise its popularity stems from being an unexpected word that users assumed would be difficult to guess. Modern dictionary attack tools contain extensive lists of common nouns drawn directly from previous breach data. Unpredictability is only meaningful when a word has not already been compromised and catalogued at scale.
Dragon

Fantasy and mythology-adjacent terms entered common password culture through gaming communities and early online forums. This word appears across gaming platform breaches as well as email and social media credential leaks. Its perceived strength comes from being a vivid and memorable noun that feels distinct from obvious numeric sequences. Breach database analysis reveals it is tested in the early stages of dictionary attacks alongside other culturally resonant single nouns. A memorable word is only valuable as a password component when it has not already been harvested from prior breaches.
Master

Authority-implying terms became popular among users who associated credential strength with the concept of control or superiority. This word appears frequently in breached credentials tied to both personal accounts and administrative access points. Its appeal lies in a psychological sense of dominance that users project onto their security choices. Cybersecurity professionals note that prestige-associated words are among the first dictionary entries tested in targeted attacks. The implied power of a word has no bearing on its actual resistance to automated cracking techniques.
Letmein

Conversational phrases entered password culture as users sought credentials that felt natural and personally expressive. This phonetic request has appeared consistently in breach data across industries and platform types for many years. It gained sustained notoriety by appearing repeatedly at the top of published worst-password lists compiled by major security organisations. The informal phrasing gives users a false impression of originality while the term is in fact exhaustively documented. A credential that reads like a casual spoken phrase is precisely the kind of string that automated tools are built to identify.
696969

Repeated digit pairs entered password databases in large volumes during early internet adoption when enforcement of complexity was minimal. This particular combination has maintained a long and consistent presence in annual breach data compilations. It offers no structural complexity beyond a two-digit sequence repeated three times. Platforms that have since introduced stricter requirements still find legacy accounts protected by credentials in this exact format. Numeric repetition patterns of any kind are fully covered by the baseline testing phase of any modern attack tool.
Sunshine

Positive and cheerful vocabulary became a common source of password inspiration for users seeking something uplifting and easy to remember. This nature-related noun appears across personal email, social media and e-commerce breach datasets in consistent volumes. Its appeal comes from its warmth as a concept but that familiarity is precisely what makes it so well represented in hacker dictionaries. Security training materials frequently cite emotionally positive single words as an especially risky password category. A pleasant association with a word is not a substitute for structural complexity in credential design.
Princess

Culturally iconic nouns drawn from childhood media and fairy tale traditions became a reliable source of password choices for many users. This title appears in breach data tied to accounts across all age groups and platform categories. Its enduring presence reflects how deeply embedded certain cultural touchstones become in the way people approach personal security decisions. Dictionary attack tools include extensive lists of culturally significant nouns compiled directly from years of breach analysis. Nostalgic or aspirational vocabulary carries the same vulnerability as any other word that has already been harvested from compromised databases at scale.
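
The pattern classes described across the entries above (listed strings, repeated digits and digit pairs, sequential runs, keyboard walks, a listed word with appended digits), as an added example that is not part of the original article: a signup-time check that goes beyond the twenty listed strings to reject their close variants. The function names and the US QWERTY row table are assumptions of this sketch.

```python
import re

# The twenty passwords listed on this page, lowercased.
PAGE_LIST = {
    "123456", "password", "123456789", "12345678", "qwerty", "abc123",
    "111111", "1234567", "password1", "12345", "iloveyou", "admin",
    "welcome", "monkey", "dragon", "master", "letmein", "696969",
    "sunshine", "princess",
}
# Assumption: US QWERTY layout, horizontal rows only.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_sequential(s):
    """True if each character is exactly one code point above the previous."""
    return len(s) >= 4 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def is_repeated_unit(s):
    """True if s is one 1-3 character unit repeated, e.g. 111111 or 696969."""
    return any(len(s) > n and len(s) % n == 0 and s == s[:n] * (len(s) // n)
               for n in (1, 2, 3))


def is_keyboard_walk(s):
    """True if s runs left-to-right or right-to-left along one keyboard row."""
    return len(s) >= 4 and any(s in row or s[::-1] in row for row in KEYBOARD_ROWS)


def weak_reason(password):
    """Return a short reason string if the candidate is weak, else None."""
    p = password.lower()  # capitalised variants are in breach data too
    if p in PAGE_LIST:
        return "listed"
    if is_repeated_unit(p):
        return "repeated-unit"
    if is_sequential(p):
        return "sequential"
    if is_keyboard_walk(p):
        return "keyboard-walk"
    # Strip appended digits/symbols: the "Password1" and "qwerty123" habit.
    stem = re.sub(r"[\d!@#$%^&*._-]+$", "", p)
    if stem != p and (stem in PAGE_LIST or is_keyboard_walk(stem)):
        return "listed-word-plus-suffix"
    return None
```

A deployed check would seed the blocklist from a much larger breached-password corpus; the twenty entries here are only the ones this page names.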
If any of these look familiar on your own list of credentials, share which habits you plan to change first in the comments.





