Don’t let overlooked obligations become incidents. Learn how.
Utility navigation bar redirect icon
Portal LoginSupportBlogContact
Search
Close search
Huntress Logo in Teal
  • Platform Overview
    Managed EDR

    Get full endpoint visibility, detection, and response.

    Managed EDR

    Get full endpoint visibility, detection, and response.

    Managed ITDR: Identity Threat Detection and Response

    Protect your Microsoft 365 and Google Workspace identities and email environments.

    Managed ITDR: Identity Threat Detection and Response

    Protect your Microsoft 365 and Google Workspace identities and email environments.

    Managed SIEM

    Managed threat response and robust compliance support at a predictable price.

    Managed SIEM

    Managed threat response and robust compliance support at a predictable price.

    Managed Security Awareness Training Software

    Empower your teams with science-backed security awareness training.

    Managed Security Awareness Training Software

    Empower your teams with science-backed security awareness training.

    Managed ISPM

    Continuous Microsoft 365 and identity hardening, managed and enforced by Huntress experts.

    Managed ISPM

    Continuous Microsoft 365 and identity hardening, managed and enforced by Huntress experts.

    Managed ESPM

    Proactively secure endpoints against attacks.

    Managed ESPM

    Proactively secure endpoints against attacks.

    Integrations
    Integrations
    Support Documentation
    Support Documentation
    See Huntress in Action

    Quickly deploy and manage real-time protection for endpoints, email, and employees - all from a single dashboard.

    Huntress Cybersecurity
    See Huntress in Action

    Quickly deploy and manage real-time protection for endpoints, email, and employees - all from a single dashboard.

    Huntress Cybersecurity
  • Threats We Stop
    Phishing
    Phishing
    Business Email Compromise
    Business Email Compromise
    Ransomware
    Ransomware
    Infostealers
    Infostealers
    View Allright arrowView Allright arrow
    Industries We Serve
    Education
    Education
    Financial Services
    Financial Services
    State and Local Government
    State and Local Government
    Healthcare
    Healthcare
    Law Firms
    Law Firms
    Manufacturing
    Manufacturing
    Utilities
    Utilities
    View Allright arrowView Allright arrow
    Tailored Solutions
    MSPs
    MSPs
    Resellers
    Resellers
    SMBs
    SMBs
    Compliance
    Compliance
    What Gets Overlooked Gets Exploited

    Most days, nothing happens. But one day, something will.

    Huntress Cybersecurity
    Cybercriminals Have Evolved

    Get the intel on today’s cybercriminal groups and learn how to protect yourself.

    Huntress Cybersecurity
  • Pricing
  • Community Series
    The Product Lab

    Shape the next big thing in cybersecurity together.

    The Product Lab

    Shape the next big thing in cybersecurity together.

    Fireside Chat

    Real people. Real perspectives. Better conversations.

    Fireside Chat

    Real people. Real perspectives. Better conversations.

    Tradecraft Tuesday

    No products, no pitches – just tradecraft.

    Tradecraft Tuesday

    No products, no pitches – just tradecraft.

    _declassified

    Exposing hidden truths in the world of cybersecurity.

    _declassified

    Exposing hidden truths in the world of cybersecurity.

    Resources
    Upcoming Events
    Upcoming Events
    Ebooks
    Ebooks
    On-Demand Webinars
    On-Demand Webinars
    Videos
    Videos
    Whitepapers
    Whitepapers
    Datasheets
    Datasheets
    Cybersecurity Education
    Cybersecurity 101
    Cybersecurity 101
    Cybersecurity Guides
    Cybersecurity Guides
    Threat Library
    Threat Library
    Real Tradecraft, Real Results
    Real Tradecraft, Real Results
    2026 Cyber Threat Report
    2026 Cyber Threat Report
    The Huntress Blog
    Inside the RaaS Ecosystem: Operators, Affiliates & Attack Tradecraft | Huntress
    Huntress Cybersecurity
    Inside the RaaS Ecosystem: Operators, Affiliates & Attack Tradecraft | Huntress
    Huntress Cybersecurity
    Exposed RDP: The Misconfiguration Attackers Keep Exploiting
    Huntress Cybersecurity
    Exposed RDP: The Misconfiguration Attackers Keep Exploiting
    Huntress Cybersecurity
    Threat Actor Defense Evasion: How Attackers Disable AV & EDR
    Huntress Cybersecurity
    Threat Actor Defense Evasion: How Attackers Disable AV & EDR
    Huntress Cybersecurity
  • Why Huntress

    Go beyond AI in the fight against today’s hackers with Huntress Managed EDR purpose-built for your needs

    Huntress Cybersecurity
    Why Huntress

    Go beyond AI in the fight against today’s hackers with Huntress Managed EDR purpose-built for your needs

    Huntress Cybersecurity
    The Huntress SOC

    24/7 Security Operations Center

    The Huntress SOC

    24/7 Security Operations Center

    Reviews

    Why businesses of all sizes trust Huntress to defend their assets

    Reviews

    Why businesses of all sizes trust Huntress to defend their assets

    Case Studies

    Learn directly from our partners how Huntress has helped them

    Case Studies

    Learn directly from our partners how Huntress has helped them

    Community

    Get in touch with the Huntress Community team

    Community

    Get in touch with the Huntress Community team

    Compare Huntress
    Bitdefender
    Bitdefender
    Blackpoint
    Blackpoint
    Breach Secure Now!
    Breach Secure Now!
    Crowdstrike
    Crowdstrike
    Datto
    Datto
    SentinelOne
    SentinelOne
    Sophos
    Sophos
    Compare Allright arrowCompare Allright arrow
  • HUNTRESS HUB

    Login to access top-notch marketing resources, tools, and training.

    Huntress Cybersecurity
    HUNTRESS HUB

    Login to access top-notch marketing resources, tools, and training.

    Huntress Cybersecurity
    Partners
    MSPs

    Join our partner community to deliver expert-led managed security.

    MSPs

    Join our partner community to deliver expert-led managed security.

    Resellers

    Partner program designed to grow your cybersecurity business.

    Resellers

    Partner program designed to grow your cybersecurity business.

    Tech Alliances

    Driving innovation through global technology Partnerships

    Tech Alliances

    Driving innovation through global technology Partnerships

    Microsoft Partnership

    A Level-Up for Your Business Security

    Microsoft Partnership

    A Level-Up for Your Business Security

  • Press Release
    Huntress Announces Collaboration with Microsoft to Strengthen Cybersecurity for Businesses of All Sizes
    Huntress Cybersecurity
    Press Release
    Huntress Announces Collaboration with Microsoft to Strengthen Cybersecurity for Businesses of All Sizes
    Huntress Cybersecurity
    Our Story

    We're on a mission to shatter the barriers to enterprise-level security.

    Our Story

    We're on a mission to shatter the barriers to enterprise-level security.

    Newsroom

    Explore press releases, news articles, media interviews and more.

    Newsroom

    Explore press releases, news articles, media interviews and more.

    Meet the Team

    Founded by former NSA Cyber Operators. Backed by security researchers.

    Meet the Team

    Founded by former NSA Cyber Operators. Backed by security researchers.

    Careers

    Ready to shake up the cybersecurity world? Join the hunt.

    Careers

    Ready to shake up the cybersecurity world? Join the hunt.

    Awards
    Awards
    Contact Us
    Contact Us
  • Portal Login
  • Support
  • Blog
  • Contact
  • Search
  • Get a Demo
  • Start for Free
Portal LoginSupportBlogContact
Search
Close search
Get a Demo
Start for Free
HomeBlog
These Are the Most Common Passwords Hackers Target in 2026
Last Updated:
May 15, 2026

These Are the Most Common Passwords Hackers Target in 2026

By:
Brenda Buckman
Share icon
Glitch effectGlitch effectGlitch effect

Key Takeaways

  • The most common password patterns are just a series of numbers: 123456, 123456789, and 12345678. 

  • People are more likely to choose an easy-to-remember password over a more secure one.

  • Weak passwords can lead to credential attacks, like password spraying or brute force attacks.  

  • It’s best to use a long, random, and unique password that combines letters, numbers, and characters.

Are you using the same password you came up with on your very first login, however many years ago?

You’re not alone. About 23% of people admit to using the same password across three or more accounts. But is it one of the most common passwords?

If your password made this list, it’s time to consider a change. Using easy-to-guess and common passwords is almost as bad as writing your credentials down on a sticky note that you leave on your monitor. We don’t recommend it. 

Learn about the most common passwords, the password attacks they enable, and how to create a strong password that holds up against today's threats.

List of 20 most common passwords

NordPass recently compiled a list of the most commonly used passwords based on data exposed during cyberattacks from 44 different countries. The results? Well, they’re not very unique, which isn’t surprising considering password statistics show that 46% of people are more likely to choose an easy-to-remember password than a secure one. 

Here are the most common passwords, all of which take less than a second for a threat actor to crack.

Rank

Password

1

123456

2

123456789

3

12345678

4

password

5

qwerty123

6

qwerty1

7

111111

8

12345

9

secret

10

123123

11

1234567890

12

1234567

13

000000

14

qwerty

15

abc123

16

password1

17

iloveyou

18

11111111

19

dragon

20

monkey




How weak passwords enable password attacks

Using common passwords makes you an easy target for password attacks. In fact, 35% of people blame weak passwords for getting hacked. Many cyberattacks focus on using credentials to gain access to a system, account, or network to cause havoc. 

Here are some examples of cyber threats that target passwords:

Brute force attacks 

A brute force attack is a password attack where automated tools rapidly cycle through possible credential combinations, or manually guess based on personal information gathered on the target.

The effectiveness of this attack hinges on password complexity; simple passwords are cracked quickly, while complex ones can take too long, forcing attackers to move on.

Password spraying

Password spraying is a type of cyberattack where attackers try to access numerous accounts using just a few commonly used passwords. Instead of trying many password variations on a single account, they "spray" one password across a large number of accounts, before moving on to try another common password. 

This tactic helps them avoid triggering account lockout mechanisms that would occur with traditional brute force attacks. Essentially, attackers take advantage of the fact that many people use weak, predictable passwords.

Credential stuffing 

Credential stuffing is a password attack where threat actors use stolen credentials from previous data breaches to gain unauthorized access to other online accounts.They exploit the fact that many people reuse the same credentials across multiple platforms.

Automated tools quickly test these stolen credentials against various websites and services, aiming to find matches. If a match is found, the attacker can access the associated account.

Dictionary attack

A dictionary attack attempts to crack passwords by testing words and number combinations from a list of common terms. Automated tools try these words and variations across accounts.

These attacks target easily guessed passwords, like common words or simple number combinations. Unlike brute force, it focuses on likely choices, making it efficient but vulnerable to complex passwords.


How to create a strong password policy

Knowing how to create a strong password is only half the battle, a strong password policy means applying those habits consistently across every account. Here are the essentials:


  • Avoid any of the most common passwords: Using widely known passwords like "123456" or "password" is like leaving your front door unlocked—and wide open. Threat actors have access to vast databases of these common passwords, and automated tools can crack them in mere seconds, granting them easy access to your accounts.

  • Don’t repeat passwords: Reusing passwords across multiple accounts creates a single point of failure. If one of your accounts is compromised, all accounts sharing that password become vulnerable. This domino effect can lead to widespread security breaches and significant data loss.

  • Use a combination of letters, numbers, and characters: Strong passwords are built on complexity. Using both uppercase and lowercase letters, as well as numbers and special characters, makes your passwords significantly harder for threat actors to crack.

  • Use a password manager: Reputable password managers generate and securely store your passwords. This eliminates the need to remember multiple complex passwords and helps you create unique ones for each account.

  • Enable multi-factor authentication (MFA): Activate MFA whenever possible. This adds an extra layer of security by requiring a second form of verification.   

  • Be wary of phishing attempts: Be cautious of suspicious emails or messages that ask for your password. Legitimate services will never request your password via email.

  • Check for breached passwords: Use online tools to see if your passwords have been compromised in past data breaches. If so, change them immediately.

  • Think passphrases, not passwords: A password like P@$$w0rd! looks intimidating, but modern AI-powered cracking tools can break it in under a minute. The smarter approach is a passphrase — four or more random, unrelated words strung together

  • Use a password manager as your single source of truth: No one can reliably memorize 100 unique 16-character strings — and trying leads directly to the Password Reuse Trap. One breach at a minor shopping site becomes the key to your bank account when you recycle passwords. A dedicated password manager such as Bitwarden, 1Password, or Dashlane solves this completely.


A weak vs strong password.


Protect your business from password attacks

Avoiding the most common passwords is a strong first step, but protecting your business from password attacks requires continuous identity monitoring across your entire organization.

We understand what threats like credential theft and unauthorized access mean for your business, and we’re here to help. Huntress has you covered with managed ITDR — detecting and responding to identity-based threats and password attacks across your organization 24/7.


FAQs

What is the most common password?

123456 is the most commonly used password, with more than 3 million people using it. 

What is the easiest password to crack? 

Any of the most commonly used passwords are extremely easy to crack, including 123456, password, and qwerty. 

What is the strongest password? 

A strong password is long, unique, and random. It should be at least 16 characters long, not reused across multiple accounts, and consist of a random assortment of letters, numbers, and symbols with no personal meaning. 


Categories
Cybersecurity Trends
ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
AI sparkle iconSummarize This Page
ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab

Endpoint Protection For Every Business

Gain the Hacker's Edge — Huntress Managed EDR backed by our 24/7 AI-assisted SOC gives you unmatched protection.
Get Pricing
Share
Facebook iconTwitter X iconLinkedin iconDownload icon
Glitch effect

You Might Also Like

  • 36 Must-Know Password Statistics To Boost Cybersecurity (2026)

    The top password statistics might surprise you. Learn how common poor password hygiene is, plus tips for protecting your precious credentials better.

  • 13 Cybersecurity Frameworks for 2026 and How to Choose

    Discover some of the most common cybersecurity frameworks by what they’re best for, plus tips for choosing the right one for your organization.

  • Exposed Passwords on Endpoints Are More Common Than You Think

    Discover the alarming prevalence of exposed passwords on endpoints and how to safeguard your credentials. Learn from Huntress' findings and insights.

  • Seven Don’ts of Security Awareness Training

    Many security awareness training solutions aren’t easy to manage, and worse, they affect knowledge retention. Let’s review the common SAT features that diminish your ability to improve your security posture.

  • Level Up Your Business Security: Huntress Launches New Collaboration with Microsoft

    Huntress is collaborating with Microsoft to help your business get the most out of your Microsoft security investments.

  • The 36 Most Common Cyberattacks [2025]

    Learn about some of the most common cyberattacks, how threat actors access computers and networks, and how to lower future risks.

  • Boring Isn’t Harmless: The Risks Behind Common Cyberattack Tradecraft

    Don’t underestimate basic attacker tradecraft tactics. Learn how common cybersecurity tradecraft succeeds and get practical tips from the Huntress SOC to shut it down.

  • Top 10 Worst Places to Store a Password

    Check out the top 10 worst places to store your password, as commented by IT and information security professionals.

Sign Up for Huntress Updates

Get insider access to Huntress tradecraft, killer events, and the freshest blog updates.
Privacy • Terms
By submitting this form, you accept our Terms of Service & Privacy Policy
Huntress Managed Security PlatformManaged EDRManaged EDR for macOSManaged EDR for LinuxManaged ITDRManaged SIEMManaged Security Awareness TrainingManaged ISPMManaged ESPMBook a Demo
PhishingComplianceBusiness Email CompromiseEducationFinanceHealthcareManufacturingState & Local Government
Managed Service ProvidersResellersIT & Security Teams24/7 SOCCase Studies
BlogResource CenterCybersecurity 101Upcoming EventsSupport Documentation
Our CompanyLeadershipNews & PressCareersContact Us
Huntress white logo

Protecting 250k+ customers like you with enterprise-grade protection.

Privacy PolicyCookie PolicyTerms of UseCookie Consent
Linkedin iconTwitter X iconYouTube iconInstagram icon
© 2025 Huntress All Rights Reserved.

Join the Hunt

Get insider access to Huntress tradecraft, killer events, and the freshest blog updates.

By submitting this form, you accept our Terms of Service & Privacy Policy