Top 25 Worst Passwords and Password Patterns

Passwords. What makes them bad?

It is not just the words in a password. It is how they are used, how predictable they are, whether they have been exposed online, and whether attackers already include them in password spraying and password cracking dictionaries.

Originally published as “Top 15 Worst Passwords,” this list has been updated for 2026 to reflect modern password attack trends, compromised credential exposure, and common password spraying patterns.

This list is not meant to be a universal ranking of the most-used passwords worldwide. Instead, it highlights high-risk passwords and password patterns that commonly appear in breach datasets, password spraying attempts, password cracking dictionaries, default-password workflows, and enterprise identity environments.

Even today, weak and compromised passwords continue to play a major role in account takeover, credential stuffing, and Active Directory attacks. According to the Verizon Data Breach Investigations Report (DBIR), compromised credentials were the initial access vector in 22% of reviewed breaches, making them the top initial breach vector.

Modern attackers rarely “hack” passwords manually. Instead, they rely on automation, using massive password dictionaries filled with commonly used passwords, predictable password patterns, leaked credentials, keyboard combinations, company references, and previously exposed passwords collected from breaches and infostealer malware.

For organizations using Active Directory and hybrid identity environments, these password patterns continue to create unnecessary risk.

Here are the top 25 worst passwords and password patterns still commonly targeted in 2026.

  1. admin / administrator / root (or admin with only a few extra characters like admin1, admin!, adminX, admin123)
  2. password2026 (and iterations of it, such as 2026Password, Password!2026, Password2026!)
  3. password (and iterations of it, such as password1, password123, p4ssword, Password1!)
  4. p@ssw0rd (or other common leetspeak variations attackers already include in password cracking dictionaries)
    Even today, password and its variations consistently appear in breach datasets and password spraying attacks.
  5. 12345 (and iterations of it, such as 123456, 1234567, 12345678, 123456789)
  6. 654321 (reversed versions of common passwords and number sequences)
  7. iloveyou (and other simple emotional or personal phrases commonly used in passwords)
  8. qwerty (and iterations of it, such as qwerty1, qwerty!, qwerty123, qwertyuiop, etc.)
  9. 111111 (and others like it with repeated or sequential characters, such as 222222, 333333, 444444, 555555, etc.)
  10. 123123 (and iterations of it, such as 12341234, 1234512345, 321321, etc.)
  11. abc123 (and iterations of it, such as abcd123, abcd1234, 321cba, etc.)
  12. asdfgh (and keyboard-pattern variations such as asdfghj, zxcvbnm, qazwsx, 1q2w3e4r, etc.)
  13. Welcome1 (and onboarding or default password variations such as Welcome2026, Welcome123, NewUser123, etc.)
  14. Changeme123 (and temporary password variations such as ChangeMe, Temp1234, TempPassword1, etc.)
  15. Sports team names (such as Broncos2026, Lakers123, Yankees2026, football123, baseball123, etc.)
  16. Seasonal passwords (such as Summer2026, Winter2026, Spring2026, Fall2026, etc.)
  17. Website or company name passwords (passwords that contain the organization or website name, such as acmecompany2026, Acme123!, CompanyName1, etc.)
  18. Personal information passwords (passwords based on pet names, birthdays, children’s names, phone numbers, usernames, email handles, or other publicly discoverable information)
  19. Multi-factor themed passwords (such as MFA2026, SecureLogin1, Login123!, etc.)
  20. Passphrase variations with predictable patterns (such as PasswordPassword, LetMeIn123, MyPassword2026, etc.)
  21. Short dictionary words, common phrases, and predictable substitutions, especially passwords that fall below current NIST length guidance or are already present on a commonly used, expected, or compromised-password blocklist.
  22. Shared team or department passwords (such as Sales2026, Marketing123, SupportTeam1, Helpdesk2026, etc.)
  23. Simple SaaS or cloud-themed passwords (such as Office365123, Google123, Teams2026, Salesforce1, etc.)
  24. Passwords with common symbol substitutions (such as Summer2026!, Winter2026#, Password123$, etc.)
  25. Lastly, compromised passwords that have already been exposed online along with your username or email address!

Why weak passwords still cause breaches.

Weak passwords are no longer just a consumer problem.

Modern identity attacks increasingly rely on password spraying, credential stuffing, and valid account abuse using passwords attackers already possess. Instead of targeting a single account repeatedly, attackers often attempt commonly used passwords across many accounts at once to avoid lockouts and detection.

Infostealer malware has also dramatically increased the amount of exposed credential data available to cybercriminals. In many cases, attackers are not guessing passwords at all. They are using credentials already stolen from infected devices, browser password stores, third-party breaches, or underground marketplaces.

For enterprise environments, this becomes especially dangerous because one compromised password can provide access to VPNs, SaaS applications, email systems, cloud environments, and Active Directory infrastructure, especially when employees reuse passwords across personal and work accounts.

This is one reason why organizations increasingly focus on compromised password screening and continuous password monitoring rather than relying only on password complexity requirements.

Why “STRONG” passwords can still be unsafe.

A password may appear strong based on traditional complexity rules and still be unsafe.

For years, organizations focused heavily on password requirements involving uppercase characters, lowercase characters, numbers, symbols, and periodic password changes. While complexity still matters, many attackers now target passwords that already exist in breach datasets or password cracking dictionaries.

For example, Password!2026 may technically satisfy many password policies, but it still follows highly predictable patterns commonly used in password spraying attacks.

This is one reason modern password guidance has shifted toward identifying weak, predictable, reused, and compromised passwords rather than relying on complexity rules alone.

NIST SP 800-63B Digital Identity Guidelines recommends screening passwords against known compromised password lists and blocking common or predictable passwords. NIST also recommends avoiding unnecessary password expiration policies unless compromise is suspected.

As identity attacks continue evolving, organizations increasingly recognize that a “complex” password is not necessarily a safe password if attackers already know it.

Online Users

A strong password isn’t necessarily a safe password.

Although many passwords meet traditional complexity requirements, they may still be unsafe if they already exist in password cracking dictionaries, breach datasets, or exposed credential lists used by cybercriminals.

Using unique passwords for every account remains one of the most important steps users can take to reduce risk. Reusing passwords across websites dramatically increases exposure because a breach affecting one site can quickly lead to credential stuffing attacks against banking accounts, email platforms, streaming services, corporate logins, and other online systems.

Users should also avoid predictable password patterns tied to seasons, years, sports teams, family names, birthdays, or company references. Attackers actively target these patterns because they continue to be widely used.

Longer passphrases combined with unique passwords and multi-factor authentication provide significantly stronger protection than short, predictable passwords rotated every few months.

You can see if a sample password is generally safe, weak, or compromised here.

Organizations

Don’t let employees use weak or compromised passwords.

Many organizations still rely primarily on traditional password complexity requirements while allowing passwords that are predictable, reused, or already exposed online. Unfortunately, these passwords remain highly vulnerable to modern credential attacks.

For Active Directory environments, predictable password patterns often emerge around onboarding workflows, help desk resets, company naming conventions, seasonal password rotations, and default passwords. Attackers specifically build password spraying dictionaries around these common enterprise behaviors.

Organizations increasingly need the ability to identify and block:

  • weak passwords
  • compromised passwords
  • reused passwords
  • password similarities
  • company-related password patterns
  • passwords already exposed in breach datasets
  • seasonal password-rotation patterns
  • default, onboarding, and help desk reset passwords
  • administrator, service account, and shared account password patterns
  • username-based or email-handle-based passwords

Modern password security strategies increasingly include compromised password screening, continuous password monitoring, banned password lists, password similarity blocking, and Active Directory password protection controls.

With automated weak password filtering, fuzzy password matching, password similarity blocking, and custom password dictionary filtering, enterprises can better align with NIST password guidance while reducing exposure to credential-based attacks.
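As an added illustration (not code from the original post or from any product it mentions), the filter below shows how the pattern list above and the blocking criteria in this section can be turned into a password-change check: it strips year and symbol suffixes, undoes common leetspeak, and then tests the stem against a banned list, fuzzy similarity, seasons, keyboard walks, repetition, username and company terms, and the user's previous password. The blocklist, the 8-character floor, the 0.8 similarity threshold, and all sample inputs are constructed assumptions; a real deployment would load a full compromised-password feed and a company-specific custom dictionary.

```python
import re
from difflib import SequenceMatcher

# Constructed sample blocklist built from stems this post lists (assumption, not a full feed).
BANNED_STEMS = {"password", "admin", "administrator", "root", "welcome", "changeme",
                "iloveyou", "letmein", "temp", "temppassword", "newuser", "helpdesk",
                "mypassword", "securelogin", "login", "mfa"}
SEASONS = {"summer", "winter", "spring", "fall", "autumn"}
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "qazwsxedc", "1q2w3e4r5t6y",
             "1234567890", "abcdefghijklmnopqrstuvwxyz"]
LEET = str.maketrans("@$013457!", "asoieasti")  # undo common leetspeak substitutions
MIN_LEN = 8        # assumed policy floor; set from your own NIST-aligned policy
SIMILARITY = 0.8   # assumed fuzzy-match threshold (difflib ratio)

def stem_of(pw: str) -> str:
    """Lowercase and strip a trailing year/digit/symbol suffix (Password!2026 -> password)."""
    raw = pw.lower()
    return re.sub(r"[\d!@#$%^&*.]+$", "", raw) or raw

def similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, a, b).ratio()

def reasons_to_block(pw: str, username: str = "", company_terms=(), previous: str = ""):
    """Return the reasons a candidate password should be rejected (empty list = allowed)."""
    raw_stem = stem_of(pw)
    stem = raw_stem.translate(LEET)          # p@ssw0rd -> password
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("shorter than policy minimum")
    if stem in BANNED_STEMS:
        reasons.append(f"banned stem '{stem}'")
    elif any(similarity(stem, b) >= SIMILARITY for b in BANNED_STEMS):
        reasons.append("fuzzy match to banned stem")   # catches Pasword123, Passwrd2026
    if stem in SEASONS:
        reasons.append("season plus year/suffix pattern")
    if len(raw_stem) >= 3 and any(raw_stem in s or raw_stem in s[::-1] for s in SEQUENCES):
        reasons.append("keyboard walk or sequential characters")
    if len(set(pw)) == 1 or (len(pw) % 2 == 0 and pw[:len(pw) // 2] * 2 == pw):
        reasons.append("repeated characters or repeated block")
    handle = username.split("@")[0].lower()
    if handle and any(handle in s for s in (raw_stem, stem)):
        reasons.append("contains username or e-mail handle")
    if any(t.lower() in raw_stem or t.lower() in stem for t in company_terms):
        reasons.append("contains company or product term")
    if previous and similarity(stem, stem_of(previous).translate(LEET)) >= SIMILARITY:
        reasons.append("too similar to previous password (rotation pattern)")
    return reasons
```

Wiring this into an Active Directory password filter or a self-service reset flow is deployment-specific and is not shown here.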

To see how it can work, review this solution brief from Cybersecurity Insiders.