Every year, security researchers analyze leaked credential databases to find out what passwords people actually use. The results are consistently alarming — and remarkably consistent year after year. Here's what 2024's breach data tells us.
The top offenders
Based on analysis of breach databases compiled through 2024, the most common passwords remain depressingly predictable:
- `123456` — the perennial #1, appearing in hundreds of millions of accounts
- `password`, `password1`, `Password1!`
- `123456789`, `12345678`, `1234567890`
- `qwerty`, `qwerty123`, `Qwerty1!`
- `iloveyou`, `sunshine`, `princess`
- `admin`, `letmein`, `welcome`
- `monkey`, `dragon`, `master`
⚠️ If you use any password on this list: Change it immediately. These passwords are tried first in every dictionary attack, and they appear in every wordlist a cracker would use. They provide essentially zero security.
Patterns that don't help
Beyond specific words, certain patterns are so common they're modeled by every serious cracking tool:
- Any word + `1` or `123` (e.g., `football123`)
- Any word + `!` at the end (e.g., `sunshine!`)
- Capitalizing the first letter (e.g., `Dragon`)
- Leet-speak substitutions: `@`→`a`, `0`→`o`, `3`→`e`, `1`→`l`
- Years appended: `password2024`, `password2025`
- Keyboard walks: `qwerty`, `asdfgh`, `1qaz2wsx`
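
An added example, not part of the original article: a signup-time check that undoes the transformations listed above and tests what remains against a blocklist. The blocklist is a constructed sample of words from this page, and the function and constant names are illustrative assumptions.

```python
import re

# Constructed sample blocklist: base words from the list on this page.
COMMON_BASES = {
    "123456", "password", "qwerty", "iloveyou", "sunshine", "princess",
    "admin", "letmein", "welcome", "monkey", "dragon", "master", "football",
}
# Leet substitutions named above: @->a, 0->o, 3->e, 1->l
DELEET = str.maketrans({"@": "a", "0": "o", "3": "e", "1": "l"})
# Keyboard rows plus the left-hand column walk (1qaz2wsx...)
KEY_RUNS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
            "1qaz2wsx3edc4rfv5tgb6yhn7ujm"]
# Each step undoes one transformation from the list above, in this order.
UNDO_STEPS = [
    ("trailing !", lambda s: s.rstrip("!")),
    ("capitalization", str.lower),
    ("appended digits or year", lambda s: re.sub(r"\d+$", "", s)),
    ("leet substitution", lambda s: s.translate(DELEET)),
]


def is_keyboard_walk(pw, min_len=6):
    """True if the whole password is one run along a keyboard row or column walk."""
    s = pw.lower()
    return len(s) >= min_len and any(s in r or s in r[::-1] for r in KEY_RUNS)


def weak_reasons(pw):
    """Patterns that reduce pw to a blocklisted base; [] means none matched, not 'strong'."""
    if pw in COMMON_BASES:
        return ["common password"]
    if is_keyboard_walk(pw):
        return ["keyboard walk"]
    reasons, s = [], pw
    for name, undo in UNDO_STEPS:
        reduced = undo(s)
        if reduced != s:
            reasons.append(name)
            s = reduced
        if s in COMMON_BASES:
            return reasons + ["common base word"]
    return []


if __name__ == "__main__":
    for candidate in ["Password1!", "Dr@g0n!", "1qaz2wsx", "tV9#qLm2$Xw7pRz!"]:
        print(candidate, "->", weak_reasons(candidate) or "no modeled pattern")
```

A production check would load a full breach-derived blocklist in place of the sample set; the reduction steps stay the same.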
Why does this keep happening?
Humans are bad at choosing random strings. We naturally gravitate toward meaningful words, familiar patterns, and minimal effort. When a site forces us to add complexity, we apply the same predictable transformations. The solution isn't to try harder to be random — it's to use a tool that is actually random.
✅ The fix is simple: Let a generator create your passwords. A random 16-character string has nothing in common with any breach wordlist. Use our generator and a password manager — no memorization required.