Recent research reveals the most vulnerable passwords of 2026 — additionally, the research determined the most commonly hacked categories of passwords.

This research was conducted by Plasma. The methodology involved assessing Comparitech’s Most Common Password report and NordPass’s Top 200 Most Common Passwords list, then leveraging KeywordTool to determine search volumes to find the 25 most common passwords based on global popularity. According to the research, higher search volumes could suggest higher public interest, which could lead to higher password usage. Therefore, this places those passwords at a greater risk of being hacked. 

The Most Vulnerable Password of 2026: “password” 

With a search volume of 10,304,600 in the past year, “password” is the most insecure password of 2026. This finding corroborates recent reports that password convenience is favored over password security in many instances. 

Top 25 Most Vulnerable Passwords of 2026 

1. password
2. admin
3. qwerty
4. 111111
5. 12345678910
6. minecraft
7. 1111
8. 654321
9. 12345
10. 123456
11. admin123
12. 123
13. Pass@123
14. 1234567
15. 1234567890
16. Aa123456
17. 123456789
18. 112233
19. 12345678
20. qwerty123
21. admintelecom
22. 123123
23. P@ssw0rd
24. abcd1234
25. 102030

The research additionally assessed the most insecure password categories, finding the most vulnerable to be ascending/descending letters or numbers. 

10 Most Vulnerable Password Categories of 2026 

1. Ascending/Descending
2. Patterned 
3. Alphanumeric combinations
4. Typing patterns 
5. Repeated digits
6. Capitalization
7. Common words 
8. “Password” variants 
9. Admin
10. Names

A spokesperson from Plasma told Security magazine, “Our research indicates that a significant number of users continue to believe that combining letters, symbols, and numbers is sufficient to secure their accounts in 2026. While a password may appear robust, attackers can rapidly exploit predictable patterns such as sequential numbers, repeated characters, or common keyboard layouts through brute force methods. A strong password should function as an access point, designed to resist systematic attack rather than prioritise memorability. Combined with multifactor authentication, this approach materially reduces the risk of unauthorised access.”