The 25 Most Vulnerable Passwords of 2026

Recent research reveals the most vulnerable passwords of 2026 — additionally, the research determined the most commonly hacked categories of passwords.
This research was conducted by Plasma. The methodology involved assessing Comparitech’s Most Common Password report and NordPass’s Top 200 Most Common Passwords list, then leveraging KeywordTool to determine search volumes to find the 25 most common passwords based on global popularity. According to the research, higher search volumes could suggest higher public interest, which could lead to higher password usage. Therefore, this places those passwords at a greater risk of being hacked.
The Most Vulnerable Password of 2026: “password”
With a search volume of 10,304,600 in the past year, “password” is the most insecure password of 2026. This finding corroborates recent reports that password convenience is favored over password security in many instances.
Top 25 Most Vulnerable Passwords of 2026
- password
- admin
- qwerty
- 111111
- 12345678910
- minecraft
- 1111
- 654321
- 12345
- 123456
- admin123
- 123
- Pass@123
- 1234567
- 1234567890
- Aa123456
- 123456789
- 112233
- 12345678
- qwerty123
- admintelecom
- 123123
- P@ssw0rd
- abcd1234
- 102030
The research additionally assessed the most insecure password categories, finding the most vulnerable to be ascending/descending letters or numbers.
10 Most Vulnerable Password Categories of 2026
- Ascending/Descending
- Patterned
- Alphanumeric combinations
- Typing patterns
- Repeated digits
- Capitalization
- Common words
- “Password” variants
- Admin
- Names
A spokesperson from Plasma told Security magazine, “Our research indicates that a significant number of users continue to believe that combining letters, symbols, and numbers is sufficient to secure their accounts in 2026. While a password may appear robust, attackers can rapidly exploit predictable patterns such as sequential numbers, repeated characters, or common keyboard layouts through brute force methods. A strong password should function as an access point, designed to resist systematic attack rather than prioritise memorability. Combined with multifactor authentication, this approach materially reduces the risk of unauthorised access.”
Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!





