The Worst Passwords of All Time (and What They Teach Us)
By Leo Martin · 7 min read
Every year, researchers comb through passwords exposed in data breaches and publish a "most common" ranking. And every year it's the same suspects: simple number runs, the word "password" itself, keyboard patterns and a few favourite names. It would be funny if it weren't so risky. The good news is that these hall-of-fame howlers double as a perfect checklist of what to avoid — and the fixes are easy.
The usual offenders
You already know them, because they never change. The classics include simple ascending number sequences, the literal word password (sometimes dressed up with a capital or a number), repeated single characters, and keyboard walks like qwerty or asdfgh. Sports teams, first names, the word admin and the ever-popular letmein round out the list. People also love putting a year on the end of a common word and calling it strong.
What's striking isn't that bad passwords exist — it's how concentrated they are. A surprising share of accounts lean on the same tiny set of choices. For an attacker, that's a gift. They don't need to be clever; they just need to try the obvious favourites first.
Why these specific passwords are so dangerous
The danger isn't only that they're short or simple. It's that they're famous. Because these exact strings appear in breach after breach, they sit at the very top of the lists that cracking tools work through. As I describe in how hackers actually guess your passwords, attackers start with the most common choices and the most predictable tweaks. A password that's on a "worst of" list isn't just weak — it's the first thing anyone tries.
This is the heart of the lesson: predictability is the real enemy, not length alone. A choice can feel personal and clever to you while being utterly obvious to a tool that has seen millions of similar attempts.
Lesson 1: Avoid anything common or obvious
If a password is a real word, a name, a date, a sports team, or a pattern your fingers can walk across the keyboard, assume an attacker's software already has it. The same goes for "smart" tweaks — capitalising the first letter, swapping letters for look-alike numbers, or adding the current year. Those moves are so common that the tools expect them. The way out is genuine randomness, not a dressed-up common word. You can sanity-check any candidate in our password analyser; predictable choices score poorly even when they look busy.
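Why dressed-up common words still count as predictable can be shown from the defender's side. This is an added example, not the analyser's own code: `screenPassword`, the word list and the look-alike table are hypothetical. It undoes the usual tweaks and then checks what is left.

```javascript
// Tiny constructed sample; a real check would load a full breach-derived blocklist.
const COMMON = new Set(["password", "admin", "letmein", "qwerty", "asdfgh"]);
const KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"];
const LOOKALIKES = { "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i" };

// Undo the usual tweaks: capitals, look-alike swaps, a year or "123" on the end.
function baseForms(pw) {
  const lower = pw.toLowerCase();
  const stripped = lower.replace(/[\d\W_]+$/, "");
  const unleet = (s) => s.replace(/[013457@$!]/g, (c) => LOOKALIKES[c]);
  return [...new Set([lower, stripped, unleet(lower), unleet(stripped)])].filter(Boolean);
}

// True when s is a run along one keyboard row, in either direction.
function isKeyboardWalk(s) {
  if (s.length < 4) return false;
  return KEYBOARD_ROWS.some((row) =>
    row.includes(s) || [...row].reverse().join("").includes(s));
}

// Returns the reasons a candidate is predictable; an empty array means none found.
function screenPassword(pw) {
  const reasons = new Set();
  for (const form of baseForms(pw)) {
    if (COMMON.has(form)) reasons.add(`common word "${form}"`);
    if (isKeyboardWalk(form)) reasons.add(`keyboard or number run "${form}"`);
    if (/^(.)\1+$/.test(form)) reasons.add("one repeated character");
  }
  return [...reasons];
}

// Constructed sample inputs.
for (const pw of ["Password2024", "P@ssw0rd!", "qwerty123", "aaaaaaaa", "vT9#kQ2r&LxZ7p"]) {
  console.log(pw.padEnd(16), screenPassword(pw).join("; ") || "no predictable pattern found");
}
```

An empty result only means none of these few patterns matched; it is not a strength score.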
Lesson 2: Never reuse, even a good password
Here's a subtler trap. Even if you craft one excellent password, using it across several sites turns a single breach into a master key. The worst-passwords lists exist because breaches happen constantly — and when they do, every account sharing that password is exposed at once. Uniqueness per account is what contains the damage. One leaked site stays one leaked site.
Lesson 3: Make the computer do the choosing
The cleanest way to escape every entry on the worst-passwords list is to stop choosing passwords yourself. Humans gravitate toward the familiar; that's literally why the lists stay the same year after year. A generator picks characters at random with no human bias, so the output never resembles a common word or pattern. Spin one up with our free password generator — it runs in your browser and produces strings no dictionary would ever guess.
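What "picking characters at random with no human bias" involves, as an added example that is not the site's generator: the function names and the alphabet are assumptions. It draws from the platform's cryptographic random source and rejects values that would make some characters slightly more likely than others.

```javascript
// Browsers and current Node expose Web Crypto globally; the fallback covers older Node.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : null);

// Assumed alphabet: letters, digits and a few symbols most sites accept.
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_";

// Uniform integer in [0, n). A plain "value % n" favours low results whenever
// 2^32 is not a multiple of n, so values at or above the last full multiple are redrawn.
function randomIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length = 20, alphabet = ALPHABET) {
  if (!Number.isInteger(length) || length < 1 || alphabet.length < 2) {
    throw new RangeError("need a positive length and at least two characters to choose from");
  }
  let out = "";
  for (let i = 0; i < length; i++) out += alphabet[randomIndex(alphabet.length)];
  return out;
}

// Guessing difficulty in bits when every character is chosen uniformly at random.
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

console.log(generatePassword(), entropyBits(20, ALPHABET.length).toFixed(1) + " bits");
```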
From worst to best: a quick upgrade path
If you suspect one of your accounts is sitting on a hall-of-fame password, here's the fast fix:
- Start with your most important accounts — email first, since it can reset everything else.
- Generate a long, random replacement rather than tweaking the old one.
- Store it in a password manager so you never have to memorise or reuse it.
- Turn on two-factor authentication for an extra layer in case a password ever leaks.
The worst passwords endure because convenience is tempting and good habits feel like effort. But with a generator and a manager, the strong choice becomes the easy one — and you'll never end up on next year's list.
Frequently asked questions
Why do the same bad passwords appear every year?
Because they're effortless to type and easy to remember, and many people prioritise convenience over security. Simple sequences and common words keep topping the lists year after year for that reason.
Is my password bad if it isn't on the worst list?
Not automatically, but the lists are only the tip of the iceberg. Any common word, name, date or keyboard pattern is risky even if it never appears on a published ranking. Aim for length and randomness instead.
What makes a password genuinely strong?
Length, randomness and uniqueness. A long password that isn't a word, pattern or personal fact, and that you use on only one account, is the goal. Generating it rather than inventing it helps a lot.
Should I just add numbers to a common password?
No. Tacking a year or a 123 onto a common word is one of the first things cracking tools try. The base word stays predictable. Start from randomness rather than dressing up a weak choice.
This article is general security education, not professional advice.