Most Common Passwords in 2026 – Is Yours on the List?

18th May 2026 | Blog, Cyber Security | 5 min read

Most people know they should use strong passwords… but let’s be honest, weak and predictable passwords are still everywhere. Every year, the same familiar choices keep appearing on “most common password” lists – and unfortunately, attackers know it too.

The reality is simple: cyber criminals do not always need sophisticated hacking tools if people continue choosing passwords like:

  • 123456
  • password
  • qwerty
  • abc123
  • password1

These are still among the most commonly used passwords in 2026, according to NordPass, which recently compiled a list of the most commonly used passwords based on data exposed during cyberattacks from 44 different countries.

Rank  Password
1     123456
2     123456789
3     12345678
4     password
5     qwerty123
6     qwerty1
7     111111
8     12345
9     secret
10    123123
11    1234567890
12    1234567
13    000000
14    qwerty
15    abc123
16    password1
17    iloveyou
18    11111111
19    dragon
20    monkey

If your password appears on one of these lists – or follows a similar pattern – it could potentially be cracked in seconds using automated tools.

Why Weak Passwords Are Still So Common 🔑

The biggest reason is convenience.

People naturally choose passwords that are easy to remember:

  • Names
  • Birthdays
  • Keyboard patterns
  • Repeated numbers
  • Simple words

From a usability perspective, it makes sense. From a cybersecurity perspective… not so much.

Another major issue is password reuse. Many people still use the same password across multiple services. That means if one website suffers a breach, attackers can try the same credentials elsewhere – email accounts, Microsoft 365, banking, social media, cloud platforms, and business systems.

This is known as credential stuffing, and it remains one of the easiest ways for attackers to gain access to accounts.

The Problem With “Slightly Better” Passwords

A lot of users think they are being secure by adding:

  • A capital letter
  • A number
  • An exclamation mark

So instead of password, they use:

Password123!

Unfortunately, attackers expect this too.

Modern password cracking tools are built around common human behaviour and predictable patterns. So while Password123! might technically meet some password complexity requirements, it is still far weaker than most people realise.
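
A blocklist check that catches decorated variants such as Password123! at sign-up or password change, as an added example that is not from the original post. It lowercases the candidate, strips appended digits and symbols, undoes a few character substitutions (an assumed, deliberately small mapping) and compares the result with the top-20 list above; the function names are hypothetical.

```python
import re
from typing import Optional, Set

# Top-20 list copied from the table on this page.
COMMON_PASSWORDS = {
    "123456", "123456789", "12345678", "password", "qwerty123", "qwerty1",
    "111111", "12345", "secret", "123123", "1234567890", "1234567",
    "000000", "qwerty", "abc123", "password1", "iloveyou", "11111111",
    "dragon", "monkey",
}

# Assumed, deliberately small map of look-alike substitutions to undo.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def candidate_forms(password: str) -> Set[str]:
    """Simplified forms of a password to compare with the blocklist."""
    lowered = password.lower()
    no_symbols = re.sub(r"[\W_]+$", "", lowered)    # drop trailing "!", "?", ...
    no_suffix = re.sub(r"[\d\W_]+$", "", lowered)   # drop trailing "123!", "2026", ...
    forms = {lowered, no_symbols, no_suffix}
    # Undo substitutions after stripping, so an appended "1" or "!" is not
    # mistaken for a letter inside the word.
    forms |= {form.translate(LEET) for form in (no_symbols, no_suffix)}
    forms.discard("")
    return forms


def blocklist_match(password: str) -> Optional[str]:
    """Return the common password this candidate reduces to, or None."""
    hits = sorted(candidate_forms(password) & COMMON_PASSWORDS)
    return hits[0] if hits else None


if __name__ == "__main__":
    for pw in ["Password123!", "P@ssw0rd2026", "Dr4g0n!", "Qwerty1!",
               "correct horse battery staple"]:
        hit = blocklist_match(pw)
        print(f"{pw!r}: {'reject, variant of ' + repr(hit) if hit else 'not on the list'}")
```

A production blocklist would be far larger than twenty entries; the normalisation step is what stops a complexity rule from being satisfied by decoration alone.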

How Attackers Actually Exploit Weak Passwords ⚠️

In many cases, passwords are not “hacked” in the Hollywood sense.

Attackers often use:

  • Automated password spraying
  • Dictionary attacks
  • Credential stuffing
  • Brute force attempts against common password lists

They simply test millions of known weak passwords against login portals and wait for people to hand over access unintentionally.

And sadly… it works.

For businesses, a single compromised account can lead to:

  • Email compromise
  • Malware infections
  • Data theft
  • Financial fraud
  • Microsoft 365 compromise
  • Ransomware incidents

Sometimes all from one reused password.
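
From the defender's side, the spraying and brute-force attempts listed above leave different traces in failed-login logs. The sketch below is an added example, not part of the original post: the log format, field names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed login events from one 10-minute window.
# The line format and field names are hypothetical; adapt the parsing to your logs.
SAMPLE_LOG = """\
2026-05-18T09:00:01Z FAIL user=alice src=203.0.113.7
2026-05-18T09:00:03Z FAIL user=bob src=203.0.113.7
2026-05-18T09:00:05Z FAIL user=carol src=203.0.113.7
2026-05-18T09:00:07Z FAIL user=dave src=203.0.113.7
2026-05-18T09:00:09Z FAIL user=erin src=203.0.113.7
2026-05-18T09:01:10Z FAIL user=alice src=198.51.100.23
2026-05-18T09:01:11Z FAIL user=alice src=198.51.100.23
2026-05-18T09:01:12Z FAIL user=alice src=198.51.100.23
2026-05-18T09:01:13Z FAIL user=alice src=198.51.100.23
2026-05-18T09:01:14Z FAIL user=alice src=198.51.100.23
2026-05-18T09:01:15Z FAIL user=alice src=198.51.100.23
2026-05-18T09:02:00Z FAIL user=bob src=192.0.2.10
2026-05-18T09:02:20Z OK user=bob src=192.0.2.10
"""


def classify_sources(log, min_accounts=4, min_attempts=5):
    """Map each suspicious source address to the pattern its failures show."""
    accounts = defaultdict(set)   # source -> accounts it failed against
    attempts = defaultdict(int)   # (source, account) -> failed attempts
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "FAIL":
            continue              # skip blanks, successes and short lines
        fields = dict(p.split("=", 1) for p in parts[2:])
        src, user = fields["src"], fields["user"]
        accounts[src].add(user)
        attempts[(src, user)] += 1
    findings = {}
    for src, users in accounts.items():
        if len(users) >= min_accounts:
            # One source, many accounts, few tries each.
            findings[src] = "password spraying"
        elif max(attempts[(src, u)] for u in users) >= min_attempts:
            # One source hammering a single account.
            findings[src] = "brute force"
    return findings


if __name__ == "__main__":
    for source, pattern in classify_sources(SAMPLE_LOG).items():
        print(source, pattern)
```

Credential stuffing spread across many source addresses will not trip a per-source count; counting failures per account and across the whole login portal covers that case.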

What Businesses and Users Should Do Instead ✅

Good password security does not need to be complicated, but it does need to be consistent.

We generally recommend:

1. Use Unique Passwords Everywhere

Never reuse passwords across services or accounts.

2. Make Passwords Long

Length matters more than complexity alone. Random passphrases are often better than short “complex” passwords.

https://xkcd.com/936

3. Use a Password Manager

Password managers remove the temptation to reuse passwords and allow genuinely strong credentials to be generated automatically.

4. Enable Multi-Factor Authentication (MFA)

Even if a password is compromised, MFA adds another barrier that attackers must overcome.

5. Avoid Predictable Patterns

Names, dates, football teams, pets, keyboard sequences – attackers know all the classics.

Are Password Managers Safe?

This is a question we get asked a lot.

No solution is perfect, but a reputable business-grade password manager is significantly safer than:

  • Reusing passwords
  • Storing passwords in browsers
  • Keeping spreadsheets of credentials
  • Writing passwords on sticky notes (yes… we still see this!)

Password managers also help businesses:

  • Share credentials securely
  • Control access
  • Audit password usage
  • Reduce risky habits across teams

The Bigger Lesson

The most common password lists are not really about people being careless.

They highlight something more important:

Convenience nearly always wins unless security is made easy.

That is why modern cybersecurity is less about blaming users and more about building systems and processes that support safer behaviour by default.

Because realistically, if a password is easy to remember… there is a decent chance it is also easy to guess.

The Holistic IT Approach

At Holistic IT, we believe cybersecurity should be practical, realistic, and built around how people actually work – not just technical theory.

That means helping businesses:

  • Deploy secure password management properly
  • Roll out MFA across Microsoft 365 and business systems
  • Reduce password reuse risks
  • Improve staff awareness without fearmongering
  • Build layered security that supports real-world business operations

Strong passwords alone are not enough anymore, but they are still one of the most important first lines of defence.

And if your current password could appear on a “Top 20 Passwords” list… it might be time for a rethink.

Want to Improve Your Password Security?

If you are unsure whether your business is relying on weak passwords, reused credentials, or risky login practices, we can help review your current setup and recommend practical improvements without the jargon.

📞 Speak to the team at Holistic IT to start building a smarter, safer approach to cybersecurity.