By: Bryan Tropeano
Most people have done it at least once. You sign up for a new account, the website demands a “strong password,” and after a few failed attempts, you settle on something easy to remember like “Football2020” or your kid’s name with a few numbers added at the end.
Then, months later, you forget all about it. If that sounds familiar, it may be time to change your password before hackers find it first.
That small shortcut is exactly what hackers count on.
New research from Email Audit Engine shows just how predictable many passwords still are, even after years of warnings about cybersecurity risks. The company analyzed more than 1.3 billion passwords exposed in data breaches through the Have I Been Pwned database and found that millions of people continue using passwords that can be cracked in seconds.
At the top of the list sits the internet’s most infamous password: “123456.”
It appeared nearly 210 million times in exposed password records. The next most common passwords were just as weak, including “123456789,” “12345678,” “password,” and “admin.”
Here are the 10 most commonly exposed passwords in the study:
- 123456 — 209.9 million uses
- 123456789 — 80.9 million
- 12345678 — 70.3 million
- password — 52.2 million
- admin — 42 million
- 12345 — 31 million
- qwerty — 30.7 million
- 1234 — 30.2 million
- 1234567 — 19.8 million
- 1234567890 — 19.7 million
The findings paint a clear picture of how people create passwords. Most choose something familiar, personal, or simple enough to remember without writing it down.
Names ranked high across the database. “Daniel” appeared more than 2.5 million times as an exact password, followed by “Michael,” “Jessica,” and “Thomas.”
Years were another major trend. “2020” topped the list with more than 1.4 million uses, while birth-year style passwords like “1990,” “1994,” and “1989” also appeared frequently.
Sports fans did not fare much better. “Football” showed up more than 2.6 million times, making it the most commonly used sport in passwords. “Baseball” and “soccer” followed closely behind.
The most common sports-related password terms included:
- Football — 2.6 million
- Baseball — 1.9 million
- Soccer — 1.7 million
- Basketball — 1.2 million
- Hockey — 889,000
Football clubs were also heavily represented. “Liverpool” appeared nearly 1.8 million times, followed by “Barcelona,” “Juventus,” “Chelsea,” and “Arsenal.” American teams including the Pittsburgh Steelers, Philadelphia Eagles, and Dallas Cowboys also made the top 10.
Pop culture references continue to dominate password habits too. The band Blink-182 led the celebrity-related rankings, appearing more than 1.6 million times. Metallica, Eminem, and Cristiano Ronaldo also appeared repeatedly.
Among fictional characters, Superman claimed the top spot with more than 2.1 million appearances, followed by Naruto Uzumaki and Batman.
The top fictional character passwords included:
- Superman — 2.1 million
- Naruto — 1.6 million
- Batman — 1.3 million
- Tigger — 1.3 million
- Snoopy — 1 million
Even animals, foods, and household objects became predictable password choices. “Dragon” appeared more than 4.4 million times. “Monkey,” “orange,” “banana,” “computer,” and “diamond” were also among the most commonly exposed passwords.
Richard Rubenstein, CEO of Email Audit Engine, said the problem is not just that these passwords are simple. Many already exist in breach databases that hackers actively use to test login credentials across multiple websites.
That means someone using the same password for email, streaming services, online shopping, or banking could unknowingly give attackers access to several accounts at once.
Email accounts are especially valuable targets because they often serve as the recovery hub for everything else. Once hackers gain access to an inbox, they can reset passwords tied to financial accounts, work systems, and social media platforms.
The report recommends using long, random, and unique passwords for every account instead of relying on personal details or familiar words. Password managers can help generate and store complex passwords that are far harder to crack.
The study also stresses the importance of multi-factor authentication, which adds a second layer of protection even if a password becomes compromised.
Another overlooked step comes after changing a password. Users should review recovery settings, backup emails, forwarding rules, connected devices, and phone numbers to make sure attackers have not already planted another way back into the account.
The research serves as another reminder that convenience remains one of the biggest weaknesses in online security. Hackers no longer need sophisticated tactics when millions of people still rely on passwords that can be guessed in seconds.






