The Most Hacked Passwords by Country (2026 Data)
A data-driven look at the most common passwords globally. From sports teams to local names, discover what people in different countries are using to (fail to) protect themselves.
The Global State of Insecurity
Every year, security researchers analyze billions of leaked credentials from the dark web to identify the most common passwords. Despite decades of warnings from governments and cybersecurity firms, the data for 2026 confirms a frustrating truth: humans are creatures of extreme habit. While 123456 remains the undisputed "queen" of bad passwords globally, local culture, language, and national pride heavily influence our poor security choices.
The Global Top 5: A Race to the Bottom
| Rank | Password | Time to Crack | Popularity |
|---|---|---|---|
| 1 | 123456 |
< 1 second | Millions |
| 2 | password |
< 1 second | High |
| 3 | 123456789 |
< 1 second | Very High |
| 4 | guest |
< 1 second | Enterprise-focused |
| 5 | qwerty |
< 1 second | Keyboard-focused |
Cultural Fingerprints in Security
When we look deeper than the global averages, regional patterns emerge that reflect the specific zeitgeist of each nation. Attacker's don't just use one global dictionary; they use localized ones designed for specific regions.
- Germany: The German sense of order is reflected in their bad passwords.
passwort,hallo, andschatz(treasure/darling) are top contenders. Interestingly, "123456" is still #1, but German-language variants are significantly more common than English ones in local breaches. - France: Romance and patriotism lead the way.
azerty(their keyboard layout) is #1, followed bydoudou(a term of endearment),soleil(sun), andmarseille(a major football hub). - Japan: Patterns here often revolve around Romanized Japanese (Romaji).
passwordis #1, butsakura,suzuki(common surname), andarigatoappear frequently in domestic leaks. - United Kingdom: Football is the primary driver.
liverpool,arsenal, andchelseaare consistently in the top 50, showing that fans value their team loyalty more than their account security.
.es email or a Spanish IP address, they will run a dictionary of the top 10,000 Spanish words and football teams before they ever try a random brute-force attack. Using a "local" reference doesn't make your password harder; it makes it more predictable for a regional attacker.
Why Do We Keep Doing This?
The answer lies in **The Path of Least Resistance**. We choose passwords that are easy to type on a tiny mobile screen or easy to remember when we are tired or stressed. The human brain is not built to remember a 20-character random string like xK9#mP2$qL7!nR4, so we fall back on what is familiar. Unfortunately, what is familiar to you is also familiar to a database of common words used by hackers.
How to Beat the Statistics
The only way to win this game is to **stop being human.** Or at least, stop letting your human brain make the decisions.
- Avoid Personal/Cultural Anchors: Never use a pet's name, a city, a sports team, or a common word in your native language.
- Use Passphrases, Not Passwords: If you must remember a password, use four or five completely unrelated, random words.
CorrectHorseBatteryStapleis much harder to crack thanSp41n2024!. - Let a Manager Handle It: The ultimate defense is a password manager. It generates a wall of digital noise that no human brain could ever produce and no cultural dictionary could ever predict.