Welcome to the Hall of Shame
Throughout the history of the internet, humans have consistently proven one thing: we are terrible at creating passwords.
This museum documents the most common, most obvious, and most hilariously insecure passwords ever used.
You've probably used at least three of these.
Breach data provided by haveibeenpwned. Special thanks to @troyhunt for maintaining this invaluable security resource.
#1 WORST
password
"The Classic"
The most infamous password in history. When websites started requiring passwords, humanity collectively decided to use... the word "password." Billions of people thought this was clever. It was not.
Still used by approximately 2.5 million people as of 2024. These people walk among us. They could be your coworkers. They could be your friends. They could be you.
#2 WORST
123456
"The Lazy One"
When "password" got banned, humanity pivoted to literally the first six numbers. The thought process: "What if I just... count?"
Used by over 23 million accounts. It's the password equivalent of not trying. At all. Ever. In any capacity.
#3 WORST
qwerty
"The Keyboard Walk"
"I'll just type the first row of letters on my keyboard. That's random, right?"
Wrong. So, so wrong. Used by millions who thought they were being clever by using a "pattern." Hackers check this one first. It's literally in every password dictionary. Congratulations, you played yourself.
#4 WORST
letmein
"The Desperate Plea"
The password of someone who's already forgotten their password multiple times. This is what you use when you've given up on security entirely and just want to access your damn email.
A cry for help disguised as authentication. Hackers appreciate the honesty.
#5 WORST
admin
"The IT Guy Special"
Default passwords are supposed to be changed immediately. The keyword here is "supposed to."
Used on countless routers, databases, and admin panels worldwide. IT professionals everywhere are weeping. This is why we can't have nice things.
#6 WORST
12345678
"The Overachiever"
"Website requires 8 characters? I'll count to 8. Problem solved."
This is what happens when someone follows the rules technically but not spiritually. You met the requirement. You did not meet the intention. Security experts are facepalming.
#7 WORST
password123
"The False Innovation"
"They said 'password' was too weak. So I added numbers. I'm basically a security expert now."
The password equivalent of adding "new and improved" to the label while changing nothing. This is the second thing hackers try after "password."
#8 WORST
iloveyou
"The Romantic Disaster"
Used by people who want their password to be meaningful and memorable. Mission accomplished. It's memorable to everyone, including hackers.
Also the name of a devastating computer worm from 2000 that infected millions of computers. This password has caused both heartbreak and actual financial damage.
#9 WORST
welcome
"The Polite Hacker's Choice"
"Welcome! Come right in! No need to authenticate properly!"
This password is basically holding the door open for attackers while offering them refreshments. It's not security. It's hospitality. And it's terrible.
#10 WORST
1q2w3e4r
"The Keyboard Shuffle"
"I'll alternate between numbers and letters down the keyboard. That's random!"
No. That's a pattern. A very obvious pattern that's been in password dictionaries since 2005. You're not clever. You're predictable. We're all predictable.
⚠️ IMPORTANT DISCLAIMER
Do not use any of these passwords. Ever. Under any circumstances.
If you are currently using one of these passwords, change it immediately.
If you're thinking "but I added a ! at the end" — that doesn't count. Change it.
If you're thinking "but mine is password124, not password123" — still doesn't count. Change it.
This museum exists to educate and entertain. Not to provide password suggestions.
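The rule in the disclaimer above (a trailing "!" or a changed final digit does not rescue a listed password), written as a signup-time check. This is an added example, not code from this site: the function name `shame_match` and the substitution table are assumptions, and the look-alike character handling goes beyond the two variants the disclaimer names.

```python
import re

# The ten passwords listed on this page.
HALL_OF_SHAME = {
    "password", "123456", "qwerty", "letmein", "admin",
    "12345678", "password123", "iloveyou", "welcome", "1q2w3e4r",
}

# Look-alike substitutions undone before comparison.
# Assumed table for this example, not exhaustive.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                      "1": "i", "$": "s", "5": "s"})


def shame_match(candidate):
    """Return the listed password that `candidate` trivially varies, or None."""
    lowered = candidate.lower()
    # "password!" -> "password": drop symbols appended at the end.
    no_symbols = re.sub(r"[^a-z0-9]+$", "", lowered)
    # "password124" -> "password": then drop digits appended at the end.
    no_digits = re.sub(r"[0-9]+$", "", no_symbols)
    for form in (lowered, no_symbols, no_digits):
        # Try each form as typed and with look-alike characters undone.
        for variant in (form, form.translate(LEET)):
            if variant in HALL_OF_SHAME:
                return variant
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any breach data.
    samples = ["Password!", "password124", "123456!", "P@ssw0rd!",
               "l3tm31n", "Admin2024!", "correct horse battery staple"]
    for pw in samples:
        hit = shame_match(pw)
        verdict = f"rejected (variant of {hit!r})" if hit else "not on this list"
        print(f"{pw!r}: {verdict}")
```

A `None` result only means the candidate is not a trivial variant of these ten entries; it says nothing about whether the password appears in breach data.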
Brought to you by $PWD123 - For people who forget good passwords anyway.