
The Most Common Passwords of 2026: Did Yours Make the List?

This article highlights the severe security risks associated with using common, easily guessable passwords. It details how threat actors leverage weak credentials through brute force, password spraying, and credential stuffing attacks to gain unauthorized access to systems, emphasizing the need for robust identity protection and password management.

Confidence: high · Analyzed: 2026-05-18 · Google

Authors: Brenda Buckman

Source: Huntress

Detection / Hunter · Google

What Happened

Many people still use weak, easily guessable passwords like '123456' or reuse the same password across multiple accounts. This puts everyone at risk because hackers use automated tools to quickly guess these passwords and break into accounts. If a hacker gets into one account, they might be able to access others, including sensitive work or financial systems. To protect yourself, use a password manager to create and store long, unique passwords for every account, and turn on multi-factor authentication (MFA) wherever possible.

Key Takeaways

  • Approximately 23% of users reuse the same password across multiple accounts, and 46% prioritize easy-to-remember passwords over secure ones.
  • The most common passwords, such as '123456' and 'password', can be cracked by threat actors in less than a second.
  • Weak passwords directly enable automated cyberattacks, including brute force, password spraying, credential stuffing, and dictionary attacks.
  • Strong password policies should mandate unique, complex passphrases or 16-character random strings, supported by enterprise password managers and MFA.

Affected Systems

  • User Accounts
  • Authentication Systems
  • Identity Providers

Attack Chain

Threat actors acquire or guess weak credentials using automated tools or lists from previous data breaches. They employ techniques such as brute force, password spraying, credential stuffing, or dictionary attacks to authenticate against target systems. Once successful, the attackers gain unauthorized access to user accounts, networks, or sensitive data, often using this initial access to facilitate further compromise.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules or queries.

Detection Engineering Assessment

  • EDR Visibility: Low — EDR solutions primarily focus on endpoint process execution and file modifications, and may not natively capture centralized authentication events unless integrated with identity providers.
  • Network Visibility: Medium — Network sensors can detect high volumes of authentication traffic indicative of brute force attacks, but encrypted payloads often obscure the specific credentials being tested.
  • Detection Difficulty: Moderate — While high-volume brute force attacks are relatively easy to detect via failed login thresholds, low-and-slow password spraying or credential stuffing can blend in with normal user behavior.

Required Log Sources

  • Active Directory Security Logs (Event IDs 4625 and 4624)
  • Identity Provider (IdP) Logs
  • Application Authentication Logs

Hunting Hypotheses

Hypothesis 1: Look for a high volume of failed login attempts originating from a single IP address across multiple distinct user accounts, which may indicate password spraying.
  • Telemetry: Authentication logs, IdP logs
  • ATT&CK Stage: Credential Access
  • FP Risk: Medium

Hypothesis 2: Identify successful logins immediately following a series of rapid failed login attempts for the same user account, suggesting a potentially successful brute force or dictionary attack.
  • Telemetry: Active Directory Security Logs
  • ATT&CK Stage: Credential Access
  • FP Risk: Low
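Both hypotheses above can be expressed as simple windowed aggregations over authentication events. The following is an added example (not from the Huntress article or from the Huntress product): it runs the two hunts over a constructed set of simplified Windows 4625/4624 records; the field layout, the 5-minute/5-account and 2-minute/3-failure thresholds, and the sample IPs are assumptions chosen for illustration and should be tuned to the environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, target_user, source_ip).
# 4625 = failed logon, 4624 = successful logon (Windows Security log).
SAMPLE_EVENTS = [
    ("2026-05-18T09:00:01", 4625, "alice", "203.0.113.7"),
    ("2026-05-18T09:00:03", 4625, "bob", "203.0.113.7"),
    ("2026-05-18T09:00:05", 4625, "carol", "203.0.113.7"),
    ("2026-05-18T09:00:07", 4625, "dave", "203.0.113.7"),
    ("2026-05-18T09:00:09", 4625, "erin", "203.0.113.7"),     # spray pattern
    ("2026-05-18T09:10:00", 4625, "frank", "198.51.100.20"),
    ("2026-05-18T09:10:02", 4625, "frank", "198.51.100.20"),
    ("2026-05-18T09:10:04", 4625, "frank", "198.51.100.20"),
    ("2026-05-18T09:10:06", 4624, "frank", "198.51.100.20"),  # success after burst
    ("2026-05-18T09:30:00", 4625, "grace", "192.0.2.44"),     # one typo, benign
    ("2026-05-18T09:30:30", 4624, "grace", "192.0.2.44"),
]

def parse(events):
    """Parse ISO timestamps and return events in chronological order."""
    return sorted((datetime.fromisoformat(ts), eid, user, ip) for ts, eid, user, ip in events)

def detect_spraying(events, window=timedelta(minutes=5), min_accounts=5):
    """Hypothesis 1: one source IP failing against many distinct accounts within a window."""
    failures = defaultdict(list)  # ip -> [(timestamp, user)]
    for ts, eid, user, ip in parse(events):
        if eid == 4625:
            failures[ip].append((ts, user))
    hits = set()
    for ip, attempts in failures.items():
        for i, (start, _) in enumerate(attempts):  # slide the window over each failure
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits.add(ip)
                break
    return sorted(hits)

def detect_success_after_burst(events, window=timedelta(minutes=2), min_failures=3):
    """Hypothesis 2: a 4624 for an account right after a burst of 4625s for that account."""
    recent = defaultdict(list)  # user -> timestamps of recent failures
    hits = []
    for ts, eid, user, ip in parse(events):
        if eid == 4625:
            recent[user].append(ts)
        elif eid == 4624:
            burst = [t for t in recent[user] if ts - t <= window]
            if len(burst) >= min_failures:
                hits.append((user, ip, len(burst)))
            recent[user].clear()  # a success resets the failure history
    return hits
```

A single failed attempt followed by success (the "grace" records) stays below the threshold, which is why the second hypothesis carries a low false-positive risk; lowering `min_accounts` or widening `window` catches slower sprays at the cost of more noise.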

Control Gaps

  • Lack of Multi-Factor Authentication (MFA)
  • Permissive password complexity policies
  • Absence of Identity Threat Detection and Response (ITDR) monitoring

Key Behavioral Indicators

  • Multiple failed login attempts (e.g., Windows Event ID 4625)
  • Logins originating from unusual geographic locations or unknown ASNs
  • Rapid successive logins across different accounts from the same source IP

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Audit Active Directory or identity provider configurations to ensure account lockout policies are enabled to thwart brute force attacks.

Infrastructure Hardening

  • Evaluate enforcing strong password policies requiring a minimum of 16 characters or the use of passphrases.
  • Consider implementing Multi-Factor Authentication (MFA) across all external-facing and critical internal systems.
  • If supported by your security stack, consider deploying an Identity Threat Detection and Response (ITDR) solution to monitor for credential abuse.

User Protection

  • Consider deploying a reputable enterprise password manager (e.g., Bitwarden, 1Password, Dashlane) to prevent password reuse and encourage complex credentials.
  • Evaluate checking user credentials against known breached password databases and forcing resets for compromised accounts.

Security Awareness

  • Consider educating employees on the dangers of password reuse and the benefits of using passphrases.
  • Train staff to recognize phishing attempts designed to steal credentials, emphasizing that legitimate services will not request passwords via email.

MITRE ATT&CK Mapping

  • T1110 - Brute Force
  • T1110.001 - Password Guessing
  • T1110.003 - Password Spraying
  • T1110.004 - Credential Stuffing