2026's worst passwords still expose millions to AI-powered hacking

One weak password becomes a total collapse of your digital security.
When a single account is breached, attackers gain access to all accounts that share the same credentials.

Each year, the publication of the world's most common passwords functions less as a warning than as a mirror—reflecting, with uncomfortable clarity, how stubbornly human habits resist the pace of technological threat. In 2026, Chile is no exception: millions of accounts remain protected by sequences a child could guess, while artificial intelligence has reduced the art of password cracking to a matter of seconds. The gap between the tools of attackers and the habits of ordinary people has never been wider, and the consequences of that gap—stolen identities, drained accounts, collapsed digital lives—have never been more immediate.

  • AI-powered brute force attacks now crack an eight-character lowercase password in seconds, rendering the most common Chilean passwords—'123456,' 'qwerty,' 'contraseña'—effectively no protection at all.
  • The real danger is not a single breach but a cascade: one cracked password unlocks email, which unlocks banking, which unlocks identity—a single weak link collapses an entire digital life.
  • Millions of users continue building passwords from personal data like RUTs and birthdates, not realizing these are precisely the first combinations automated attackers will try.
  • Security experts are urging an immediate shift to passphrases—long, memorable combinations of words, numbers, and symbols—because length exponentially multiplies the combinations a machine must test.
  • The window for complacency has closed: anyone whose password appears on this year's list is advised to change it immediately, across every account where it has been reused.

Every May, cybersecurity researchers publish their annual list of the world's most common passwords, and every year the results confirm the same uncomfortable truth: human beings are stubbornly predictable. The 2026 ranking, released on May 6th, is no different. "123456" remains the most popular password globally and in Chile. "Qwerty," "admin," "bienvenido," and "contraseña" fill out the list alongside passwords built from personal data—a Chilean RUT without punctuation, a birthday, a pet's name. Each one is a door left unlocked.

What makes this year's ranking genuinely alarming is not the passwords themselves, but the technology now used to crack them. Artificial intelligence has transformed brute force attacks—the method of testing every possible combination—into something approaching instantaneous. An eight-character password composed of lowercase letters can now be broken in seconds. The machine does not tire and does not need to guess intelligently; it simply tries everything, faster than any human could conceive.

The risk compounds when you consider how most people actually behave online. The same password protects a bank account, an email inbox, and social media. When one falls, they all fall. A hacker who cracks your email doesn't just read your messages—they access password recovery links for every account you own, reset your banking credentials, and can drain or impersonate you entirely.

Security experts have long recommended passphrases as the antidote. "Santiago2026" looks secure but is immediately predictable—attackers try city names and years first. "MeGustaElPanConPalta22#" is long, combines words unusually, includes numbers and a symbol, and is something a person can actually remember because it carries personal meaning. A machine attempting to crack it through brute force would require years. Length is the primary defense: each additional character exponentially multiplies possible combinations, and the human brain—which forgets random strings but remembers sentences—is naturally suited to this approach.

The recommendation for anyone reading this is clear: if your password appears on this year's list, change it today. If you reuse passwords across accounts, change all of them. The tools available to attackers have evolved. The window for complacency has closed.

Every May, the same ritual repeats: security researchers publish their annual list of the world's most commonly used passwords, and every year, the results read like a greatest hits of human predictability. This year is no different. On May 6th, 2026, the latest ranking arrived, and it confirmed what cybersecurity experts have been saying for a decade: we are still, stubbornly, using passwords that might as well be written on a Post-it note stuck to our monitors.

The usual suspects dominate the list. "123456" remains the most popular password globally and in Chile. "Password" itself—the word, unadorned—still secures countless accounts. "Qwerty," the lazy diagonal across a keyboard's top row, continues to rank among the worst offenders. Alongside these are the variations that feel clever to their creators but are the first combinations any attacker will try: sequences like "123456789," strings of zeros, the Spanish word "contraseña," the word "admin," even "bienvenido." Then there are the passwords built from personal data—a Chilean RUT without punctuation, a birthday, a pet's name. Each one is a door left unlocked.

What makes this year's ranking genuinely dangerous is not the passwords themselves, but the tools now available to crack them. In 2026, brute force attacks—the method of trying every possible combination until one works—are no longer the slow, methodical process they once were. Artificial intelligence has transformed password cracking into something approaching instantaneous. An eight-character password composed entirely of lowercase letters can now be broken in seconds. The machine doesn't get tired. It doesn't give up. It doesn't need to guess intelligently; it simply tries everything, faster than any human could conceive.

The risk multiplies when you consider how most people actually behave online. A person uses the same password for their bank account, their email, their social media. When one account falls, they all fall. A hacker who cracks your email password doesn't just gain access to your messages—they gain access to password recovery links for every other account you own. They can reset your banking credentials. They can impersonate you. They can drain your accounts or steal your identity. The breach of a single weak password becomes a total compromise of your digital life.

Security experts have spent years recommending a different approach: passphrases instead of passwords. The idea is simple but effective. Instead of trying to remember a random string of characters, you create a sentence or phrase that is meaningful to you but meaningless to anyone else. The example given is instructive: "Santiago2026" looks secure at first glance—it has a place name, a number, capital letters. But it is predictable. Someone attacking your account will try city names and years immediately. By contrast, "MeGustaElPanConPalta22#" is long, it combines words in an unusual way, it includes numbers and a symbol, and it is something you can actually remember because it means something to you. A machine trying to crack it through brute force would need to test billions of combinations. The time required would stretch into years.

The mechanics of this approach are what make it work. Length is the primary defense against machine attacks. Each additional character exponentially increases the number of possible combinations. A phrase of twenty characters, even if it uses only common words, becomes vastly harder to crack than an eight-character string of random symbols. The human brain, meanwhile, is excellent at remembering phrases and stories. We forget random strings. We remember sentences. This is why the passphrase method works: it aligns security with human psychology rather than fighting against it.
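An added example, not part of the original article: a defender-side password screen that applies the points above by rejecting list entries, unpunctuated RUTs, dates, city-plus-year patterns, and anything whose brute-force keyspace can be exhausted within a year. The guess rate, the city list, and all function names are assumptions made for this sketch.

```python
import math
import re

# Values the article names as attackers' first guesses. CITIES and the guess
# rate are assumptions for this example, not figures from the article.
COMMON = {"123456", "123456789", "password", "qwerty", "admin",
          "bienvenido", "contraseña"}
CITIES = ("santiago", "valparaiso", "concepcion")
GUESSES_PER_SECOND = 1e10  # assumed offline rate against a fast hash
YEAR_SECONDS = 365 * 86400
DATE = re.compile(r"(0[1-9]|[12]\d|3[01])(0[1-9]|1[0-2])((19|20)?\d{2})")
CITY_YEAR = re.compile(rf"({'|'.join(CITIES)})(19|20)\d{{2}}")


def is_rut(candidate: str) -> bool:
    """True for a Chilean RUT written without punctuation (mod-11 check digit)."""
    m = re.fullmatch(r"(\d{7,8})([\dkK])", candidate)
    if not m:
        return False
    total = sum(int(d) * (2 + i % 6) for i, d in enumerate(reversed(m.group(1))))
    check = 11 - total % 11
    return m.group(2).upper() == {11: "0", 10: "K"}.get(check, str(check))


def brute_force_seconds(password: str) -> float:
    """Worst-case time to exhaust the keyspace of the character classes used."""
    if not password:
        return 0.0
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^a-zA-Z\d]", 33))
    alphabet = sum(n for pattern, n in classes if re.search(pattern, password))
    log10_s = len(password) * math.log10(alphabet) - math.log10(GUESSES_PER_SECOND)
    return 10.0 ** min(log10_s, 300.0)  # capped to stay within float range


def screen(password: str) -> list[str]:
    """Return reasons to reject a password; an empty list means it passed."""
    lowered = password.lower()
    checks = (
        (lowered in COMMON, "on the common-password list"),
        (is_rut(password), "is a valid RUT"),
        (DATE.fullmatch(password) is not None, "looks like a date"),
        (CITY_YEAR.fullmatch(lowered) is not None, "city name plus year"),
        (brute_force_seconds(password) < YEAR_SECONDS, "exhaustible in under a year"),
    )
    return [reason for failed, reason in checks if failed]
```

The keyspace estimate covers exhaustive search only; the pattern checks exist because a long password built from a predictable template fails well before the keyspace is exhausted.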

For anyone reading this on a Thursday morning, the recommendation is clear and urgent: if your password appears on this year's list, change it today. If you use the same password across multiple accounts, change all of them. If you are still using passwords built from personal information or simple sequences, stop. The tools available to attackers have evolved. Your defenses need to evolve with them. The window for complacency has closed.

A machine trying to crack a strong passphrase through brute force would need to test billions of combinations, with the time required stretching into years.
— Cybersecurity experts cited in the report
The Hearth Conversation: Another perspective on the story
Inventor

Why does it matter that these same passwords keep appearing year after year? Isn't the list just a reflection of what people choose?

Model

It matters because the list is a map of vulnerability. When millions of people use "123456," attackers don't have to guess—they know exactly where to start. They test that password first across thousands of accounts. It's not random failure; it's systematic exploitation.

Inventor

But surely people know these passwords are weak. Why do they keep using them?

Model

Because weak passwords are easy to remember, and most people don't feel the immediate consequence of being hacked until it happens. The risk feels abstract. A strong passphrase feels like work. Until your bank account is emptied, the old password feels fine.

Inventor

You mentioned AI makes this worse now. How much worse are we talking?

Model

The difference is the speed. Five years ago, cracking an eight-character password took hours or days. Now it takes seconds. The machine doesn't get tired or bored. It just runs through every combination. That changes the entire calculus of what's safe.

Inventor

So the passphrase method—is that actually uncrackable, or just slower?

Model

It's not uncrackable. Nothing is. But a twenty-character passphrase would take a machine years to crack through brute force alone. By then, you've changed it, or the attacker has moved on to easier targets. Security isn't about being impossible to break. It's about being harder to break than the next person's account.

Inventor

What happens to someone whose password gets cracked?

Model

If they've reused it across accounts—which most people do—the attacker gets everything. Email, banking, social media. They can reset other passwords using the email account. They can impersonate you. One weak password becomes a total collapse of your digital security.

Want the full story? Read the original at El Mostrador.