Geslar
50 most common Croatian passwords
Passwords from publicly available breach databases. If yours is on the list — change it immediately.
Where does this data come from?
Every year, security researchers analyze billions of compromised passwords from publicly available breach databases. This list is based on an analysis of passwords from Croatian domains (.hr) and services popular in Croatia, published in databases such as HaveIBeenPwned.
These aren't fictional passwords — these are real passwords from real Croatian users that leaked in hacking attacks. Each of them is in the dictionaries that attackers use for credential stuffing attacks.
These aren't fictional passwords — these are real passwords from real Croatian users that leaked in hacking attacks. Each of them is in the dictionaries that attackers use for credential stuffing attacks.
Important: If you recognize your password on this list, change it IMMEDIATELY on all services where you use it. Use a password manager to generate unique, strong passwords.
Top 25 — the worst of the worst
| # | Password | Time to crack |
|---|---|---|
| 1 | 123456 | < 1 second |
| 2 | lozinka | < 1 second |
| 3 | 123456789 | < 1 second |
| 4 | croatia | < 1 second |
| 5 | dinamo | < 1 second |
| 6 | hajduk | < 1 second |
| 7 | password | < 1 second |
| 8 | hrvatska | < 1 second |
| 9 | qwerty | < 1 second |
| 10 | 12345678 | < 1 second |
| 11 | zagreb | < 1 second |
| 12 | iloveyou | < 1 second |
| 13 | marko123 | < 1 second |
| 14 | 111111 | < 1 second |
| 15 | dragon | < 1 second |
| 16 | ana123 | < 1 second |
| 17 | split | < 1 second |
| 18 | ivan123 | < 1 second |
| 19 | abc123 | < 1 second |
| 20 | master | < 1 second |
| 21 | dalmatina | 2 seconds |
| 22 | maja2000 | 3 seconds |
| 23 | ljubav | < 1 second |
| 24 | sunce | < 1 second |
| 25 | 000000 | < 1 second |
Positions 26-50
| # | Password | Time to crack |
|---|---|---|
| 26 | admin | < 1 second |
| 27 | welcome | < 1 second |
| 28 | rijeka | < 1 second |
| 29 | monkey | < 1 second |
| 30 | tomislav | 2 seconds |
| 31 | letmein | < 1 second |
| 32 | adriatic | 2 seconds |
| 33 | 1234 | < 1 second |
| 34 | football | < 1 second |
| 35 | mate1990 | 5 seconds |
| 36 | qwerty123 | < 1 second |
| 37 | josip | < 1 second |
| 38 | nikola | < 1 second |
| 39 | marina | < 1 second |
| 40 | osijek | < 1 second |
| 41 | majka123 | 2 seconds |
| 42 | tesla | < 1 second |
| 43 | corvette | 2 seconds |
| 44 | vatreni | < 1 second |
| 45 | plitvice | 3 seconds |
| 46 | dubrovnik | 3 seconds |
| 47 | soccer | < 1 second |
| 48 | modric | < 1 second |
| 49 | petar | < 1 second |
| 50 | sunshine | < 1 second |
Why do people choose passwords like these?
Personal information
Names (marko123, ana123, ivan123), cities (zagreb, split, rijeka), football clubs (dinamo, hajduk). Hackers try these first.
Keyboard walk
qwerty, 123456, abc123 — fingers just sliding across the keyboard. These are literally the first passwords that cracking tools try.
Emotions and pop culture
iloveyou, ljubav (love), sunce (sun), dragon, vatreni (blazers) — emotional words and pop culture references are in every attack dictionary.
Name + year
maja2000, mate1990 — a combination of name and birth year. Hackers use name dictionaries combined with every year from 1950 to 2010.
What to do if your password is on the list?
1. Change it immediately
On EVERY service where you use that password. Not just one — credential stuffing attacks try the same password everywhere.
2. Use a password manager
Geslar generates a unique, strong password for every service. You only remember one master password — Geslar remembers all the rest.
3. Enable 2FA
Two-factor authentication is your safety net. Even if someone learns your password, without the second factor they can't access the account.
4. Check breach databases
Use the Geslar security check to check your password and email. Find out which data breaches have affected you.
Replace your weak password with a strong one — right now, for free.