We Tested 100 Pet Names Against 12 Billion Breached Passwords. Here's What We Found.
Everyone quotes the same survey when writing about pet name passwords: a 2022 Aura survey (conducted by The Harris Poll among 2,082 adults) that found 39% of American pet owners have used their pet's name in a password. Useful number. But it tells you nothing about which names are the riskiest, or how the specific patterns people use hold up against real breach data.
So we tested it. We took 100 popular pet names, generated 12 common variations of each (1,200 password strings total), and looked up every single one in the Have I Been Pwned database. That database contains over 12 billion breached passwords from real-world leaks.
The results surprised us in several ways.
The Top 20 Most Breached Pet Names
We summed the breach appearances across all 12 variations for each name. Here is how the top 20 stack up. The chart shows total appearances across breach databases.
Finding 1: Charlie beats Bella. And Luna is not even in the top 20.
The biggest surprise in the data. Charlie leads with 3.6 million total breach appearances, followed by Shadow at 3.4 million. Despite Luna being the #1 pet name in the US right now for both dogs and cats, it does not appear in the top 20. This is because Charlie doubles as a common human first name, and Shadow doubles as an everyday English word, which inflates their presence in breach datasets from non-pet sources.
Lesson: Raw popularity as a pet name is not the same as danger as a password.
How People Actually Modify Their Pet Name Passwords
This is where the data gets interesting. We tested 12 common ways people modify a pet name when creating a password. Here is how often each pattern actually appears in breach data:
Finding 2: Adding a year is far less common than you think.
Every password advice article (including ours, earlier) warns against "name + current year" patterns like luna2025. But the data shows this pattern accounts for less than 0.2% of breach appearances. The current year and recent years combined (2024, 2025, 2026) total just 92,000 appearances, compared to 27 million for the name alone and 13.5 million for name+1.
This does not mean year suffixes are safe. It means people do not actually use them as often as security articles assume. The real risk is the bare name and simple digit append like charlie1.
The Top 15 Most Breached Pet Name Passwords
Moving from name totals to specific password strings, here are the 15 most breached pet-name-based passwords in the HIBP database:
| Rank | Password | Breach Appearances | Variation Type |
|---|---|---|---|
| 1 | shadow | 2,085,015 | lowercase |
| 2 | charlie | 1,909,656 | lowercase |
| 3 | maggie | 1,174,001 | lowercase |
| 4 | cookie | 1,135,206 | lowercase |
| 5 | charlie1 | 1,100,179 | name+1 |
| 6 | pepper | 1,097,328 | lowercase |
| 7 | sophie | 1,089,335 | lowercase |
| 8 | oliver | 1,035,857 | lowercase |
| 9 | ginger | 1,031,503 | lowercase |
| 10 | bailey | 945,600 | lowercase |
| 11 | angel1 | 870,705 | name+1 |
| 12 | peanut | 862,414 | lowercase |
| 13 | stella | 834,984 | lowercase |
| 14 | midnight | 701,544 | lowercase |
| 15 | angel | 694,153 | lowercase |
Finding 3: The bare name is by far the most common.
Of the top 15 most breached pet name passwords, 12 are just the lowercase name with no modifications at all. Most people do not even add 123 or capitalize the first letter. They use their pet's name verbatim.
If your password is a pet name in any form, it is almost certainly in this database.
The Year Problem: Current Year Passwords Age Fast
We also compared how breach data differs across year suffixes. Older years appear more because they have had more time to accumulate in breaches. But the rate of appearance tells you something about password longevity:
luna2024 appears nearly 3x more often than luna2025, which appears 2x more often than luna2026. Either people adopted the 2024 habit faster, or 2025 and 2026 passwords have not made it into breach datasets yet. Most likely both.
The Safer (But Still Not Safe) Names
Some names appeared relatively rarely in breach data. These are not "safe" passwords. They are just less common. A password still fails if an attacker tests it.
| Name | Breach Appearances (name alone) |
|---|---|
| Binx | 1,438 |
| Tofu | 3,159 |
| Mochi | 5,921 |
| Fido | 7,398 |
| Gus | 7,846 |
| Rex | 11,051 |
| Finn | 12,853 |
| Pixel | 14,800 |
| Hank | 15,324 |
| Zoey | 15,932 |
The trend: uncommon, modern, or food-themed names (Tofu, Mochi, Binx) score much lower than classic pet names. But even "safer" names still appear thousands of times. There is no truly safe pet name password.
How We Did the Study
Methodology
Names tested: 100 pet names sourced from 2025 rankings by the American Kennel Club, Rover, Newsweek, and TrustedHousesitters. Mix of 50 top dog names, 25 cat-specific names, and 25 trending food and pop culture names.
Variations per name: 12 patterns matching real-world attack rules used in Hashcat and John the Ripper: lowercase, capitalized, +1, +123, +Name123, +2024, +2025, +2026, +Name2024, +!, +Name!, +01.
Data source: Have I Been Pwned Pwned Passwords API, which contains over 12 billion passwords from known data breaches.
Privacy: We used the k-anonymity approach. Only the first 5 characters of each password's SHA-1 hash were sent to the API. No full passwords or full hashes left the test environment.
Sample size: 1,200 password queries total. All queries succeeded. Zero errors.
Date collected: April 2026.
What This Means for Your Password
If your password is based on your pet's name in any form, the odds that it appears in breach data are extremely high. Our data shows 95% of the names we tested appear in breaches at least 10,000 times.
The fix is not to stop using your pet's name. The fix is to stop using it the way everyone else does. That means: longer passwords (14+ characters), unrelated words combined with the name, symbols placed in unexpected positions, and not relying on common append patterns like 123 or a year.
For the full breakdown of which specific names are weak and why, see our analysis of common pet name passwords. For the patterns that do not work, see password patterns that do not work.
Test Your Password Against This Data
Want to see if your pet name password appears in breach data? Run it through the Pet Name Password Checker. It uses the same Have I Been Pwned API from this study, runs entirely in your browser, and stores nothing.