Passwords are becoming easier targets for hackers.
Recent findings show that around 19 billion passwords are now available online, and only about 6% of them are unique, meaning they aren’t reused or duplicated.
Researchers from CyberNews observed over 200 data breaches from April 2024 to April 2025.
Out of approximately 19 billion passwords found, a staggering 94% were reused across various accounts, either by the same user or different individuals.
Many of these passwords were alarmingly simple for hackers to crack. For instance, 42% had only 8 to 10 characters, and 27% comprised solely lowercase letters and numbers—no special characters or mixed-case letters.
“After years of education on security, users still tend to favor shorter passwords for their simplicity,” remarked Neringa Macijauskaitė, an information security researcher from CyberNews. “We suggest that a password should be at least 12 characters long.”
One critical challenge is that many people rely on predictable ‘default’ passwords or choose overly simplistic combinations.
Interestingly, “1234” is present in nearly 4% of all passwords, translating to more than 727 million uses. Extending that to “123456” narrows the count to 338 million.
The study also found that 56 million passwords included terms like “password” and “admin.” Such weak passwords have persisted as favorites since at least 2011.
“The problem with using ‘default passwords’ remains a persistent threat,” Macijauskaitė stated. “Attackers often target these, making them less secure.”
Experts advise against reusing passwords across different platforms to safeguard personal information.
“We’re seeing a troubling trend of weak password reuse,” Macijauskaitė added.
“If one account is compromised, it could jeopardize the security of other accounts. Attackers continuously collect leaked passwords and often make them publicly accessible,” researchers noted.
Moreover, many compromised passwords tend to revolve around names, with “Ana” alone appearing in 178.8 million passwords.
“Many individuals incorporate names into their passwords. The study highlights an 8% chance that popular names might be part of a password,” researchers explained.
Interestingly, vulgar terms also show up frequently. For instance, around 16 million passwords included profanity, with the word “Ass” appearing 165 million times, partly because the string also occurs inside words like “password.”
Additionally, many opt for passwords inspired by positive themes or pop culture. “This tendency might evoke familiarity, but it also makes passwords predictable and easier targets,” Macijauskaitė explained.
To enhance password strength and overall security, experts recommend the following:
- Utilize a password manager to generate and store strong, unique passwords for each service.
- Avoid reusing passwords.
- Ensure passwords are at least 12 characters long and include a mix of special symbols, uppercase and lowercase letters, and numbers. Avoid recognizable words or patterns.
- Activate multifactor authentication wherever possible.
- Regularly review access controls and conduct security audits.
- Stay vigilant against any credential leaks.
- For organizations, enforce policies that require a mix of character types, aiming for passwords of at least 12 and ideally 16 characters.
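
The length, character-mix, pattern and reuse recommendations above can be checked mechanically. The following Python is an added example, not code from CyberNews or the original article; the function names, the sample vault and the choice of substrings (taken from strings the article cites) are assumptions made for illustration.

```python
import hashlib
import string
from collections import defaultdict

MIN_LENGTH = 12  # minimum length recommended in the article
# Substrings the article reports as common in leaked passwords (illustrative list).
WEAK_SUBSTRINGS = ("1234", "password", "admin")

def audit_password(password):
    """Return a list of policy findings; an empty list means the password passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    findings += [f"missing_{name}" for name, present in classes.items() if not present]
    lowered = password.lower()  # match "Admin", "PASSWORD" and similar variants
    findings += [f"contains_{s}" for s in WEAK_SUBSTRINGS if s in lowered]
    return findings

def find_reuse(credentials):
    """Group services that share a password. credentials maps service -> password."""
    # Digests are used only for in-memory grouping so plaintexts are not dict keys.
    by_digest = defaultdict(list)
    for service, password in credentials.items():
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].append(service)
    return sorted(sorted(group) for group in by_digest.values() if len(group) > 1)

# Constructed sample vault for the demonstration (not real credentials).
SAMPLE_VAULT = {
    "mail": "admin123456",
    "bank": "admin123456",
    "forum": "sunshine2024",
    "vpn": "q7#Lm!vR2x@Zp9Kd",
}

if __name__ == "__main__":
    for service, password in SAMPLE_VAULT.items():
        print(service, audit_password(password) or "ok")
    print("reused across:", find_reuse(SAMPLE_VAULT))
```

A password that passes these checks can still appear in a breach corpus, so this complements rather than replaces monitoring for credential leaks.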





