Your password might be hacker bait.
Cybersecurity researchers have found that 19 billion passwords are circulating online, and only 6% of those leaked passwords were unique, meaning they weren’t reused or duplicated.
Researchers at Cybernews studied more than 200 data breaches that occurred between April 2024 and April 2025.
Of the 19,030,305,929 real passwords exposed online, 94% were reused across accounts and services, either by the same person or by different users entirely.
And the most common passwords were all too easy for hackers to crack: 42% were only 8-10 characters long, and 27% contained only lowercase letters and numbers, with no special characters or mixed-case variation.
“Despite years of security education, users still prefer shorter passwords because they are easier to type and memorize. It’s recommended to use at least 12 characters for a password,” Neringa Macijauskaitė, information security researcher at Cybernews, said in a press release.
One of the main issues is that many people stick with “default” passwords and lazy, simple keyboard combinations.
The analysis found that “1234” is used in almost 4% of all passwords, meaning over 727 million passwords use this sequence. When expanding that sequence to “123456,” 338 million passwords use it.
The research also revealed that 56 million passwords use the word “Password” and 53 million use “admin.” Since at least 2011, “Password” and “123456” have been the most popular passwords.
“The ‘default password’ problem remains one of the most persistent and dangerous patterns in leaked credential datasets,” Macijauskaitė said. “Attackers, too, prioritize them, making these passwords among the least secure.”
The cybersecurity experts also recommend never reusing passwords across different accounts and sites in order to keep your information safe.
“We’re facing a widespread epidemic of weak password reuse,” Macijauskaitė explained.
“If you reuse passwords across multiple platforms, a breach in one system can compromise the security of other accounts, creating a domino effect,” the researcher warned. “Attackers constantly harvest the latest credential dumps from exposed info-stealers and recently cracked hashes available publicly.”
Researchers also discovered that many compromised passwords relied heavily on names, and Ana was the most popular name used, appearing in 178.8 million passwords.
“Many users choose a name as part of their password. We cross-referenced the dataset with the 100 most popular names of 2025 and found that there’s a whopping 8% chance for them to be included as part of a password,” the researcher explains.
Even curse words were commonly used in passwords. For example, 16 million passwords included the F-word. The top entry, “ass,” was found 165 million times, but that may partly be explained by the use of “pass” or “password.”
Many also choose passwords inspired by positive concepts or pop culture phrases. “Positive associations, admired characters, and nostalgia make people feel familiar and are easy to recall. However, popularity becomes predictability, exploited by attackers,” Macijauskaitė explained.
To create strong passwords and improve overall security, the experts suggest taking the following measures:
- Use password managers to create and store unique, strong passwords for every service.
- Never reuse passwords.
- Make sure your password is at least 12 characters long and includes uppercase letters, lowercase letters, numbers and at least one special symbol. Skip words, names, sequences or other recognizable strings. “Complexity beats length.”
- Enable multi-factor authentication when possible.
- Review access controls regularly and perform regular security audits.
- Monitor and react to credential leaks.
- For organizations, enforce policies that require passwords to be at least 12 characters long, ideally 16, using a mix of uppercase and lowercase letters, numbers and special characters.
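
The sketch below is an added example, not code from Cybernews or from this article. It checks a candidate password against the length and character-class rules listed above and against the strings the analysis found most often, showing that a password such as "Password1234!" satisfies the character rules while still containing two of them. The function names, the sequence table and the character-substitution table are assumptions made for illustration.

```python
import re

MIN_LENGTH = 12  # the article's minimum; it prefers 16 for organizations

# Strings the article reports as frequent in leaked passwords.
# "ana" is the most common name it cites; a real list would be far longer.
BANNED_SUBSTRINGS = ("1234", "password", "admin", "ana")

# Constructed data (not from the article): runs used to spot sequences.
RUNS = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl")

# Assumed substitution table so "P@ssw0rd" is compared as "password".
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e", "!": "i"})


def has_run(text, length=4):
    """True if text contains `length` consecutive characters of a known run."""
    for run in RUNS:
        for seq in (run, run[::-1]):  # forward and reversed, e.g. "4321"
            for i in range(len(seq) - length + 1):
                if seq[i:i + length] in text:
                    return True
    return False


def check_password(pw):
    """Return the list of policy violations; an empty list means pass."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    for name, pattern in (("lowercase", r"[a-z]"), ("uppercase", r"[A-Z]"),
                          ("digit", r"[0-9]"), ("special", r"[^A-Za-z0-9]")):
        if not re.search(pattern, pw):
            problems.append("missing_" + name)
    lowered = pw.lower()
    normalized = lowered.translate(LEET)  # undo common character swaps
    for banned in BANNED_SUBSTRINGS:
        if banned in lowered or banned in normalized:
            problems.append("contains_" + banned)
    if has_run(lowered):
        problems.append("sequence")
    return problems
```

Plain substring matching over-flags in the same way the article notes for “pass”: any password containing "ana" is rejected, including one that contains "banana".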