via Ernestas Naprys and CyberNews
A new study of over 19 billion newly exposed passwords reveals a widespread crisis of weak, reused passwords. Lazy keyboard patterns such as 123456 still reign supreme, and 94% of passwords are reused or duplicated, according to data leaks from 2024–2025. People’s names are the second most popular password component, with Ana the most frequent of them.
Several high-profile incidents over the last year, including Snowflake breaches, the SOCRadar.io leak, and others, have poured billions of passwords and other data into cybercriminals’ hands.
The Cybernews research team conducted a comprehensive study on recently leaked credentials to examine the 2025 password creation trends.
“We’re facing a widespread epidemic of weak password reuse. Only 6% of passwords are unique, leaving other users highly vulnerable to dictionary attacks. For most, security hangs by the thread of two-factor authentication—if it’s even enabled,” said Neringa Macijauskaitė, information security researcher at Cybernews.
Despite ongoing efforts to educate users about password security, there has been no progress over the decades, which highlights the need to accelerate the adoption of more secure authentication methods.
Key Takeaways
- Most people use 8–10 character passwords (42%), with eight being the most popular.
- Almost a third (27%) of the passwords analyzed consist of only lowercase letters and digits.
- Passwords composed of profane or offensive words might seem rare, but they’re actually very common in practice.
- Despite years of being called out, default and “lazy” passwords like “password”, “admin”, and “123456” are still a common pattern.
Methodology
The analyzed dataset contains exposed credentials from leaks or breaches that happened in a 12-month period starting in April 2024.
The data included leaked databases, combolists, and stealer logs originating from around 200 cybersecurity incidents. Only data that became publicly available was analyzed.
The leaks exposed a total of 19,030,305,929 passwords. Only 1,143,815,266 (6%) of passwords were identified as unique.
The data was carefully filtered and anonymized to ensure no personal or identifiable information was used during the processing. Cybernews deleted all the data and retains no copies.
To analyze the password data, we used a combination of OSINT (open source intelligence), CTI (cyber threat intelligence), and technical automation. Our custom wordlists divided password components into categories. Custom bash and Python scripts were used along with publicly available tools to assess critical details such as password length, character composition, and the use of special characters, digits, and uppercase letters.
The researchers note that cybercriminals can obtain additional information that comes with the exposed passwords, like email addresses and other personal data. Only data sources with email addresses were used for the analysis. Neither the RockYou24 password collection nor any other word-lists were included as the source data.
The original leaks contained over 3TB of data and were loaded with information that could be used to steal accounts or impersonate affected people in identity theft attacks. The analyzed dataset contained 213 GB, or 19,030,305,929 passwords, with 1,143,815,266 of them being unique.
Credential-stuffing goldmine
It’s no surprise that you’ll find “1234” in almost 4% of all passwords – over 727 million passwords use this sequence. Extending it by two more digits, to “123456”, still leaves 338 million passwords using it. “Password” and “123456” have been the most popular passwords since at least 2011.
“The ‘default password’ problem remains one of the most persistent and dangerous patterns in leaked credential datasets. Entries ‘password’ (56M) and ‘admin’ (53M) reveal that users overwhelmingly rely on simple, predictable defaults,” Macijauskaitė said. “Attackers, too, prioritize them, making these passwords among the least secure.”
Many systems originally provide these defaults, such as routers with “admin/admin” or phones with 1234 PINs. Users either never change them or even recycle these passwords elsewhere themselves.
To better understand the composition of passwords, researchers developed custom wordlists covering diverse themes.
People’s names were the second most prevalent component.
“Many users choose a name as part of their password. We cross-referenced the dataset with the 100 most popular names of 2025 and found that there’s a whopping 8% chance for them to be included as part of a password,” the researcher explains.
Ana was the most popular, used in almost 1%, or 178.8M passwords. This short component naturally appears in many other common words, such as “banana” (used in 3.7M passwords).
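As an added illustration of the component matching described above (example code written for this page, not the Cybernews team’s scripts), the snippet below counts how often terms from small themed wordlists occur in a constructed sample of passwords. It first matches the way a plain substring scan does, which is exactly why “ana” gets credited for “banana” and “anastasia”, and then shows a stricter whole-word variant for comparison. The wordlists and sample passwords are assumptions, not the study’s data.

```python
import re
from collections import Counter

# Constructed sample of leaked-style passwords; not data from the study.
SAMPLE_PASSWORDS = [
    "banana123", "Ana2024!", "password1", "mariokart", "iloveana",
    "Summer2024", "qwerty", "anastasia", "Rome1999", "batman!",
]

# Tiny stand-in for the study's themed wordlists (assumption: the real lists are far larger).
WORDLISTS = {
    "names": ["ana", "mario", "anastasia"],
    "positive": ["love", "sun"],
    "cities": ["rome"],
    "pop_culture": ["mario", "batman"],
    "seasons": ["summer"],
}


def count_components(passwords, wordlists):
    """Count passwords containing each term as a case-insensitive substring.

    This is the loose matching that credits 'ana' for 'banana' and 'anastasia'.
    """
    hits = {theme: Counter() for theme in wordlists}
    for pw in passwords:
        low = pw.lower()
        for theme, words in wordlists.items():
            for w in words:
                if w in low:
                    hits[theme][w] += 1
    return hits


def count_whole_words(passwords, wordlists):
    """Stricter variant: the term may not be flanked by other letters.

    'ana' still matches 'Ana2024!' but no longer matches 'banana' or 'anastasia',
    which removes the overcounting of short names at the cost of missing
    concatenations such as 'iloveana'.
    """
    hits = {theme: Counter() for theme in wordlists}
    for pw in passwords:
        low = pw.lower()
        for theme, words in wordlists.items():
            for w in words:
                if re.search(r"(?<![a-z])" + re.escape(w) + r"(?![a-z])", low):
                    hits[theme][w] += 1
    return hits


def share(count, total):
    """Percentage of the dataset a count represents, rounded to one decimal."""
    return round(100 * count / total, 1)


if __name__ == "__main__":
    total = len(SAMPLE_PASSWORDS)
    loose = count_components(SAMPLE_PASSWORDS, WORDLISTS)
    strict = count_whole_words(SAMPLE_PASSWORDS, WORDLISTS)
    for theme in WORDLISTS:
        for w, n in loose[theme].most_common():
            print(f"{theme:12} {w:10} substring={n} ({share(n, total)}%)"
                  f" whole-word={strict[theme][w]}")
```

Running the two counters side by side makes the trade-off visible: the substring count for “ana” is four times the whole-word count on this sample, so any figure for short names should be read with the matching rule in mind.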
Many users opt for passwords inspired by positive, uplifting concepts. Words like love (87M), sun (34M), dream (6.1M), joy (6.9M), and freedom (2M) dominate the positive wordlist.
Some of the most frequently used pop culture terms in passwords include Mario (9.6M), Joker (3.1M), Batman (3.9M), Thor (6.2M), and, surprisingly, Elsa (2.9M) from Disney’s “Frozen”.
“Positive associations, admired characters, and nostalgia make people feel familiar and are easy to recall. However, popularity becomes predictability, exploited by attackers,” the researcher explains.
Swear words are also very common in passwords. The top entry, ass (165M), can be partly explained by the use of “pass” or “password.” However, users often craft their passwords using fuck (16M), shit (6.5M), dick (3.2M), and bitch (3.2M).

“Passwords built from profane or offensive words might seem rare, but they’re actually very common in practice,” Macijauskaitė said. “Passwords containing profanity often originate from attempts at personalization or memorability. However, such terms are prevalent in attacker wordlists and pose a substantial risk to account security.”
Other top-most frequently used words in passwords include countries, cities, US states, food, popular brands, nature, animals, or even seasons or months.
The most popular city for passwords is Rome (13M), while 9.8M passwords include lion and 7.8M include fox. Summer (3.8M) is the most popular season, and users seem to prefer Monday (0.8M) the most to protect their accounts.
May (28M) appears in many passwords, but also as part of many other words used to create them. The second most popular month was April (5.2M).
Pizza (3.3M) wasn’t the most popular food guard: over 36M passwords included tea, 10.7M apple, 4.9M rice, and 3.6M orange.
Google holds the door for 25.9M accounts, followed by Facebook (18.7M), and Kia (12.7M).
Many believe that hackers will be repelled by boss (10M), hunter (6.6M), cook (4.2M) and other professions. Soccer (4M) is a more popular account safeguard than football (3.4M).
Carolina (1.9M), Dakota (1.2M), and Texas (1.1M) are the three most popular US states that will not keep hackers away.
Almost 24M users believe “god” will make their password secure, and 20M rely on “hell”.
Short and lowercase – a common pattern
Most people use 8–10 character passwords (42%), and eight-character passwords were the most popular. The length distribution is as follows. Many systems do not allow the use of passwords shorter than 8 characters.

“Despite years of security education, users still prefer shorter passwords because they are easier to type and memorize. It’s recommended to use at least 12 characters for a password,” the researcher explains.
The analysis also unveils that almost a third (27%) of the passwords consisted of only lowercase letters and digits, a structure that significantly increases vulnerability to brute-force and dictionary attacks. Additionally, almost 20% of unique passwords mixed upper- and lowercase letters with numbers but had no special characters.

“Such password choices make users an easy mark for brute-force attacks. However, our analysis also reveals a notable positive shift in password complexity,” Macijauskaitė noted.
“According to our weakest password research done in 2022, only 1% of passwords used a mix of lowercase, uppercase, numbers, and symbols. Now that figure has climbed to 19%, reflecting the impact of stricter platform requirements and a slow but measurable improvement in user behavior.”
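The length and character-composition figures above come from the kind of automated scripts the methodology section mentions. The following is an added example of such an analysis (written for this page, not the Cybernews team’s code): it buckets a constructed sample of passwords by length and by the composition categories the article reports (lowercase plus digits only, mixed case plus digits without specials, and all four classes). The sample passwords are constructed and the bucket names are assumptions.

```python
from collections import Counter

# Constructed sample standing in for the leaked passwords; not data from the study.
SAMPLE_PASSWORDS = [
    "123456", "password", "admin", "qwerty12", "letmein1", "sunshine99",
    "Summer2024", "Banana42", "P@ssw0rd!", "Tr0ub4dor&3", "correcthorsebattery",
    "Xk9#mQ2!vL7$", "dragon", "iloveyou1",
]


def length_histogram(passwords):
    """Exact password length -> number of passwords with that length."""
    return Counter(len(pw) for pw in passwords)


def most_common_length(passwords):
    """The single most frequent password length in the sample."""
    return length_histogram(passwords).most_common(1)[0][0]


def count_in_length_range(passwords, lo, hi):
    """Number of passwords whose length lies between lo and hi inclusive (e.g. 8-10)."""
    return sum(1 for pw in passwords if lo <= len(pw) <= hi)


def char_classes(pw):
    """Set of character classes present: 'lower', 'upper', 'digit', 'special'."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def composition_profile(passwords):
    """Bucket passwords into the composition categories the article reports."""
    profile = Counter()
    for pw in passwords:
        c = char_classes(pw)
        if c == {"lower", "digit"}:
            profile["lowercase + digits only"] += 1
        elif c == {"lower", "upper", "digit"}:
            profile["mixed case + digits, no special"] += 1
        elif c == {"lower", "upper", "digit", "special"}:
            profile["all four classes"] += 1
        else:
            profile["other"] += 1   # single-class passwords, digit-only PINs, etc.
    return profile


def percent(count, total):
    """Share of the sample, rounded to one decimal place."""
    return round(100 * count / total, 1)


if __name__ == "__main__":
    total = len(SAMPLE_PASSWORDS)
    print("most common length:", most_common_length(SAMPLE_PASSWORDS))
    in_range = count_in_length_range(SAMPLE_PASSWORDS, 8, 10)
    print(f"8-10 characters: {in_range} ({percent(in_range, total)}%)")
    for bucket, n in composition_profile(SAMPLE_PASSWORDS).most_common():
        print(f"{bucket:34} {n:3} ({percent(n, total)}%)")
```

On real leak data the same functions run over a stream of lines rather than an in-memory list, and the "other" bucket deserves its own breakdown, since digit-only PINs and single-case words behave very differently under dictionary attack.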
Weak passwords lead to security breaches
Breaking passwords down into components mirrors the methods used by cybercriminals and yields relevant insights into the weaknesses of password creation. The unfortunate reality is that passwords are both weak and reused multiple times.
“Attackers constantly harvest the latest credential dumps from exposed info-stealers and recently cracked hashes available publicly. These fresh datasets enable waves of highly effective credential-stuffing attacks, often bypassing traditional security defenses,” Macijauskaitė warns.
The exceptionally high percentage of repeated passwords in the research could be attributed to some leaked sources containing duplicate entries, but only partly.
“The prevalence of weak, reused, and simple passwords across platforms significantly increases the risk of cyberattacks,” she added. “If you reuse passwords across multiple platforms, a breach in one system can compromise the security of other accounts, creating a domino effect. Even without any compromise, hackers can exploit common password patterns.”
Attackers are using automated tools to test vast volumes of leaked usernames and passwords across multiple platforms. While these attacks may seem inefficient, a success rate between 0.2% and 2.0% makes them highly profitable. Hackers test millions of credentials, and that yields thousands of compromised accounts.
According to Enzoic, weak passwords were responsible for 30% of ransomware infections in 2019, and the problem has remained pervasive in recent years.
“If attackers gain access, they often don’t need any additional technical skills or system vulnerabilities to do harm. They can quickly escalate privileges and even deploy ransomware, resulting in operational disruption and financial loss,” Macijauskaitė explains.
“For organizations, the widespread use of insecure passwords represents a serious threat. Each reused or weak password represents a potential entry point for attackers to launch credential stuffing, lateral movement, and ransomware deployment, underscoring the need for improved password hygiene and proactive monitoring.”
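The automated credential testing described above leaves a recognizable trace in authentication logs: one source address cycling through many distinct usernames with a high failure rate, which looks nothing like a single user mistyping a password. The example below is added for this page (it is not from the article or any product) and runs that check over a handful of constructed log lines; the log format, the field names, the thresholds and the IP addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines (not from the article or any real system).
# Addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
LOG_LINES = [
    "2025-05-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL",
    "2025-05-01T10:00:02Z src=203.0.113.7 user=bob result=FAIL",
    "2025-05-01T10:00:02Z src=203.0.113.7 user=carol result=FAIL",
    "2025-05-01T10:00:03Z src=203.0.113.7 user=dave result=FAIL",
    "2025-05-01T10:00:03Z src=203.0.113.7 user=erin result=FAIL",
    "2025-05-01T10:00:04Z src=203.0.113.7 user=frank result=OK",
    "2025-05-01T10:00:09Z src=198.51.100.4 user=alice result=FAIL",
    "2025-05-01T10:00:15Z src=198.51.100.4 user=alice result=FAIL",
    "2025-05-01T10:00:30Z src=198.51.100.4 user=alice result=OK",
]


def parse_line(line):
    """Split '<timestamp> key=value ...' into (datetime, src, user, result)."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["src"], fields["user"], fields["result"]


def detect_stuffing(lines, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct usernames within `window`, mostly failing.

    A single account failing repeatedly from one source is a different pattern
    (a typo, or a brute-force against one user) and is deliberately not flagged here.
    Returns {src: summary} where summary lists the accounts that did log in, since
    those are the ones to reset first.
    """
    events = defaultdict(list)
    for line in lines:
        ts, src, user, result = parse_line(line)
        events[src].append((ts, user, result))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                alerts[src] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    "succeeded_users": sorted(u for _, u, r in win if r == "OK"),
                }
    return alerts


if __name__ == "__main__":
    for src, info in detect_stuffing(LOG_LINES).items():
        print(f"credential stuffing suspected from {src}: {info}")
```

The success-rate figures quoted above are why the `succeeded_users` list matters more than the alert itself: in a campaign that mostly fails, the rare `OK` inside a flagged window is the account that was actually compromised.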
How to create strong passwords?
To reduce the risks identified in the study and improve overall password security, the Cybernews research team recommends the following measures:
- Use password managers. They create and store unique, strong passwords for every service, reducing the temptation to reuse passwords across different platforms.
- Never reuse passwords. Make sure your password is at least 12 characters long and includes uppercase and lowercase letters, numbers, and at least one special symbol. Skip any words, names, sequences, or other recognizable strings.
- Enable multi-factor authentication (MFA) wherever possible. MFA provides an extra layer of security, reducing the risk of unauthorized access even if passwords are compromised.
- Organizations should enforce password policies that require passwords to be at least 12 characters long, ideally 16, incorporating a mix of uppercase and lowercase letters, numbers, and special characters. Complexity beats length.
- Organizations should ensure that adequate hashing algorithms and configurations are in place for stored credentials, while continuously reviewing existing security standards for data in transit and at rest.
- Review access controls regularly and perform regular security audits. This leads to a better security posture of a company and lowers the risk of its users’ personal data being leaked.
- Monitor and react to credential leaks. Organizations should adopt tools and platforms that can detect leaked credentials in real time, allowing them to instantly block access or require resets for affected accounts.
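As an added example of how the policy and monitoring recommendations above can be enforced at the point where a password is set (example code written for this page, not a Cybernews tool or any specific product), the snippet below combines a policy check with a lookup against a leak corpus. The corpus is queried the way k-anonymity range services do, by hashing the candidate and comparing only the hash suffix within the bucket selected by its first five hex characters, so a remote service would see the prefix and never the password. The breach corpus, the blocked-word list and the exact rules are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed mini "breach corpus" standing in for the leaked-credential feeds
# the article recommends monitoring; real services hold billions of entries.
BREACHED_PASSWORDS = ["123456", "password", "admin", "Summer2024", "P@ssw0rd!", "iloveyou1"]

# A few of the common components named in the article; a real deployment would
# use the full themed wordlists.
BLOCKED_WORDS = ["password", "admin", "qwerty", "love", "summer", "ana"]


def build_prefix_index(passwords):
    """Index SHA-1(password) under its first 5 hex characters.

    This mirrors the k-anonymity range model: the client sends only the prefix,
    receives every suffix in that bucket, and compares locally.
    """
    index = defaultdict(set)
    for pw in passwords:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        index[digest[:5]].add(digest[5:])
    return index


def is_breached(pw, index):
    """True if the password's hash suffix is in the bucket for its prefix."""
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive ascending or descending characters
    such as '1234', 'abcd' or 'dcba'."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        codes = [ord(c) for c in low[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_policy(pw, index, min_len=12):
    """Return the list of violations; an empty list means the password is acceptable.

    The rules follow the article's recommendations: minimum length, all four
    character classes, no recognizable words or sequences, and absence from
    known leaks.
    """
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    low = pw.lower()
    for w in BLOCKED_WORDS:
        if w in low:
            problems.append(f"contains common word '{w}'")
    if has_sequence(pw):
        problems.append("contains a keyboard/number sequence")
    if is_breached(pw, index):
        problems.append("appears in a known leak")
    return problems


if __name__ == "__main__":
    index = build_prefix_index(BREACHED_PASSWORDS)
    for candidate in ["Summer2024", "Password1234!", "Xk9#mQ2!vL7$wR"]:
        verdict = check_policy(candidate, index) or ["ok"]
        print(f"{candidate:16} -> {'; '.join(verdict)}")
```

The leak check belongs in the same flow as the complexity rules because a password can satisfy every composition requirement and still be a known leaked string, as `P@ssw0rd!` in the constructed corpus shows; the order of the checks also lets the caller report all violations at once instead of making the user iterate.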
The goal of this research is to understand the behaviors, trends, and patterns behind leaked passwords in order to anticipate credential-stuffing attacks and provide actionable insights for users and organizations alike.