
19 billion leaked passwords reveal deepening crisis: lazy, reused, and stolen

A new study of over 19 billion newly exposed passwords reveals a widespread crisis of weak and reused passwords. Lazy keyboard patterns such as 123456 still reign supreme, and 94% of passwords are reused or duplicated, according to data leaks from 2024-2025. Names like Ana rank as the second most popular component.

Leaked passwords are weak, short and reused. Image by Cybernews.

Ernestas Naprys, Senior Journalist
Apr 30, 2025. Updated: 13 May 2025. 7 min read.

Key Takeaways

  • Most people use 8–10 character passwords (42%), with eight being the most popular.
  • Almost a third (27%) of the passwords analyzed consist of only lowercase letters and digits.
  • Passwords composed of profane or offensive words might seem rare, but they're actually very common in practice.
  • Despite years of being called out, default and “lazy” passwords like “password”, “admin”, and “123456” are still a common pattern.
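To make the takeaways measurable, here is an added Python example (not the study's code or data) that computes the three statistics the article reports, a length distribution, a character-class composition breakdown and a duplicate share, over a small constructed sample corpus. The length buckets and the definition of "duplicated" (an entry whose exact value occurs more than once in the corpus) are my own assumptions, since the article does not spell out the study's definitions.

```python
from collections import Counter

# Constructed sample standing in for a leaked credential corpus (not data from the study).
SAMPLE_LEAK = [
    "123456", "password", "admin", "qwerty123", "Ana2024!", "Ana1998",
    "123456", "password", "letmein", "sunshine1", "P@ssw0rd", "iloveyou",
    "123456", "abc123", "admin", "Summer2024", "football", "dragon",
    "123456", "qwerty", "welcome1", "Ana123", "monkey", "mypassword12",
]


def length_buckets(passwords):
    """Count passwords per length bucket; the bucket edges are an assumption of this example."""
    buckets = Counter()
    for pw in passwords:
        n = len(pw)
        if n < 8:
            buckets["<8"] += 1
        elif n <= 10:
            buckets["8-10"] += 1
        elif n <= 12:
            buckets["11-12"] += 1
        else:
            buckets["13+"] += 1
    return buckets


def composition(pw):
    """Label a password by the character classes it contains, e.g. 'lower+digit'."""
    classes = []
    if any(c.islower() for c in pw):
        classes.append("lower")
    if any(c.isupper() for c in pw):
        classes.append("upper")
    if any(c.isdigit() for c in pw):
        classes.append("digit")
    if any(not c.isalnum() for c in pw):   # anything that is not a letter or digit
        classes.append("symbol")
    return "+".join(classes) if classes else "none"


def duplicate_share(passwords):
    """Fraction of entries whose exact value appears more than once in the corpus."""
    counts = Counter(passwords)
    duplicated = sum(1 for pw in passwords if counts[pw] > 1)
    return duplicated / len(passwords)


def most_common(passwords, n=3):
    """The n most frequent values with their counts."""
    return Counter(passwords).most_common(n)


def summarize(passwords):
    """One dict with all the statistics, in the shape a report table would use."""
    return {
        "length": dict(length_buckets(passwords)),
        "composition": dict(Counter(composition(pw) for pw in passwords)),
        "duplicate_share": duplicate_share(passwords),
        "top": most_common(passwords),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LEAK).items():
        print(f"{key}: {value}")
```

On the constructed sample, the 8-10 bucket holds 10 of 24 entries, lowercase-only is the largest composition class, and a third of the entries are duplicates; the point is that the same few lines, run over a real breach dump, reproduce the article's categories.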

Methodology

Credential-stuffing goldmine


Short and lowercase – a common pattern

Figure: password length distribution (image by Cybernews).
Figure: password composition breakdown (image by Cybernews).

Weak passwords lead to security breaches


How to create strong passwords?

  • Use password managers. They create and store unique, strong passwords for every service, reducing the temptation to reuse passwords across different platforms.
  • Never reuse passwords. Make sure your password is at least 12 characters long and includes uppercase and lowercase letters, numbers, and at least one special symbol. Skip any words, names, sequences, or other recognizable strings.
  • Enable multi-factor authentication (MFA) wherever possible. MFA provides an extra layer of security, reducing the risk of unauthorized access even if passwords are compromised.
  • Organizations should enforce password policies that require passwords to be at least 12 characters long, ideally 16, incorporating a mix of uppercase and lowercase letters, numbers, and special characters. Complexity beats length.
  • Organizations should ensure that adequate data hashing algorithms and configurations are implemented while continuously reviewing existing security standards revolving around data transit and storage.
  • Review access controls regularly and perform regular security audits. This leads to a better security posture of a company and lowers the risk of its users’ personal data being leaked.
  • Monitor and react to credential leaks. Organizations should adopt tools and platforms that can detect leaked credentials in real time, allowing them to instantly block access or require resets for affected accounts.
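The list above describes three controls that are easy to get subtly wrong in code: the composition and no-recognizable-strings rule for user passwords, adequate hashing for storage, and a check against known-leaked credentials. The following Python example is added here and is not code from Cybernews or from any vendor tool; the common-word list, keyboard rows, the constructed leak set and the scrypt parameters are all my own assumptions.

```python
import hashlib
import os
import secrets

# Constructed stand-ins; a real deployment would use a full dictionary and a breach feed.
COMMON_WORDS = {"password", "admin", "welcome", "qwerty", "ana", "summer", "football", "letmein"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Leak sets are normally held as digests, not plaintext; SHA-1 here only mirrors that convention.
LEAKED_SHA1 = {
    hashlib.sha1(v.encode()).hexdigest()
    for v in ("123456", "password", "admin", "qwerty", "iloveyou")
}
# scrypt work factors: an assumed baseline, not figures from the article (16 MiB per hash).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive keyboard-row characters (either direction)
    or an ascending run such as 'abcd' or '6789'."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        for row in KEYBOARD_ROWS:
            if chunk in row or chunk in row[::-1]:
                return True
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def in_known_leak(pw):
    """Compare the digest of the candidate against the leaked-credential set."""
    return hashlib.sha1(pw.encode()).hexdigest() in LEAKED_SHA1


def check_policy(pw, min_len=12):
    """Return the list of rule violations; an empty list means the password passes.
    Rules follow the article's list: length, four character classes, no recognizable
    words or sequences, and not present in a known leak."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("no special symbol")
    low = pw.lower()
    if any(word in low for word in COMMON_WORDS):
        problems.append("contains a common word or name")
    if has_sequence(pw):
        problems.append("contains a keyboard or alphabetic sequence")
    if in_known_leak(pw):
        problems.append("appears in a known leak")
    return problems


def hash_for_storage(pw, salt=None):
    """Salted scrypt hash, stored as 'salthex$digesthex' (format is this example's choice)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(pw.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + "$" + digest.hex()


def verify(pw, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(pw.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return secrets.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("123456", "Summer2024!!", "Tr0ub4dor&3-Vx9q"):
        print(candidate, "->", check_policy(candidate) or "ok")
    record = hash_for_storage("Tr0ub4dor&3-Vx9q")
    print("verify:", verify("Tr0ub4dor&3-Vx9q", record), verify("123456", record))
```

Two design points: the leak check and the storage hash are deliberately different functions, because a fast digest is appropriate for matching against a breach feed but never for storing the password itself, and `verify` compares with `secrets.compare_digest` so that a rejected login takes the same time regardless of how many leading bytes matched.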