According to a comprehensive cybersecurity investigation, 94% of more than 19 billion compromised passwords, which are circulating on the dark web, are duplicated or reused across several accounts, leaving users susceptible to common credential-based attacks.
Cybernews cybersecurity researchers collated the data, which shows a growing plague of poor password practices and users’ continued reliance on predictable patterns.
The investigation revealed 19,030,305,929 actual passwords from more than 200 significant data breaches that occurred between April 2024 and April 2025.
Of the 19 billion compromised passwords, only 6% were unique, even after decades of public awareness initiatives. Strings like “123456” and “password” are still very common; the former appears on 338 million occasions.
Furthermore, more than 56 million contained the word “password,” and more than 53 million contained the word “admin.”
According to Neringa Macijauskaitė, an information security researcher at Cybernews:
“Despite years of security education, users still prefer shorter passwords because they are easier to type and memorize. It’s recommended to use at least 12 characters for a password.”
Additionally, the study found that 27% of passwords exclusively used lowercase letters and numbers, and 42% of passwords were just 8–10 characters long.
Although just 1% of passwords in 2022 combined capital and lowercase characters, digits, and symbols, the percentage increased to 19% in the most recent data, which is still far below what security experts consider to be appropriate.
Researchers noticed that places, seasonal phrases, popularly used names, and even profanity appeared frequently. The word “ana” appeared in around 179 million passwords, whereas the term “ass” appeared 165 million times, frequently as part of larger strings like “password.” With “Batman,” “Mario,” “Thor,” and “Joker” all appearing millions of times combined, pop culture allusions were also common.
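The composition checks behind the figures above (share of unique strings, 8–10 character length, lowercase-plus-digits only, all four character classes, and embedded words such as “password” or “admin”), as an added example that is not code from Cybernews or from the article; the sample passwords are constructed and the metric names are my own.

```python
import re
from collections import Counter

# Constructed sample of leaked passwords (not the Cybernews dataset);
# the repeated "123456" is deliberate so the reuse figure is non-trivial.
SAMPLE = [
    "123456", "123456", "password", "Password1", "admin2024",
    "batman99", "Summer2024!", "qwerty", "123456", "S3cure!Pass#2025",
]

# Words the study singled out as frequent components of weak passwords.
COMMON_WORDS = ("password", "admin", "batman", "mario", "thor", "joker")

CLASS_PATTERNS = {
    "lower": r"[a-z]", "upper": r"[A-Z]",
    "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]",
}

def char_classes(pw):
    """Set of character classes present in pw (lower/upper/digit/symbol)."""
    return {name for name, pat in CLASS_PATTERNS.items() if re.search(pat, pw)}

def audit(passwords):
    """Compute the study's headline metrics over a password list.

    Shares are fractions of the total count, mirroring the percentages
    the article reports: unique share, 8-10 characters, lowercase and
    digits only, all four character classes, and embedded common words."""
    total = len(passwords)
    counts = Counter(passwords)
    word_hits = Counter()
    for pw in passwords:
        low = pw.lower()
        for word in COMMON_WORDS:
            if word in low:
                word_hits[word] += 1
    return {
        "total": total,
        "unique_share": len(counts) / total,
        "len_8_to_10_share": sum(8 <= len(p) <= 10 for p in passwords) / total,
        # exclusively lowercase letters and/or digits: no upper case, no symbols
        "lower_digit_only_share": sum(bool(re.fullmatch(r"[a-z0-9]+", p)) for p in passwords) / total,
        "all_four_classes_share": sum(len(char_classes(p)) == 4 for p in passwords) / total,
        "most_common": counts.most_common(3),
        "word_hits": dict(word_hits),
    }

if __name__ == "__main__":
    for metric, value in audit(SAMPLE).items():
        print(f"{metric}: {value}")
```

Run against an organisation's own hash-cracking or breach-monitoring output, the same metrics show how far a user population sits from the study's averages.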
According to the paper, these predictable patterns make credential stuffing attacks, which involve testing stolen usernames and passwords across several accounts, easy for attackers to carry out. When billions of credentials are at stake, even a 0.2% success rate can endanger thousands of accounts.
Paul Walsh, CEO of cybersecurity firm MetaCert, underlined that SMS phishing is a growing, under-addressed attack vector exacerbating the issue.
Additionally, Walsh told Forbes that, according to a test conducted in March by major U.S. cell operators, “Every phishing message was still delivered. None were blocked, flagged, or rewritten.”
He continued:
“Criminals have already moved in full force, and the industry is failing to respond. The cybersecurity industry has no shortage of experts in email security… but when it comes to SMS infrastructure and security, there is a distinct lack of deep expertise.”
Researchers advise users to use password managers, turn on multi-factor authentication, and refrain from using the same password for several accounts. Organizations are advised to implement real-time credential leak detection technologies and audit their access systems.
As Macijauskaitė put it,
“We’re facing a widespread epidemic of weak password reuse… a breach in one system can compromise the security of other accounts.”