In an online world full of hackers, bots, and data breaches, many of us still treat passwords like casual acquaintances: forgettable, predictable, and recycled far too often. A new Cybernews study analyzing more than 19 billion leaked passwords found a disturbing pattern: only 6% of those passwords were unique, while the remaining 94% were duplicates or reused. Much of the damage that follows from a leak could have been prevented. If passwords are the keys to our digital lives, perhaps we should stop leaving them under the doormat.

The sheer volume of reused passwords has made credential stuffing a growing concern: attackers take username and password pairs stolen in one breach and replay them in bulk against other services, betting that victims reused the same credentials elsewhere. Even with success rates as low as 0.2%, a list of millions of leaked pairs yields thousands of hijacked accounts, especially when automated tools do the work. Cybernews researchers add that most passwords fall in the 8 to 10 character range and consist of simple combinations of lowercase letters and digits, which keeps the search space small and makes them particularly susceptible to brute-force attacks.
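To make the distinction concrete, here is an added example (not from the Cybernews study or the original article) of the detection logic a security operations team would run over authentication logs to spot credential stuffing: many distinct usernames attempted from one source with a tiny success rate, as opposed to a brute-force attack that hammers a single account. The log format, the IP addresses, the sample lines, and the thresholds are assumptions constructed for illustration.

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

Assumed log format (one attempt per line, constructed for this example):
    <timestamp> ip=<source> user=<username> result=OK|FAIL
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    hijacked: set = field(default_factory=set)   # usernames that logged in

    @property
    def success_rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_stuffing(lines, min_attempts=20, min_distinct_users=10,
                    max_success_rate=0.05):
    """Return {ip: SourceStats} for sources that look like credential stuffing.

    The signature is volume spread across many *different* accounts with a
    success rate in the low single digits or below. A brute-force attack on
    one account (one user, many attempts) deliberately does not match, and
    neither does a legitimate user mistyping a password a few times.
    """
    per_ip = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        s = per_ip[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "OK":
            s.successes += 1
            s.hijacked.add(rec["user"])
    return {
        ip: s for ip, s in per_ip.items()
        if s.attempts >= min_attempts
        and len(s.users) >= min_distinct_users
        and s.success_rate <= max_success_rate
    }


# Constructed sample log: one stuffing source (40 accounts, 1 success), one
# legitimate user who mistyped twice, and one single-account brute force.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d}Z ip=203.0.113.7 user=user{i:03d} result=FAIL"
     for i in range(39)]
    + ["2024-05-01T10:00:39Z ip=203.0.113.7 user=carol result=OK"]
    + ["2024-05-01T10:01:00Z ip=198.51.100.5 user=alice result=FAIL",
       "2024-05-01T10:01:05Z ip=198.51.100.5 user=alice result=FAIL",
       "2024-05-01T10:01:09Z ip=198.51.100.5 user=alice result=OK"]
    + [f"2024-05-01T10:02:{i:02d}Z ip=192.0.2.9 user=bob result=FAIL"
       for i in range(25)]
)

if __name__ == "__main__":
    for ip, s in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {s.attempts} attempts across {len(s.users)} users, "
              f"success rate {s.success_rate:.1%}, hijacked={sorted(s.hijacked)}")
```

Only the 203.0.113.7 source is flagged: forty attempts against forty different accounts with a single success, which is exactly the 0.2%-style hit rate the article describes scaled down to a sample. The single-account brute force from 192.0.2.9 fails the distinct-users test and belongs to a different rule. In production the same counters would be kept per source over a sliding window, and any account in the hijacked set should get a forced password reset and an MFA challenge.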

Common Passwords

The most frequently used passwords reveal a familiar pattern. Alongside “123456,” passwords such as “password” and “admin” each appeared tens of millions of times. The name “Ana” appeared 178.8 million times, and words like “love” and “freedom,” along with pop culture references such as “Batman,” “Mario,” and “Thor,” were also common. Even profanity is a popular choice: the word “ass” appeared 165 million times. The analysis also found frequent use of holiday words, foods, and city names, all of which give attackers predictable tokens to seed their wordlists. More than 10 million passwords contained “apple,” while “rice” and “orange” appeared in millions more. “Rome” was the most common city at 13 million uses, and “summer” topped seasonal words with 3.8 million.
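The two findings above, that most passwords are short lowercase-and-digit strings and that they are built from a small set of predictable tokens, translate directly into the kind of screening NIST SP 800-63B recommends: reject anything found in a breached-password list or composed of common words, and reason about the keyspace an attacker must search rather than about composition rules. The following is an added example, not code from the article or from Cybernews; the blocklist and token list are tiny constructed samples taken from the figures in the text, and the guess rate of 10 billion per second is an assumption standing in for a GPU cracking rig against a fast unsalted hash.

```python
"""Screen candidate passwords along the lines of NIST SP 800-63B (added example).

Rejects passwords found in a breached-password list or built from common
tokens, and estimates how long exhausting the password's keyspace would
take at an assumed guess rate.
"""
import string

# Constructed sample lists drawn from the article's figures; a real deployment
# loads a full breached-password corpus (hundreds of millions of entries).
BREACHED = {"123456", "password", "admin", "qwerty", "123456789", "12345678"}
COMMON_TOKENS = {"ana", "love", "freedom", "batman", "mario", "thor",
                 "apple", "rice", "orange", "rome", "summer"}

CLASSES = [
    ("lower", frozenset(string.ascii_lowercase)),
    ("upper", frozenset(string.ascii_uppercase)),
    ("digit", frozenset(string.digits)),
    ("symbol", frozenset(string.punctuation)),
]
ALL_CLASSED = frozenset().union(*(cls for _, cls in CLASSES))

# ASSUMPTION: 1e10 guesses/s stands in for a GPU rig against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e10


def alphabet_size(pw):
    """Size of the alphabet an attacker must search: the union of every
    character class the password touches (plus any stray characters)."""
    chars = set(pw)
    size = sum(len(cls) for _, cls in CLASSES if chars & cls)
    return size + len(chars - ALL_CLASSED)


def keyspace(pw):
    """Number of candidates of this length over this alphabet."""
    return alphabet_size(pw) ** len(pw)


def brute_force_seconds(pw, guesses_per_second=GUESSES_PER_SECOND):
    """Time to exhaust the keyspace at the assumed guess rate."""
    return keyspace(pw) / guesses_per_second


def screen(pw, min_length=8, max_crack_seconds=7 * 86400):
    """Return the reasons to reject pw; an empty list means accept."""
    reasons = []
    low = pw.lower()
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if low in BREACHED:
        reasons.append("appears in breached-password list")
    for tok in sorted(COMMON_TOKENS):
        if tok in low:
            reasons.append(f"contains common token {tok!r}")
    if brute_force_seconds(pw) < max_crack_seconds:
        reasons.append("keyspace exhaustible in under a week at the assumed guess rate")
    return reasons


if __name__ == "__main__":
    # "k7m2q9x4p1" is the article's typical case: 10 lowercase letters and digits.
    for pw in ["123456", "batman2024", "k7m2q9x4p1", "k7m2q9x4p1Z!"]:
        days = brute_force_seconds(pw) / 86400
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, ~{days:.3g} days to exhaust, "
              f"verdict: {screen(pw) or 'accept'}")
```

The numbers bear out the article's warning: a random 10-character lowercase-and-digit password lives in a keyspace of 36^10, about 3.7e15 candidates, which the assumed rig exhausts in roughly four days, and “batman2024” is rejected before the keyspace is even considered because of the token it contains. Adding one uppercase letter and one symbol grows the alphabet to 94 and pushes the exhaust time past a million years. A production screen would replace the six-entry blocklist with a full breached corpus (for example via a k-anonymity range lookup against a breached-password service) and would still store the accepted password with a slow, salted hash so that the guess-rate assumption above becomes far too optimistic for the attacker.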

History of Password Leaks and Their Impact

RockYou2021 (2021)

In June 2021, an 8.4 billion-entry password dump dubbed RockYou2021 was posted on a hacker forum. The data did not come from a single incident; it merged passwords from many older breaches and wordlists into one large file. A compilation of that size is especially useful for credential stuffing, in which attackers try stolen passwords across websites. In response, security professionals urged wider deployment of multi-factor authentication (MFA), broader use of password managers, and adoption of the refreshed NIST guidance (SP 800-63B) that favors long, unique passwords checked against known-breached lists over complexity rules and forced rotation.

COMB (2021)

The “Compilation of Many Breaches” (COMB), which surfaced in early 2021, exposed more than 3.2 billion email and password pairs gathered from earlier breaches of companies such as Netflix and LinkedIn. Because the data was neatly structured, attackers could feed it straight into automated phishing and credential-stuffing tooling. The leak added pressure for stricter enforcement of breach-notification rules under frameworks such as the GDPR and California’s CCPA, along with greater emphasis on security awareness training and tighter corporate data-protection policies.

Yahoo Breach (2013–14)

Yahoo suffered one of the most damaging single-organization breaches in history, affecting all 3 billion of its user accounts. The stolen data included hashed passwords, security questions, and backup email addresses. Disclosed in 2016, the breach damaged Yahoo’s reputation and cut its acquisition price in the Verizon deal. Afterwards, Yahoo forced password resets, moved to stronger password hashing and encryption, and was cited by the U.S. Securities and Exchange Commission (SEC) as it pressed for better corporate breach disclosure.

With the number of leaked credentials rising every day, experts caution that complacency about password security is no longer an option. It’s time to break free of lazy password habits and make secure ones routine rather than an afterthought. Cybersecurity is no longer just the IT department’s responsibility; it’s everybody’s business now.