In one of the biggest digital security shocks ever, cybersecurity researchers have revealed that over 19 billion passwords are now circulating online and only 6% of them are actually unique! According to a massive study by Cybernews, over 200 data breaches took place between April 2024 and April 2025, leading to a mind-blowing 19,030,305,929 real passwords being leaked online. Even more alarming 94% of these passwords were reused, either by the same person or across different users and platforms.
What’s worse? Most of these passwords are incredibly easy for hackers to crack. The analysis shows that 42% of passwords are only 8–10 characters long, and 27% use only lowercase letters and numbers, no special characters, no upper-case letters and absolutely no strength.
Neringa Macijauskaitė said, an information security researcher at Cybernews.
“Despite years of security education, users still prefer shorter passwords because they are easier to type and memorize. It’s recommended to use at least 12 characters for a password,”
Most Common Passwords Are Still Weak and Reused, Are You Making the Same Mistake?
The study highlights that people continue to use default, lazy, and guessable passwords. For example:
- 1234 was used in 4% of all passwords that’s 727 million passwords!
- 123456 appears in 338 million passwords.
- The word Password was used in 56 million passwords.
- Admin showed up in 53 million.
- These two passwords and 123456 have topped the worst password list since at least 2011.
Macijauskaitė said,
“The ‘default password’ problem remains one of the most persistent and dangerous patterns in leaked credential datasets. Attackers, too, prioritize them, making these passwords among the least secure.”
Cybersecurity experts are urging users not to reuse passwords across different websites or services. Doing so can lead to a dangerous chain reaction. We’re facing a widespread epidemic of weak password reuse.
Macijauskaitė explained
“If you reuse passwords across multiple platforms, a breach in one system can compromise the security of other accounts, creating a domino effect. Attackers constantly harvest the latest credential dumps from exposed info-stealers and recently cracked hashes available publicly.”
And it’s not just numbers or basic words. Many passwords are based on people’s names, with “Ana” being the most common found in 178.8 million passwords! When researchers compared the data with the 100 most popular names of 2025, they found that there’s an 8% chance that a name is used in a password.
Even swear words are common in leaked passwords. For instance:
- The F-word appeared in 16 million passwords.
- “Ass” was found 165 million times (mostly in words like password or pass).
Many users also pick passwords based on positive themes or pop culture references, thinking they’re easy to remember. But that’s exactly why they’re easy to hack. Macijauskaitė said,
“Positive associations, admired characters, and nostalgia make people feel familiar and are easy to recall. However, popularity becomes predictability, exploited by attackers,”
J
This is why I use a physical passkey whenever possible and 2FA everything else.
Hefeydd
The problem here is that the lazy people are those who can’t be bothered to create a strong password because their muscle memory for strong passwords is non-existent. These people are a security issue to themselves, and these ar3 5he papope who have a screen lock of 123456 or 223478. Or even worse, 000000 these people are @ danger to themselves.