A study of over 19 billion exposed passwords has revealed that only 6 percent of the leaked passwords were unique. The vast majority, 94 percent, were reused or duplicated, making them prime targets for cybercriminals.
Common keyboard patterns and easily guessed strings remain prevalent. The “123456” sequence still dominates, appearing in 338 million passwords, according to the Cybernews study.
Why It Matters
The scale of password breaches and the continued reliance on weak passwords have heightened concerns about “credential stuffing,” a tactic in which attackers use automated tools to test stolen credentials across multiple platforms.
Even breach success rates between 0.2 percent and 2 percent can still yield thousands of compromised accounts, according to Cybernews.
The most common password length is eight to 10 characters, and a significant portion contains only lowercase letters and digits, making passwords vulnerable to brute-force attacks.
Compared to just 1 percent in 2022, 19 percent of passwords now mix uppercase, lowercase, numbers, and symbols.

What To Know
The dataset analyzed included 19,030,305,929 passwords sourced from 200 cybersecurity incidents. These came from leaked databases, stealer logs, and combolists.
Paul Walsh, CEO of MetaCert, has emphasized another growing risk vector: phishing attacks targeting phones. He has urged cybersecurity companies to tackle SMS phishing with the same intensity as email security to help mitigate password leaks and breaches.
In an article published on Monday, Walsh told Forbes that MetaCert’s latest national SMS phishing test, carried out in March and including carriers such as AT&T, Verizon, T-Mobile and Boost Mobile, was concerning.
“Every phishing message was still delivered,” Walsh said. “None were blocked, flagged, or rewritten.”
Walsh has written an open letter to the cybersecurity industry asking why the SMS phishing problem wasn’t solved long ago.
What Are the Most Common Passwords?
Predictable patterns continue to dominate password choices. “123456” alone appears in 338 million of the passwords in the Cybernews study, while “password” and “admin” were used over 100 million times combined.
Users also often rely on names, with “Ana” appearing in 178.8 million instances. Positive words like “love,” “freedom,” and pop culture references such as “Batman” are also prevalent. Profanity, surprisingly, is common as well; “ass” alone shows up in 165 million passwords.
Some of the most frequently used pop culture terms in passwords included “Mario” (9.6 million), “Joker” (3.1 million), “Batman” (3.9 million), and “Thor” (6.2 million).
Additionally, seasonal words, food items, and cities frequently feature in password choices, leaving accounts vulnerable to attackers who exploit such predictability. Over 10 million of the passwords featured “apple,” 4.9 million “rice,” and 3.6 million “orange,” while 3.3 million opted for “pizza.”
The most popular city for passwords was “Rome” (13 million), while “summer” (3.8 million) was the most popular season.
What People Are Saying
Neringa Macijauskaitė, information security researcher at Cybernews: “We’re facing a widespread epidemic of weak password reuse. If you reuse passwords across multiple platforms, a breach in one system can compromise the security of other accounts.”
MetaCert CEO Paul Walsh told Forbes: “Criminals have already moved in full force, and the industry is failing to respond.”
“The cybersecurity industry has no shortage of experts in email security, endpoint protection, or network defense, but when it comes to SMS infrastructure and security, there is a distinct lack of deep expertise.”
What Happens Next
Researchers have urged individuals and organizations to boost password security by using password managers, enforcing minimum length and complexity standards, and enabling multi-factor authentication. Organizations are advised to regularly audit access controls, monitor for credential leaks, and adopt real-time detection solutions.