2 Remove Virus

Most 2025 passwords still weak and reused, study finds

A new analysis of nearly 19 billion passwords leaked between 2024 and early 2025 shows that password security among users remains extremely poor. Researchers found that about 94 percent of the passwords in the dataset were either reused or duplicated across multiple accounts. Only around six percent were unique.

The study revealed that users continue to rely on simple patterns, short lengths, and predictable sequences. The most common passwords included “123456”, “123456789”, “password”, and “qwerty”, all of which have appeared consistently at the top of global password breach lists for more than a decade. Experts note that such passwords can be cracked in seconds with automated tools.

According to the report, about 42 percent of all passwords analysed were between eight and ten characters long, with eight being the most common length. Roughly 27 percent contained only lowercase letters and numbers, offering little resistance to automated guessing attacks. Despite years of public awareness campaigns, users continue to prioritise convenience and memorability over security strength.

Researchers also found that many passwords combine personal information such as names, birthdays, or sports teams. These patterns make accounts even more vulnerable, since attackers often use dictionary-based methods that test common names and numerical combinations first. Passwords containing personal details are often compromised in the early stages of brute-force attempts, leaving accounts exposed.

Weak passwords persist

Analysts attribute continued reliance on weak passwords to habit and fatigue rather than ignorance. Many users underestimate the likelihood of being targeted directly, assuming that attackers focus only on large organisations. Others rely on similar passwords across services because they fear forgetting them. However, credential reuse remains one of the most damaging cybersecurity risks, since one breached account can unlock many others.

The study warns that this pattern allows attackers to launch “credential stuffing” campaigns, in which passwords from one breach are automatically tested across multiple websites. This technique is widely used to compromise email, banking, and social media accounts. Weak or reused passwords make it far easier for criminals to succeed without needing to bypass more advanced security controls.

Experts recommend several practical steps for users. First, every account should have a unique password that is long and complex, ideally at least twelve characters. Passwords should include uppercase and lowercase letters, numbers, and special characters. Second, users should enable multi-factor authentication whenever available, adding an extra layer of protection even if the password is stolen.

Password managers are also strongly recommended for creating and storing secure credentials. These tools generate random combinations that are nearly impossible to guess and eliminate the need to remember multiple long strings. In addition, services that notify users when their data appears in a known breach can help reduce exposure by prompting timely password changes.
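The recommendations above can be turned into a local audit. The following is an added example, not code from the study or this site: it flags passwords that are on the article's most-common list, shorter than twelve characters, missing a character class, or reused across accounts, and generates a compliant random replacement the way a password manager would. The function names, finding labels and sample vault are constructed for illustration.

```python
import secrets
import string
from collections import defaultdict

# The four most common passwords named in the article.
COMMON = {"123456", "123456789", "password", "qwerty"}
MIN_LENGTH = 12  # "ideally at least twelve characters"

def audit(accounts):
    """Map each account to a list of findings for its password."""
    owners = defaultdict(list)
    for account, pw in accounts.items():
        owners[pw].append(account)  # group accounts by password to spot reuse
    report = {}
    for account, pw in accounts.items():
        findings = []
        if pw.lower() in COMMON:
            findings.append("common")
        if len(pw) < MIN_LENGTH:
            findings.append("short")
        classes = (
            any(c.islower() for c in pw),
            any(c.isupper() for c in pw),
            any(c.isdigit() for c in pw),
            any(c in string.punctuation for c in pw),
        )
        if not all(classes):
            findings.append("missing-class")
        if len(owners[pw]) > 1:
            findings.append("reused")
        report[account] = findings
    return report

def generate(length=16):
    """Draw random passwords from a CSPRNG until one passes the audit."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not audit({"candidate": pw})["candidate"]:
            return pw

# Constructed sample vault: one common password, one reused pair, one generated.
VAULT = {
    "email": "qwerty",
    "bank": "Summer2024",
    "forum": "Summer2024",
    "shop": generate(),
}
```

Run this only on a machine you trust against an export you delete afterwards, since the audit needs the passwords in plaintext.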

Researchers note that many breaches stem from human behaviour rather than system flaws. Simple and repetitive passwords continue to appear across datasets each year, showing that awareness alone is not enough to change habits. Experts argue that consistent education, coupled with better integration of password managers and automatic security alerts, could help shift long-standing user patterns.

The 2025 data demonstrates that password reuse and simplicity remain major weaknesses in online security. Although companies continue to invest in stronger authentication systems, individuals must take greater responsibility for protecting their own accounts. Without meaningful behavioural change, the same weak passwords are likely to dominate future breach reports as well.