In a striking new cybersecurity analysis, Cybernews uncovered that a staggering 94% of passwords leaked in recent data breaches were reused or duplicated across different platforms. Drawing from over 19 billion exposed passwords gathered between April 2024 and early 2025, the study raises serious red flags about user habits and the continuing global failure to adopt stronger password hygiene, even after countless wake-up calls from massive data leaks.
The report emphasizes that despite growing awareness of cybersecurity threats, the vast majority of users still rely on predictable and overly simplistic password combinations. This creates a massive attack surface for cybercriminals who thrive on password reuse and predictable user behavior.
Key Findings
94% of leaked passwords were reused, meaning users repeated the same or slightly modified credentials across multiple accounts.
Only 6% of passwords were unique, underscoring the persistent problem of weak password practices.
The research analyzed over 19 billion passwords leaked across 200+ breaches, totaling more than 3 terabytes of compromised data.
Common entries included obvious passwords like “1234” (727 million uses), “123456” (338 million), “password”, “admin”, and short, weak phrases like “pass” or names like “Ana” (178.8 million uses).
Emotional or pop culture keywords appeared frequently, with “love” (87M), “joker” (3.1M), “batman” (3.9M), “thor” (6.2M), and even Disney’s “elsa” (2.9M) showing up regularly.
Profanity and slang were not spared: terms like “ass” (165M), “fuck” (16M), “shit” (6.5M), and “bitch” (3.2M) were alarmingly common.
Food names, brands, and cities were also overused. “pizza”, “apple”, “google”, “facebook”, and “rome” all featured prominently.
A modest improvement in password complexity was observed: passwords using mixed characters rose from 1% in 2022 to 19% in 2025.
The average password length fell within the 8–10 character range, with most containing only lowercase letters and numbers.
Recommendations include shifting to longer, unique passwords and enabling two-factor authentication (2FA).
What Undercode Say:
From a cybersecurity standpoint, these findings reveal an alarming stagnation in user behavior, despite overwhelming evidence that weak passwords are one of the top vectors for account compromise.
- Credential Stuffing Attacks Thrive: When users recycle passwords, attackers can use leaked credentials to access multiple accounts in a process called credential stuffing. This is especially dangerous with weak or obvious passwords. Once a single breach occurs, the domino effect can be devastating.
Corporate Security Still Vulnerable: Passwords like “admin” and “123456” suggest that even within enterprise environments, security hygiene is being ignored. Default or simplistic admin credentials often serve as the entry point in major data breaches.
Human Psychology at Play: The frequent appearance of names, emotions, food, pop culture, and profanity reveals how password creation is influenced more by familiarity and personal relevance than by security logic.
False Confidence in Minor Variants: Users often think adding a few characters or numbers to a weak base password makes it secure (e.g., “Password123” or “Ana1992”). In reality, these patterns are easily guessed or cracked using basic brute-force techniques.
5. Low Password Complexity Still Dominates: Even though
Most Leaked Passwords Are Easily Crackable: Passwords such as “sun”, “joy”, “freedom”, or “pizza” are not just simplistic; they also often lack entropy. Attackers using dictionary attacks can break into accounts within seconds if such terms are used.
Data Reuse Indicates Complacency: The study indicates not just laziness, but a widespread underestimation of personal risk. Users assume they won’t be targeted, yet automation allows hackers to target thousands of accounts in parallel.
Education Is Not Enough: Awareness campaigns alone are insufficient. Platforms need to enforce strong password policies and remove the option to use short or dictionary-based passwords entirely.
The Rise of 2FA Adoption: While not widespread, the growth in multi-factor authentication is encouraging. This should be made mandatory for all sensitive platforms, especially financial services and enterprise tools.
Behavioral Trends Must Be Broken: Until password selection becomes randomized or system-generated by default (such as via password managers), the trend of using familiar, sentimental, or offensive words will likely continue.
In short, password misuse is not just a user problem; it’s a systemic weakness that platforms must address aggressively. Repetition, predictability, and laziness remain the Achilles’ heel of digital security.
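One way a platform could enforce the policy argued for above, rejecting short passwords and minor variants of dictionary words at signup, shown as an added example that is not part of the Cybernews report or the original post. The blocklist is constructed from the passwords this article names; `MIN_LENGTH`, `candidate_bases` and `check_password` are hypothetical names and values.

```python
import re

# Constructed blocklist built from the passwords named in this article.
# A real deployment would load a full breached-password corpus instead.
COMMON_BASES = {
    "1234", "123456", "password", "admin", "pass", "ana", "love", "joker",
    "batman", "thor", "elsa", "pizza", "apple", "google", "facebook", "rome",
    "sun", "joy", "freedom",
}
MIN_LENGTH = 12  # assumed policy value, not a figure from the article

# Undo common character substitutions before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def candidate_bases(password):
    """Return the forms of the password that are compared to the blocklist."""
    lowered = password.lower()
    # Drop digits and symbols padded onto either end ("Ana1992" -> "ana").
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", lowered)
    return {lowered, core, core.translate(LEET), lowered.translate(LEET)}


def check_password(password):
    """Return a list of rejection reasons; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if password.isdigit():
        reasons.append("digits_only")
    if candidate_bases(password) & COMMON_BASES:
        reasons.append("common_base_word")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, including the variants quoted in the article.
    for pw in ["1234", "Password123", "Ana1992", "P@ssw0rd2024!!",
               "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

The length check alone would pass “P@ssw0rd2024!!”; it is the normalization step that maps it back to “password” and rejects it.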
Fact Checker Results
Claim Verified: 94% of leaked passwords in recent data sets were reused.
Sources Cross-Checked: Major breach data (Snowflake, SOCRadar) confirms high volumes of recycled credentials.
Accuracy: Password frequency lists match known breach pattern databases (e.g., Have I Been Pwned, RockYou2024).
Prediction
With AI-driven attacks and password-cracking tools becoming more sophisticated, we predict that reused or simple passwords will continue to be the leading cause of security breaches into 2026 and beyond. Unless platforms begin enforcing zero-tolerance policies for weak credentials and mandating multifactor authentication, the cycle of breaches, leaks, and account hijackings will only escalate.
We also foresee a rise in passkey adoption and biometric authentication as alternatives to passwords, especially in mobile-first regions. However, global transition will be slow, particularly in developing markets where education and enforcement lag behind.
References:
Reported By: timesofindia.indiatimes.com