Elyse Betters Picaro / ZDNET
Do you ever use “123456,” “admin,” or “password” as the password for a personal or work account? If so, you’re unfortunately not alone and are placing yourself and your employer at risk.
Also: 10 passkey survival tips: Prepare for your passwordless future now
Published last Friday by security news and research outlet Cybernews, a new study of more than 19 billion leaked passwords shows that people still rely on patterns that leave them vulnerable to attack and compromise.
For the study, Cybernews looked at credentials leaked from 200 different incidents over the past 12 months. Using various cyber intelligence tools, the outlet was able to determine such factors as password length, character composition, and the use of special characters and numbers.
The most common (and lazy) passwords still in use
Based on the analysis, lazy passwords such as “1234,” “123456,” “password,” and “admin” are still quite common. Cybernews found “1234” in almost 4% of passwords, more than 727 million. With two extra digits, “123456” appeared in 338 million passwords. Both “password” and “123456” have been among the most popular passwords since at least 2011.
Also: Why multi-factor authentication is absolutely essential in 2025
Cybernews
One problem is that many systems and products come with default passwords, such as routers with “admin” as both the username and password. Too many people never bother to change the defaults, even in a business or industrial environment, leaving their accounts and equipment vulnerable to attack.
Also: 7 password rules security experts live by in 2025 – the last one might surprise you
“The ‘default password’ problem remains one of the most persistent and dangerous patterns in leaked credential datasets,” said Neringa Macijauskaitė, information security researcher at Cybernews. “Entries for ‘password’ (56 million) and ‘admin’ (53 million) reveal that users overwhelmingly rely on simple, predictable defaults. Attackers, too, prioritize them, making these passwords among the least secure.”
Widespread epidemic
A whopping 94% of passwords were reused or duplicated, and among the more than 19 billion passwords examined, only 1 billion, or 6%, were considered unique and therefore relatively secure.
“We’re facing a widespread epidemic of weak password reuse,” Macijauskaitė said. “Only 6% of passwords are unique, leaving other users highly vulnerable to dictionary attacks. For most, security hangs by the thread of two-factor authentication — if it’s even enabled.”
Beyond the usual culprits, other words and terms often pop up as passwords. Many people choose a name as their password or at least as part of it. The name “Ana” appeared in 1% of leaked passwords, or 178 million. Pop culture is also a popular theme. Cybernews uncovered millions of people with passwords such as “Mario,” “Joker,” “Batman,” and “Thor.”
Positive words like “love,” “dream,” “joy,” and “freedom” were found in millions of passwords. On the flip side, profanity finds its way into passwords, with several curse words used by millions of people.
Also: Biometrics vs. passcodes: What lawyers say if you’re worried about warrantless phone searches
Other frequently used passwords include countries, cities, US states, food, popular brands, nature, animals, and seasons or months. Among cities, the most popular password is “Rome.” In the animal kingdom, “lion” and “fox” are common. Many people choose food or drink for passwords, with top choices such as “Tea,” “Apple,” “Rice,” “Banana,” and “Orange.”
Next, Cybernews found that many people (42%) use 8- to 10-character passwords, with eight characters being the most popular. This is likely because many online systems don’t allow passwords shorter than eight characters. Around 27% use only lowercase letters and numbers, not uppercase letters or special characters.
Devising a weak password or reusing the same one is quick and simple — and easy to remember. But at what cost?
The simpler and more common the password, the less effort cybercriminals spend cracking it. Past studies have found that certain passwords can be cracked in less than a minute. Hackers who capture a password from one site will try it at other sites. That leaves you, all your accounts, and even your company exposed to compromise.
Also: The best password managers: Expert tested
“The prevalence of weak, reused, and simple passwords across platforms significantly increases the risk of cyberattacks,” Macijauskaitė added. “If you reuse passwords across multiple platforms, a breach in one system can compromise the security of other accounts, creating a domino effect. Even without any compromise, hackers can exploit common password patterns.”
How to better protect yourself and your company
With passwords still necessary and still difficult to create and use, what can you do to better protect yourself and your company? Cybernews offers several tips.
- Use a password manager. Such tools can automatically create, store, and apply strong passwords for every account and site you use.
- Use strong and complex passwords. Make sure that your password has at least 12 characters and that it includes lowercase and uppercase letters, numbers, and at least one special character. Avoid using any common or recognizable words, names, or other strings.
- Enable multi-factor authentication. Set up MFA whenever and wherever it’s available. This form of authentication provides a second layer of security. Even if your password is stolen, the attacker can’t access your account without the necessary MFA code.
- Enforce password policies. Organizations should enforce policies that require passwords of at least 12 characters with a mix of uppercase and lowercase letters, numbers, and special characters.
- Review access controls. Organizations should regularly review their access controls and run security audits. Shore up any weaknesses you find to reduce the chances of credentials and data being leaked.
- Monitor for credential leaks. Organizations should use the right tools and technologies to detect leaked credentials in real time. You can then block access or require new passwords for any targeted accounts.
Get the morning’s top stories in your inbox each day with our Tech Today newsletter.
