Study reveals alarming trends in password creation
May 13, 2025
World Password Day: Study reveals alarming trends in password creation

Over 90% of users still opt for weak choices.

Cybersecurity researchers have revealed troubling findings about how people create their passwords. In a study of over 19 billion passwords, the researchers discovered that 94% are weak, reused, or simple, making them highly vulnerable to hacking attempts.

The findings coincide with World Password Day, which is on May 1, 2025.

World Password Day is a day dedicated to raising awareness about the importance of password security and promoting good password practices to enhance online security.

The research highlights common patterns users continue to rely on, even in 2025, despite widespread awareness of cybersecurity risks. The results underscore the ongoing challenge of combating weak password habits and the urgent need for better security practices.

Cybernews, a cybersecurity platform, conducted an in-depth analysis of over 19 billion exposed passwords from recent data leaks, examining how people choose their credentials.

Of the 19,030,305,929 passwords in the dataset, only 1,143,815,266 (about 6%) were identified as unique. This glaring lack of originality in password creation is a key factor making millions of accounts vulnerable to brute-force and dictionary attacks.

“Default” passwords

One of the study’s most concerning findings is the persistence of “default” passwords, such as “password” and “admin,” which continue to dominate the landscape of leaked credentials. These passwords are among the most commonly found in recent data breaches.

“The ‘default password’ problem remains one of the most persistent and dangerous patterns in leaked credential datasets,” said Neringa Macijauskaitė, an information security researcher at Cybernews. The study revealed that 56 million passwords used “password,” while 53 million used “admin.” Despite years of warnings, users rely on these simple, predictable passwords, which cybercriminals often target first.

The analysis also shed light on the length and composition of passwords. Most people, 42%, use passwords between 8 and 10 characters long, with eight characters being the most popular choice.

Almost a third (27%) of passwords consisted only of lowercase letters and digits, while 19% included a mix of uppercase and lowercase letters and numbers but lacked special characters. This suggests that many users still opt for shorter and simpler passwords, which are more easily cracked by attackers using automated tools.

While using uppercase letters, numbers, and special characters has become more common, the study found that many passwords still fail to meet the recommended complexity. Researchers noted a slight improvement, with 19% of passwords now using a mix of characters, compared to just 1% in previous studies. However, this remains a small step in addressing a widespread issue that continues to leave users vulnerable to attacks.

Interestingly, the study also highlighted the most commonly used themes in password creation. Names, animals, food, and pop culture references were prevalent. For instance, “Ana” was the most frequently used name in passwords, appearing in nearly 179 million entries.

The study also found that users frequently turned to positive words for inspiration, such as “love” (87 million uses), “dream” (6.1 million), and “freedom” (2 million). However, the popularity of such common terms can make passwords easier for attackers to guess.

Pop culture references were also common. For example, characters like Mario (9.6 million), Joker (3.1 million), and Elsa from Disney’s Frozen (2.9 million) appeared frequently in passwords. Though familiar and easy for users to remember, these references create an easy path for attackers who exploit predictable patterns.

Profanity was another surprising theme found in many passwords. Words like “ass,” which appeared in 165 million passwords, and other offensive terms were widely used, despite their potential to weaken security. “Passwords built from profane or offensive words might seem rare, but they are very common in practice,” said Macijauskaitė. Many users seem to personalise their passwords using offensive language, but these passwords are vulnerable to attacker wordlists, which include common profanities.

The study also highlighted the dangerous practice of reusing passwords across multiple platforms. This habit significantly increases the risk of cyberattacks, especially when users use weak or default passwords. A breach in one system can expose various accounts, allowing attackers to exploit repeated passwords across platforms.

Researchers pointed out that hackers often conduct credential-stuffing attacks, using automated tools to try large volumes of leaked usernames and passwords across different websites.

Even if the success rate is as low as 0.2%, the sheer volume of attempts makes these attacks profitable.

Over 36 million passwords from the study included references to food, with “tea” being the most popular, followed by “apple” and “rice.” Meanwhile, 25.9 million passwords, including “Google,” show how commonly used brands and platforms are incorporated into password creation.

Action urged

Experts call for stronger password practices and improved security measures due to the widespread use of weak passwords. The Cybernews researchers recommend several strategies for individuals and organisations to follow. The first step is to use password managers, which can generate and store unique, strong passwords for each service. This reduces the temptation to reuse passwords and ensures each account is properly secured.

Additionally, experts advise against using easily guessable information, such as names, months, or popular terms. A strong password should be at least 12 characters long and contain a mix of uppercase letters, lowercase letters, numbers, and special characters. Users should also enable multi-factor authentication (MFA) wherever possible, adding an extra layer of protection.

Organisations, too, have a role to play in promoting stronger password hygiene. They should enforce policies that require longer, more complex passwords and regularly audit their security systems to identify potential weaknesses. Moreover, using data hashing algorithms and detecting credential leaks in real-time can help mitigate the impact of exposed passwords.
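As an added illustration (not code from Cybernews or from this article), the Python sketch below shows how an organisation could check a candidate password at set time against the recommendations above: at least 12 characters, all four character classes, and none of the common terms the study reports. The term list is a small subset taken from the article, and the character-substitution table is an assumption added so that variants such as “P@ssw0rd” are still recognised.

```python
import re

MIN_LENGTH = 12  # minimum length recommended in the article

# Terms the article reports as common in leaked passwords. Very short ones
# ("tea", "ana") are left out because they match inside unrelated strings.
COMMON_TERMS = ("password", "admin", "love", "dream", "freedom", "mario",
                "joker", "elsa", "apple", "rice", "google")

# Assumption (not from the article): reverse a few common character
# substitutions before matching terms.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def audit_password(candidate: str) -> list[str]:
    """Return policy findings for one candidate; an empty list means it passes."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASSES.items():
        if not pattern.search(candidate):
            findings.append(f"no {name} character")
    # Match terms as typed and after reversing substitutions, so that
    # "P@ssw0rd" is still recognised as "password".
    lowered = candidate.lower()
    variants = {lowered, lowered.translate(LEET)}
    for term in COMMON_TERMS:
        if any(term in variant for variant in variants):
            findings.append(f"contains common term '{term}'")
    return findings


def audit_many(candidates):
    """Map each candidate to its findings."""
    return {c: audit_password(c) for c in candidates}


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any leak.
    samples = ["admin", "P@ssw0rd2025!", "Mario1985", "vT9#qLr2!xWz7u"]
    for pw, issues in audit_many(samples).items():
        print(f"{pw!r}: {'OK' if not issues else '; '.join(issues)}")
```

A check like this belongs at the point where a password is set or changed, where the plaintext is available; it complements, rather than replaces, leak detection and MFA.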

The findings of this study illustrate the ongoing struggles with weak password habits, despite years of awareness campaigns and educational efforts. The results indicate a pressing need for stronger security practices and more widespread adoption of advanced authentication methods.

With attackers continuing to exploit weak passwords, it is clear that individuals and organisations must take responsibility for improving their password hygiene. The battle against weak passwords is far from over, and the need for more secure practices has never been more urgent.

Image: The study highlighted the dangerous practice of reusing passwords across multiple platforms. Credit: Tima Miroshnichenko

Arnold Pinto

Arnold Pinto is an award-winning journalist with wide-ranging Middle East and Asia experience in the tech, aerospace, defence, luxury watchmaking, business, automotive, and fashion verticals. He is passionate about conserving endangered native wildlife globally. Arnold enjoys 4x4 off-roading, camping and exploring global destinations off the beaten track. Write to: arnold@menews247.com