09 May 2025

Over 19 Billion Leaked Passwords Expose Digital Security Crisis

Cybersecurity study reveals alarming trends in password usage and security practices

In a shocking revelation that underscores the ongoing issues of digital security, cybersecurity researchers have discovered that over 19 billion passwords are circulating online, with a staggering 94% of them being reused across various accounts and services. This massive analysis, conducted by Cybernews, examined more than 200 data breaches that occurred between April 2024 and April 2025, leading to the exposure of 19,030,305,929 real passwords.

What’s even more alarming is that only 6% of these leaked passwords were unique, highlighting a widespread epidemic of weak password reuse. The findings indicate that many users continue to rely on default, easy-to-guess passwords, making it easier for hackers to gain unauthorized access to sensitive information.

According to Neringa Macijauskaitė, an information security researcher at Cybernews, “Despite years of security education, users still prefer shorter passwords because they are easier to type and memorize. It’s recommended to use at least 12 characters for a password.” This advice is crucial, especially given that 42% of the leaked passwords were only 8-10 characters long, and 27% contained only lowercase letters and numbers, lacking any special characters or mixed-case variations.

The analysis revealed some of the most commonly used passwords, which are alarmingly simple and predictable. For instance, the sequence “1234” was found in nearly 4% of all passwords, amounting to over 727 million instances. When the sequence is expanded to “123456,” it appears in an additional 338 million passwords. Other frequently used passwords included “Password,” which was found in 56 million passwords, and “admin,” appearing in 53 million.

Macijauskaitė noted, “The ‘default password’ problem remains one of the most persistent and dangerous patterns in leaked credential datasets. Attackers, too, prioritize them, making these passwords among the least secure.” This ongoing issue emphasizes the need for users to take password security seriously.

Furthermore, the research indicated that many passwords are based on people’s names, with “Ana” being the most common name found in a staggering 178.8 million passwords. The researchers cross-referenced the dataset with the 100 most popular names of 2025, finding an 8% chance that a name is used in a password. This reliance on personal names makes passwords even more vulnerable to hacking attempts.

Interestingly, the study also highlighted the use of profanity in passwords. The F-word appeared in 16 million passwords, while the term “ass” was found an astonishing 165 million times. Such choices reflect a troubling trend where users opt for memorable but insecure options.

In an effort to better understand password creation habits, Cybernews analyzed the use of positive concepts and pop culture references. Dominating their positive wordlist were terms like “love” (87 million), “Batman” (34 million), “dream” (6.1 million), “joy” (6.9 million), and “freedom” (2 million). Popular culture terms such as “Mario” (9.6 million), “Joker” (3.1 million), “Thor” (6.2 million), and “Elsa” from Disney's “Frozen” (2.9 million) were also prevalent.

Macijauskaitė explained the psychology behind these choices: “Positive associations, admired characters, and nostalgia make people feel familiar and are easy to recall. However, popularity becomes predictability, exploited by attackers.” This insight reveals the dual nature of password selection, where familiarity can lead to insecurity.

To combat these alarming trends, cybersecurity experts recommend several strategies for creating stronger passwords. Firstly, using password managers can help generate and store unique, strong passwords for every service, reducing the temptation to reuse passwords across different platforms. Additionally, users should avoid reusing passwords entirely and ensure their passwords are at least 12 characters long, incorporating a mix of uppercase and lowercase letters, numbers, and special symbols.

Moreover, enabling multi-factor authentication (MFA) wherever possible adds an extra layer of security, minimizing the risk of unauthorized access even if passwords are compromised. Organizations are also encouraged to enforce password policies that require complexity and length, ideally aiming for passwords of at least 16 characters.
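As an added illustration (not code from Cybernews or the study), the sketch below shows how an organization could screen a candidate password at set or reset time against the patterns this article reports: the 12-character minimum, the four character classes, and the common embedded words and sequences. The token list is taken from the article's examples; the function names, the leetspeak folding table and the sample passwords are assumptions constructed for the example.

```python
import re

# Words and sequences the article reports inside leaked passwords (lowercased).
COMMON_TOKENS = ["1234", "password", "admin", "ana", "love", "batman", "dream",
                 "joy", "freedom", "mario", "joker", "thor", "elsa"]
MIN_LENGTH = 12  # minimum length recommended in the article

# Assumption: a small illustrative substitution table so that "P@ssw0rd"
# is still recognised as containing "password".
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "!": "i"})


def audit_password(candidate: str) -> list[str]:
    """Return policy findings for one candidate; an empty list means it passed."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append("too_short")

    classes = {
        "lower": bool(re.search(r"[a-z]", candidate)),
        "upper": bool(re.search(r"[A-Z]", candidate)),
        "digit": bool(re.search(r"\d", candidate)),
        "symbol": bool(re.search(r"[^A-Za-z0-9]", candidate)),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append("missing_classes:" + ",".join(missing))

    # Match tokens against both the plain lowercase form and the folded form,
    # because folding digits would otherwise hide sequences such as "1234".
    lowered = candidate.lower()
    folded = lowered.translate(LEET)
    hits = sorted(t for t in COMMON_TOKENS if t in lowered or t in folded)
    if hits:
        findings.append("common_token:" + ",".join(hits))
    return findings


def audit_many(candidates):
    """Audit several candidates and map each one to its findings."""
    return {c: audit_password(c) for c in candidates}


# Constructed sample inputs, not taken from any leak.
SAMPLES = ["admin1234", "P@ssw0rd2025!", "Batman4ever", "v7#Kq!zR2m$Lx9Tb"]

if __name__ == "__main__":
    for pw, findings in audit_many(SAMPLES).items():
        print(f"{pw!r}: {'OK' if not findings else ', '.join(findings)}")
```

Note that "P@ssw0rd2025!" satisfies the length and character-class rules and is rejected only by the common-token check, which is why a complexity policy alone does not address the predictability the study describes.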

Organizations should implement adequate data hashing algorithms and configurations while continuously reviewing existing security standards surrounding data transit and storage. Regularly reviewing access controls and performing security audits can significantly enhance a company’s security posture and reduce the risk of users’ data being leaked.

Lastly, monitoring and reacting to credential leaks is essential. Organizations should adopt tools and platforms capable of detecting leaked credentials in real time, allowing them to block access or require resets for affected accounts instantly. Such proactive measures are crucial in today’s digital landscape.

As the findings from Cybernews illustrate, the digital security landscape remains fraught with challenges. With millions of passwords still relying on weak patterns and easily guessable sequences, users must take responsibility for their online security. By adopting stronger password practices and encouraging others to do the same, we can collectively improve our defenses against cyber threats.