After studying 19 billion passwords, one big problem: Over 90% are terrible

Shawn Knight

TL;DR: A new study analyzing more than 19 billion passwords exposed in data breaches between April 2024 and 2025 has found that the vast majority are weak. Alarmingly, only six percent of the leaked passwords were unique, leading the researchers to describe a widespread epidemic of reusing weak passwords.

Researchers with Cybernews found that the largest group of users (42 percent) chose passwords eight to 10 characters long, and that more than a quarter of the passwords analyzed (27 percent) consist only of lowercase letters and digits. Most online systems require passwords to be at least eight characters long; without that requirement, many people would no doubt opt for even shorter ones.

Other popular trends include the use of common names, curse words, cities, countries, foods, and animals in passwords.

Despite decades of education on the topic, password security is clearly still a major issue that largely boils down to laziness. Creating a unique, strong password isn't difficult at all; remembering it is. Unless you physically write them down, it is next to impossible to remember a unique, strong password for every account you own.

Instead, many fall back on "default" passwords to secure their online accounts. For example, the sequence "1234" appeared in more than 727 million of the passwords the team analyzed, "password" in 56 million and "admin" in 53 million. The problem, of course, is that attackers prioritize exactly these strings when building the word lists they use to crack passwords, so a password containing one of them is among the first to fall.

There are several viable ways to strengthen online accounts, including password managers and two-factor authentication, but using them takes extra work, which brings us back to the laziness problem.

The study looked at 19,030,305,929 passwords, 213 GB worth, gathered from around 200 security incidents dating back to April 2024. The data was then filtered and anonymized so that no personally identifiable information could be gleaned from it.

 
a major issue that largely boils down to laziness
Okay, way to ruin a moderately good article.

Laziness is not really at the core of the issue. Maybe it is a factor, but the underlying issue is the ability to remember a uniquely strong password (preferably for every website). That is not a practical thing that humans do. The data is talking about 8 Billion (with a B) passwords that are not good enough. Passwords are a crutch that were an easy solution from decades ago.

We have all been there, trying numerous times to remember the right password only to be locked out of your account. Sure, sometimes there is a "forgot password" you can try, but then you just have to create another new password. God forbid you lock your account and you actually have to call someone to fix it (Apple or Verizon).

Sure, password managers are a moderately good solution. I have been using one for years and try to get all my family members and friends to use one. However, you now have to have one for every computer or phone you have. For me, between work and home, that is a lot and a real pain to always have to open up an app or browser plugin every time I want to log in, which is pretty much every website nowadays. BitWarden does a really good job, but even then there are times, especially on my iPhone, that I can't get it to work correctly. I am forced to try to open the app or go to my computer and try to find the login and password, then manually copy it.

Obviously, the tech industry is working to resolve this with a variety of solutions. It is still a scattershot of things right now, which in some ways makes it worse. Do I get a text? Do I have to have some special key saved to my computer/phone, CAPTCHAs, face id, finger print, etc.......????
 
I can't wait until I can log in using a scan of my colon.
 
I'd say the only lazy thing about passwords these days are the IT engineers (or higher-ups) thinking that a short password with forced human-unreadable qualities makes a good password.

I'll never tire of referencing this:
[image: password_strength_2x.png]

And yes, using common words/phrases is not going to help against a dictionary attack, but forcing these arbitrary rules just needs to stop. It just makes people take more shortcuts to remember stuff.
 
What do you expect? With so many reading, spelling and doing math at a third grade level why would anyone expect long and hard to recall passwords to be the norm?
 
Though I would enjoy it if they did, people don't need to know how to spell.

The stark-*** majority of people don't nor need to do math. They may do some light accounting.

Reading in the US, perhaps. Oh wait, but US es da best! And your ******* falls out in your befuddlement.
 
Yes, the password requirement administrators should stop imposing their rigid so-called minimum set of must-include characters and maximum limit.

Allowing people to create passwords with ANY character, including spaces, will be a much better option than following a strict set of rules. These rules can be used as a template to crack the passwords themselves.
 
Yes people need to know how to spell and do math. The USA is exceptional
 
Currently using:
-Passkeys for Amazon, Google and Microsoft.
-Unique 12+ character passwords including symbols, upper and lower case and numbers for all passwords.
-Passwords backed up externally.
-No 2FA involving my phone in case it's not accessible to me.

I still need to change my default router username and password. Will probably do it tomorrow. I enjoyed not having to input the wifi password again for my devices after a reset, but a new wifi credentials backup feature available on my router will make that easier to recover from the next time it happens. It's a TP-Link router too. 😬
 
Yes, the password requirement administrators should stop imposing their rigid so-called minimum set of must-include characters and maximum limit.

Allowing people to create passwords with ANY character, including spaces, will be a much option than following a strict set of rules. These rules can be used as a template to crack the passwords themselves.
The issue is they have to. Regulations like PCI, HIPAA and many others.

As someone who is charged with implementing these "arbitrary" rules that users hate, we have no choice. It's forced on us too, and we largely think it's crap too.

Anyone thinking a password is saving them or protecting them no matter how complex has already lost the game.

Even 2FA is easy to circumvent given the proper tools and knowledge.

Everyone in the industry worth their salt that I personally know is pushing for 2 factor, but it's something you own and something you ARE. So it could be a password or your phone, but it would also need to be a biometric of some sort. Compounded with things like device trust, where even with those things access would be denied if the system isn't "known" by the domain, is where we need to be.

Passwordless is the future.

And when it comes to privilege, zero standing privilege folks!
 
Yes people need to know how to spell and do math. The USA is exceptional
No matter how much you would like to change the conversation on this subject to USA, USA, USA, no one needs a degree in spelling or a degree in mathematics to successfully manage passwords, @RudyBob. The graphic posted by @m4a4 clearly states all that is necessary.
 
I'd say the only lazy thing about passwords these days are the IT engineers (or higher-ups) thinking that a short password with forced human-unreadable qualities makes a good password.

I'll never tire of referencing this:
[image: password_strength_2x.png]

And yes, using common words/phrases is not going to help against a dictionary attack, but forcing these arbitrary rules just needs to stop. It just makes people take more shortcuts to remember stuff.
All this is good. However, I disagree about the dictionary attack angle. A dictionary attack can be circumvented by stringing together multiple words. Certainly, one common word as a password can be defeated in a dictionary attack, but multiple words strung together add up to a substantially different number of combinations, as the "correcthorsebatterystaple" phrase indicates. That, as a password, has 44 bits of entropy and would take a long time to hack, as I am sure you know.

Here's a site I have found useful for determining how difficult any password is to hack https://www.grc.com/haystack.htm That site also does a good job of explaining entropy.
 
You could make it even longer and throw in some numbers and punctuation and it would still be just as easy to remember. "In1997DanielandIwentsurfinginHawaii!" Trouble is coming up with a different sentence for every account you have. Personally I just use KeePass then I only have to remember a single password.
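The arithmetic behind the two posts above, as an added example that is neither commenter's code: log2 of the keyspace gives the bits, four words drawn uniformly from a 2048-word list give the 44 bits cited, and an inclusion-exclusion count shows how much of an 8-character keyspace a must-include-every-class rule removes, which is what a cracker exploits when it treats the rule as a template. The 95-character printable ASCII alphabet, the 2048-word list and the 1e9 guesses/second rate are assumptions of the example, not figures from the thread.

```python
"""Added example, not from either commenter: keyspace and entropy arithmetic for
passphrases versus composition-rule passwords. Class sizes are printable ASCII
(95 characters); the 2048-word list is the assumption behind 11 bits per word."""
import math
from itertools import combinations

LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 33  # 95 printable ASCII characters
ALL_CLASSES = (LOWER, UPPER, DIGIT, SYMBOL)


def passphrase_bits(words, wordlist_size=2048):
    """Entropy of `words` words chosen uniformly at random from a `wordlist_size` list."""
    return words * math.log2(wordlist_size)


def free_keyspace(length, alphabet=95):
    """Number of `length`-character strings with no composition rule at all."""
    return alphabet ** length


def must_include_all_keyspace(length, classes=ALL_CLASSES):
    """Number of `length`-character strings over the union of `classes` that use
    every class at least once: inclusion-exclusion over the set of omitted classes."""
    total = 0
    for k in range(len(classes) + 1):
        for omitted in combinations(range(len(classes)), k):
            alphabet = sum(c for i, c in enumerate(classes) if i not in omitted)
            total += (-1) ** k * alphabet ** length
    return total


def bits(keyspace):
    """Entropy in bits of a uniform choice among `keyspace` possibilities."""
    return math.log2(keyspace)


def average_crack_seconds(keyspace, guesses_per_second):
    """Average-case time to hit a uniformly chosen secret: half the space is searched."""
    return keyspace / 2 / guesses_per_second


if __name__ == "__main__":
    gps = 1e9  # assumed offline guess rate; a rate-limited online login is many orders slower
    rows = [
        ("8 chars, any printable", free_keyspace(8)),
        ("8 chars, all 4 classes required", must_include_all_keyspace(8)),
        ("4 words from 2048-word list", 2 ** passphrase_bits(4)),
        ("5 words from 2048-word list", 2 ** passphrase_bits(5)),
    ]
    for label, space in rows:
        days = average_crack_seconds(space, gps) / 86400
        print(f"{label:32s} {bits(space):5.1f} bits  {days:12.1f} days at {gps:.0e} guesses/s")
```

The must-include rule costs roughly one bit at length 8, so it helps a cracker only marginally; the variable that dominates any cracking-time figure is the assumed guess rate, which differs by many orders of magnitude between a rate-limited online login and an offline attack on a leaked fast hash, so a "how long to hack" number is meaningless until that rate is stated.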
 