Campus ID News
Card, mobile credential, payment and security

New study shows password crisis worsening as weak and reused credentials remain dominant

Just 6% of all passwords considered secure against common attack vectors

CampusIDNews Staff || May 09, 2025

A new study by the Cybernews research team examined a dataset containing more than 19 billion passwords made public in recent breaches. The goal was to determine the number of weak vs. strong and unique vs. reused passwords.

The results were far from encouraging.

Researchers looked at exposed credentials from about 200 breaches that occurred between April 2024 and April 2025.

Passwords containing ultra-common terms like “password”, “admin”, and “123456” remain the most common.

One researcher called it an epidemic of weak password reuse, with just 6% of passwords being unique. For the other 94% of weak or reused passwords, the only defense against dictionary attacks is two-factor authentication.

Despite a decade-long effort to educate users about password security, there has been little progress.

Common terms, short passwords prevalent

Users included “1234” in 4% of all passwords. “Password” and “123456” have been the most common passwords throughout the 2010s and 2020s.

People's names were the second most prevalent component. The 100 most popular names of 2025 were included in 8% of all passwords. Common words like “love” and pop culture terms like “batman” were also heavily reused.

42% of all passwords are between 8 and 10 characters, but experts say 12 characters is the minimum to ensure security.

Most people use eight-to-ten-character passwords (42%), with eight the most popular.

One-third (27%) contain only lowercase letters and digits, significantly increasing vulnerability.

But this is changing.

Research from 2022 found that only 1% of passwords used a mix of lowercase, uppercase, numbers, and symbols. This 2025 study found that number has grown dramatically to 19%, likely due to stricter platform requirements.

Protecting your accounts

In addition to researchers, attackers have access to these password lists and many others. As new breaches occur, they add to their lists and continually refine attacks.

Weak, reused, and obvious passwords increase your chances of falling victim to an attack. If you reuse passwords across multiple services and accounts, a breach in one system can compromise other accounts.

More than one-quarter of the passwords contain only lowercase letters and digits, rather than the recommended mix of uppercase, lowercase, digits, and special characters.

All users should take steps to improve their password habits.

  • Use a password manager.
  • Never reuse passwords, and make sure each one is at least 12 characters long and includes a mix of all character types.
  • Use multi-factor authentication (MFA).
  • Set up password policies within your organization to meet these requirements.
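
As an added illustration (not code from the article or the Cybernews study), the sketch below shows how an organizational password policy could check new passwords against the recommendations above at the moment they are set. The function names are hypothetical, and the short `COMMON_TERMS` list uses only the terms named in the article as a stand-in for a full breached-password list.

```python
import string
from collections import Counter

# Terms the article names as common password components; a real deployment
# would load a much larger breached-password list (assumption).
COMMON_TERMS = ("password", "admin", "123456", "1234", "love", "batman")
MIN_LENGTH = 12  # minimum length cited in the article
CLASS_TESTS = {"lower": str.islower, "upper": str.isupper,
               "digit": str.isdigit,
               "symbol": lambda c: c in string.punctuation}


def char_classes(pw):
    """Return the set of character classes present in pw."""
    return {n for n, test in CLASS_TESTS.items() if any(map(test, pw))}


def violations(pw, use_count=1):
    """List the reasons pw fails the article's recommendations."""
    found = []
    if len(pw) < MIN_LENGTH:
        found.append("too_short")
    missing = set(CLASS_TESTS) - char_classes(pw)
    if missing:
        found.append("missing:" + ",".join(sorted(missing)))
    lowered = pw.lower()
    hits = [t for t in COMMON_TERMS if t in lowered]
    if hits:
        found.append("common_term:" + hits[0])
    if use_count > 1:
        found.append("reused")
    return found


def audit(passwords):
    """Map each distinct password to its violations, counting reuse."""
    counts = Counter(passwords)
    return {pw: violations(pw, n) for pw, n in counts.items()}


# Constructed sample input, not taken from the study's dataset.
SAMPLE = ["password1", "batman2025", "Summer2025", "password1",
          "t7#Qm!zR4vLp@9xW"]

if __name__ == "__main__":
    for pw, problems in audit(SAMPLE).items():
        print(pw, "->", problems or "ok")
```

A check like this belongs at password-change time, when the plaintext is briefly available; stored credentials should remain hashed.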