Campus ID News
Card, mobile credential, payment and security
FEATURED
PARTNERS
Password written on sticky note

New study shows password crisis worsening as weak and reused credentials remain dominant

Just 6% of all passwords considered secure against common attack vectors

CampusIDNews Staff   ||   May 09, 2025  ||   

A new study by the Cybernews research team examined a dataset containing more than 19 billion passwords made public in recent breaches. The goal was to determine the number of weak vs. strong and unique vs. reused passwords.

The results were far from encouraging.

Researchers looked at exposed credentials from about 200 breaches that occured between April 2024 and April 2025.

Passwords containing ultra-common terms like “password”, “admin”, and “123456” remain the most common.

One researcher called it an epidemic of weak password reuse, with just 6% of passwords being unique. For the other 94% of weak or reused passwords, the only defense against dictionary attacks is two-factor authentication.

Despite a decade-long effort to educate users about password security, there has been little progress.

Common terms, short passwords prevalent

Users included “1234” in 4% of all passwords. “Password” and “123456” have been the most common passwords throughout the 2010s and 2020s.

People's names were the second most prevalent component. The 100 most popular names of 2025 were included in 8% of all passwords. Common words like “love” and pop culture terms like “batman” were also extremely reused.

42% of all passwords are between 8 and 10 characters, but experts say 12-characters is the minimum to ensure security.

Most people use eight-to-ten-character passwords (42%), with eight the most popular.

One-third (27%) contain only lowercase letters and digits, significantly increasing vulnerability.

But this is changing.

Research from 2022 found that only 1% of passwords used a mix of lowercase, uppercase, numbers, and symbols. This 2025 study found that number has grown dramatically to 19%, likely due to stricter platform requirements.

Protecting your accounts

In addition to researchers, attackers have access to these password lists and many others. As new breaches occur, they add to their lists and continually refine attacks.

Weak, reused, and obvious passwords increase your chance to fall victim to an attack. If you reuse passwords across multiple services and accounts, a breach in one system can compromise other accounts.

More than one-quarter of the passwords contain only lowercase letters and digits, rather than the recommended mix of uppercase, lowercase, digits, and special characters.

All users should take steps to improve their password habits.

  • Use a password manager
  • Never reuse passwords and make sure they include a mix of at least 12 characters of all character types.
  • Use multi-factor authentication (MFA)
  • Set up password policies within your organization to meet these requirements.
Subscribe to our weekly newsletter

RECENT ARTICLES

Harvard's Crimson Cash ends

Harvard’s Crimson Cash ends as laundry and printing move to other payment methods

Last summer, Harvard announced that it was phasing out its decades-old Crimson Cash declining balance program. Citing declining usage and the prevalence of open system debit and credit cards, they began a yearlong multi-step elimination plan. This month, the final stages of this plan will be complete, and the one of higher ed’s pioneering declining […]
Jeff Bransfield, Assa Abloy, discusses iDFace Max terminal

New facial recognition reader stores 100,000 templates, ideal for dining and athletics

A new facial recognition reader from Assa Abloy’s Control iD line can store 100,000 templates on the device, enabling standalone usage or integration with existing security systems. In a conversation with CampusIDNews, Jeff Bransfield, Regional Director of Digital Access Solutions for Assa Abloy, introduces the iDFace Max. The new seven-inch facial identification terminal is receiving […]
SNHU building
Jun 11, 25 / ,

Second largest university replaces outdated hardware with Allegion readers

While most people know Southern New Hampshire University as a private, online institution, it does have a physical campus. Its 3,000 students need ID cards, and its facilities require security and other transaction-related services. In terms of total enrollment, SNHU is the second largest accredited higher ed institution in the country. With more than 175,000 […]
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.
Twitter

Attn: friends in the biometrics space. Nominations close Friday for the annual Women in Biometrics Awards. Take five minutes to recognize a colleague or even yourself. http://WomenInBiometrics.com

Feb. 1 webinar explores how mobile ordering enhanced campus life, increased sales at UVA and Central Washington @Grubhub @CBORD

Load More...
Contact
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301
www.AVISIAN.com[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2025 CampusIDNews. All rights reserved.