Campus ID News
Card, mobile credential, payment and security
FEATURED
PARTNERS
Password written on sticky note

New study shows password crisis worsening as weak and reused credentials remain dominant

Just 6% of all passwords considered secure against common attack vectors

CampusIDNews Staff   ||   May 09, 2025  ||   

A new study by the Cybernews research team examined a dataset containing more than 19 billion passwords made public in recent breaches. The goal was to determine the number of weak vs. strong and unique vs. reused passwords.

The results were far from encouraging.

Researchers looked at exposed credentials from about 200 breaches that occured between April 2024 and April 2025.

Passwords containing ultra-common terms like “password”, “admin”, and “123456” remain the most common.

One researcher called it an epidemic of weak password reuse, with just 6% of passwords being unique. For the other 94% of weak or reused passwords, the only defense against dictionary attacks is two-factor authentication.

Despite a decade-long effort to educate users about password security, there has been little progress.

Common terms, short passwords prevalent

Users included “1234” in 4% of all passwords. “Password” and “123456” have been the most common passwords throughout the 2010s and 2020s.

People's names were the second most prevalent component. The 100 most popular names of 2025 were included in 8% of all passwords. Common words like “love” and pop culture terms like “batman” were also extremely reused.

42% of all passwords are between 8 and 10 characters, but experts say 12-characters is the minimum to ensure security.

Most people use eight-to-ten-character passwords (42%), with eight the most popular.

One-third (27%) contain only lowercase letters and digits, significantly increasing vulnerability.

But this is changing.

Research from 2022 found that only 1% of passwords used a mix of lowercase, uppercase, numbers, and symbols. This 2025 study found that number has grown dramatically to 19%, likely due to stricter platform requirements.

Protecting your accounts

In addition to researchers, attackers have access to these password lists and many others. As new breaches occur, they add to their lists and continually refine attacks.

Weak, reused, and obvious passwords increase your chance to fall victim to an attack. If you reuse passwords across multiple services and accounts, a breach in one system can compromise other accounts.

More than one-quarter of the passwords contain only lowercase letters and digits, rather than the recommended mix of uppercase, lowercase, digits, and special characters.

All users should take steps to improve their password habits.

  • Use a password manager
  • Never reuse passwords and make sure they include a mix of at least 12 characters of all character types.
  • Use multi-factor authentication (MFA)
  • Set up password policies within your organization to meet these requirements.
Subscribe to our weekly newsletter

RECENT ARTICLES

Apex OrderHQ Array modular lockers
Jul 02, 25 /

Modular locker solution streamlines campus order pickup

Apex Order Pickup Solutions launched a new modular system of automated order pickup lockers that can be stacked or setup in custom configurations. The OrderHQ Array Series lockers work in any floor plan without expensive remodeling. In an interview with Food On Demand, Kent Savage, founder and executive chairman of Apex Order Pickup Solutions, compares […]
Amy Surprenant, HID Global
Jun 26, 25 / ,

Effective project management key to GWU mobile credential launch

In a recent interview, HID Global’s Amy Surprenant discusses the project management component of the mobile credential launch at George Washington University (GWU). With 26,000 faculty, staff, and students, the project marked a significant milestone for the institution and its partners, including HID, CBORD, and various on-campus departments and vendors. The deployment of HID Mobile […]
replace allegion reader module
Jun 26, 25 / ,

FIT and Denison both go mobile, but with very different starting points

Denison University and Florida Institute of Technology (FIT) rolled out mobile credentials to students and staff across their campuses. The projects were very different, however, because of the existing reader infrastructure on the two campuses. Each partnered with Allegion and Transact + CBORD to deliver the new digital IDs – stored in Apple Wallet or […]
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.
Twitter

Attn: friends in the biometrics space. Nominations close Friday for the annual Women in Biometrics Awards. Take five minutes to recognize a colleague or even yourself. http://WomenInBiometrics.com

Feb. 1 webinar explores how mobile ordering enhanced campus life, increased sales at UVA and Central Washington @Grubhub @CBORD

Load More...
Contact
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301
www.AVISIAN.com[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2025 CampusIDNews. All rights reserved.