Odds are your passwords sucks. That’s what a new study from Cybernews shows, at any rate.
Since April 2024, over 200 data breaches and leaks have compromised 19 billion passwords that are available online right now for any and all to see. In reviewing these 19 billion leaked passwords, the Cybernews research team found that a measly 6 percent were unique, meaning the passwords weren’t reused elsewhere or included common phrases that are child’s play for hackers to crack.
As if that weren’t bad enough, some of the most commonly used ones are long-time members of the hall of password shame. Cybernews found “password” was used 56 million times, “admin” 53 million times, and “123456” a whopping 338 million times in the data set.
“The ‘default password’ problem remains one of the most persistent and dangerous patterns in leaked credential datasets,” said Neringa Macijauskaitė, information security researcher at Cybernews. “Attackers, too, prioritize them, making these passwords among the least secure.”
After preset passwords, people’s names were the second most prevalent component.
“We cross-referenced the dataset with the 100 most popular names of 2025 and found that there’s a whopping 8% chance for them to be included as part of a password,” said Macijauskaitė.
The researchers also discovered that a surprising number of passwords rely on curse words, with 16 million passwords including the F-bomb, for instance.
Roughly one-third of all the passwords reviewed only used lowercase letters and digits, and almost 20% of unique passwords mixed case letters and numbers, but lacked special characters.
That might not immediately flag as a concern, but these kinds of passwords are much easier to crack using brute-force in what’s known as dictionary attacks, when hackers employ a preselected library of common words and phrases to guess a password. Just over a billion of the passwords Cybernews reviewed were strong enough to resist dictionary attacks.
“We’re facing a widespread epidemic of weak password reuse,” said Macijauskaitė. “Only 6% of passwords are unique, leaving other users highly vulnerable to dictionary attacks. For most, security hangs by the thread of two-factor authentication—if it’s even enabled.”
Here’s how to make a stronger password
With the rise of artificial intelligence and other sophisticated hacking techniques, it’s becoming easier and easier for cybercriminals to crack your passwords. To best protect yourself, you’ll want to use strong, unique passwords for each of your online accounts.
But what makes a password weak or strong to begin with? For starters, four-character passwords are virtually useless, and those without symbols are especially vulnerable to attacks.
Among the unique passwords Cybernews reviewed, a few commonalities emerged. The most popular length was between 8 to 10 characters. Ideally, you want to aim for between 14 to 18 characters for a strong password. If you’re going to stick to creating your own passwords, be sure to include a variety of numbers, upper and lowercase letters and symbols.
Keeping all that in your head is no easy task, though. One of the security recommendations we give frequently is to get one of the best password managers. That way you can store all your credentials in one secure place to save yourself the hassle.
Some online accounts also have the option to set up a passkey or use a biometric login as well. On that same note, enable multi-factor authentication on as many accounts as possible as a failsafe to help protect your data even if your password is compromised.
Finally, and this may be obvious, but it bears repeating: Once you’ve got your strong password in place, don’t share it with anyone.
More from Tom’s Guide
