Changing “admin” to “admin1” or changing “password” to “Password1” gives the illusion of a security effort. However, this type of modification is among the riskiest practices in credential management. A recent analysis highlights a very widespread behavior: instead of creating a completely separate password for each service, many users recycle the same password with slight variations.
The figures illustrate the scale of the phenomenon
In the United States, nearly two out of three Internet users admit to reusing their passwords across multiple accounts. The finding is similar in the United Kingdom and Germany. On average, the same password is used for around five different services, and a significant minority admit to using it for ten or more accounts. The problem is well known: when a single credential is compromised, it can serve as a gateway to other, sometimes sensitive, digital spaces.
Superficially changing a password has become a habit. Among those who reuse their credentials, a majority explain that they simply add or modify a number, a letter or a special character. However, these transformations are precisely the ones that attack software tests first. Hackers no longer just try a raw password: their tools automatically apply common variations, increment numbers or change the case to multiply attempts in seconds.
The most frequent examples confirm this logic of ease
Numerical sequences like 12345 or 12345678 remain omnipresent, as do variations around the word “admin”. Combinations inspired by the keyboard, repetitions of numbers or letters, or even simple words accompanied by a number are also widely represented. At first glance, these passwords may seem different from each other. In practice, they follow very identifiable patterns, which leaked password databases can map.
In the list of “200 Most Common Passwords 2025,” researchers found 119 almost identical passwords, which were divided into seven approximate groups:
- Variations of sequential numbers. Examples: 12345, 123456, 1234567, 987654321.
- Variations of “Admin”. Examples: admin, Admin, adminadmin, admin123.
- Variations of “password”. Examples: password, Password1, m0td3p@ss3, M0td3p4ss3.
- Keyboard pattern variations. Examples: azerty, azerty123, abcd1234, Abcd@1234.
- Variations of repeating patterns. Examples: 11111111, 111111111, aa112233, aabb1122.
- Variations of common words. Examples: hello, Hello1, test123, Test@123.
- Prefix/suffix variations. Examples: a123456, Aa123456, Aa@123456, 12345678a.
This fragility is not limited to the personal sphere. In business, these practices can circumvent certain internal rules, since a slightly modified password sometimes formally respects the imposed requirements. This makes it difficult for IT teams to detect. The risk is then greater because compromised access can serve as a basis for deploying ransomware, exfiltrating data or carrying out blackmail.
If these behaviors persist, it is also for practical reasons. A significant portion of Internet users believe they have too many accounts to manage to memorize a unique password each time. Between professional services, banking applications, streaming platforms, social networks and merchant sites, the number of credentials accumulates quickly. Some estimates suggest several hundred passwords per person. In this context, the temptation to simplify is strong, especially as a minority of users continue to minimize the danger.
To reduce risks, several levers exist, even if they are not infallible
Raising awareness in businesses can limit the reuse of credentials, provided that it is sustained over time. Internal policies can also incorporate automatic controls preventing the use of passwords that are already compromised or too close to known combinations. Multi-factor authentication, which requires additional validation via a temporary code or a trusted device, now provides effective protection against account takeover.
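One way to implement a control that refuses passwords "too close to known combinations", shown as an added example that is not from the original article. The blocklist, the substitution table and the function names are assumptions made for illustration; a real deployment would load a breached-password corpus.

```python
import re

# Constructed sample blocklist; a real control would load a breached-password corpus.
BLOCKLIST = {"password", "motdepasse", "admin", "azerty", "hello", "test"}

# Common character substitutions undone before comparison (assumed mapping).
LEET = str.maketrans("013457@$!", "oieastasi")


def is_run(s):
    """True for ascending or descending runs such as 12345, 987654321 or abcd."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(s) >= 4 and steps in ({1}, {-1})


def cores(password):
    """Reduce a password to the base strings a variation rule would start from."""
    low = password.lower()
    out = {
        low,
        re.sub(r"^[^a-z]+|[^a-z]+$", "", low),       # Password1 -> password
        re.sub(r"[^a-z]", "", low.translate(LEET)),  # m0td3p@ss3 -> motdepasse
    }
    digits = re.sub(r"\D", "", low)
    if len(low) - len(digits) <= 3:                  # Aa@123456 -> 123456
        out.add(digits)
    half = low[: len(low) // 2]
    if half and half * 2 == low:                     # adminadmin -> admin
        out.add(half)
    return out - {""}


def reject_reason(password):
    """Return why the password is refused, or None if no rule matches."""
    for core in sorted(cores(password)):
        if core in BLOCKLIST:
            return f"variant of blocklisted '{core}'"
        if is_run(core):
            return f"sequence '{core}'"
        if len(core) >= 4 and len(set(core)) == 1:
            return f"repeated character '{core[0]}'"
    return None
```

Calling `reject_reason` at password-change time lets the policy refuse a candidate such as `Password1` even though it satisfies length, case and digit requirements.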
Password managers represent another avenue. By generating long, random combinations and then storing them securely, they avoid relying on memory and reduce the temptation of predictable variations. Finally, passkeys, based on device cryptography and biometrics, are starting to be deployed on certain major platforms. Their adoption remains gradual, but they could ultimately limit the use of traditional passwords. It remains to be seen whether these solutions will succeed in changing entrenched habits.
