Most Passwords Can Be Cracked Within Hours, Kaspersky Research Finds

Two in three passwords exposed in major data leaks between 2023 and 2026 could be cracked within a single day - a finding that lays bare just how little most users' security habits have changed despite years of public warnings. Kaspersky, the global cybersecurity firm, reached that conclusion after analysing 231 million unique passwords drawn from real-world breaches, producing what amounts to a detailed portrait of how people actually protect their accounts, rather than how they claim to.

The Patterns That Make Passwords Easy Targets

The analysis exposes a set of deeply entrenched habits that cybercriminals can exploit with minimal effort. More than half of all examined passwords - 53% - ended with a digit, while 17% began with one. Nearly 12% contained date-like sequences falling between 1950 and 2030, suggesting that birthdays, anniversaries, and other personally significant years remain stubbornly popular choices. Around 3% included keyboard-walk patterns such as "qwerty" or simple numeric strings like "1234".

Special characters, often added in the belief they improve security, follow an equally predictable distribution. Among passwords containing a single symbol, the "@" sign appeared in 10% of cases - the most common by a wide margin. A full stop followed at 3%, and the exclamation mark ranked among the most frequently used special characters across the entire dataset. When a symbol is appended to a familiar word purely to satisfy a complexity requirement, it adds far less protection than the user assumes.

Alexey Antonov, Kaspersky's data science team lead, explained why these patterns are so consequential: "When attackers already know which characters users tend to favour, the time required to crack a password drops dramatically." Brute-force attacks work by systematically testing character combinations, and any predictability narrows the search space significantly. The fewer combinations an attacker must try, the faster a password falls.
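To make the search-space point concrete, here is an added example (my own code, not Kaspersky's analysis tooling) that flags the structural habits reported above and compares the size of a uniformly random password's search space with that of a "dictionary word plus year" construction. The keyboard-walk list, the year range, and the assumed dictionary size of 100,000 words are illustrative assumptions.

```python
import math
import re

# Heuristics modelled on the habits reported in the article (trailing digit,
# leading digit, a year between 1950 and 2030, keyboard walks). The walk list
# and the regex are my own assumptions, not Kaspersky's classifier.
KEYBOARD_WALKS = ("qwerty", "asdf", "zxcv", "1234", "0987")
YEAR_RE = re.compile(r"(19[5-9]\d|20[0-2]\d|2030)")


def find_patterns(password: str) -> list[str]:
    """Return a label for every predictable-structure habit found in password."""
    found = []
    if password and password[-1].isdigit():
        found.append("ends_with_digit")
    if password and password[0].isdigit():
        found.append("starts_with_digit")
    if YEAR_RE.search(password):
        found.append("date_like")
    lowered = password.lower()
    if any(walk in lowered for walk in KEYBOARD_WALKS):
        found.append("keyboard_walk")
    return found


def uniform_bits(length: int, alphabet_size: int) -> float:
    """Search space, in bits, of a password chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def structured_bits(dictionary_size: int, suffix_choices: int) -> float:
    """Search space, in bits, of 'dictionary word + predictable suffix'."""
    return math.log2(dictionary_size * suffix_choices)


if __name__ == "__main__":
    # Constructed sample passwords, not values from the dataset.
    for pw in ("Summer2019", "1qwerty", "P@ssword1", "Tr0ub4dor"):
        print(f"{pw:12s} {find_patterns(pw)}")
    # 8 printable-ASCII characters chosen uniformly (95 symbols) ...
    print(f"uniform 8-char: {uniform_bits(8, 95):.1f} bits")
    # ... versus an assumed 100,000-word dictionary entry followed by one of
    # the 81 years 1950-2030: roughly 2^30 times fewer candidates to test.
    print(f"word + year:    {structured_bits(100_000, 81):.1f} bits")
```

The two `*_bits` functions are the whole argument in miniature: once an attacker can assume "a common word, then a year", the candidate set shrinks from about 2^52 to about 2^23, which is why a password that looks eight characters "strong" falls in hours.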

Length Matters - But Only When Combined With Randomness

Password length is widely cited as the single most effective security variable, and the Kaspersky data reinforces that view - with an important caveat. Passwords of eight characters or fewer could typically be cracked in under a day. Yet length alone is not sufficient protection. AI-powered cracking tools were able to break more than 20% of 15-character passwords in under a minute when those passwords followed predictable structures. A long password built from a recognisable phrase, a favourite word with a trailing number, or a substitution pattern - replacing "a" with "@", for instance - provides far less security than its character count might suggest.

The overall figures are stark. According to Kaspersky's findings, 60.2% of all analysed passwords could be cracked within an hour, and 68.2% within a day. These are not worst-case estimates - they reflect the actual passwords people chose and used on real accounts across real breaches.

Antonov's advice moves beyond the standard "add a capital letter and a number" guidance that has dominated security messaging for two decades. He recommends constructing passphrases from several unrelated words, supplemented with internal numbers, symbols, and deliberate misspellings - an approach that increases both length and unpredictability simultaneously. "The longer and more random and unpredictable the password is, the harder it is to crack," he said.

Internet Culture Has Started Shaping Password Choices

One of the more unexpected findings concerns the influence of viral online culture on password behaviour. The word "Skibidi" - originating from a YouTube animation series that became a widespread internet phenomenon - appeared in passwords 36 times more frequently in 2026 than in 2023. That single data point illustrates a broader dynamic: as certain words saturate online conversation, they migrate into passwords, making them far easier to guess for anyone familiar with the same cultural landscape.

Positive and aspirational language dominates password vocabulary. Words such as "love", "magic", "friend", "angel", "star", and "eden" appeared frequently across the dataset. Negative terms - "hell", "devil", "nightmare", "scar" - were present but less common. Neither category offers meaningful security. Dictionary-based attacks, which test common words before moving to random combinations, are specifically designed to exploit this tendency.

What Secure Password Practice Actually Looks Like

Kaspersky's recommendations align with current best-practice consensus across the cybersecurity field. A genuinely secure password should:

  • Contain at least 16 characters
  • Use random, non-repeating combinations of letters, numbers, and symbols
  • Be unique to each account - never reused across services
  • Be generated by a dedicated password manager or generator rather than constructed manually
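An added example (my own code, not Kaspersky's password manager) of generating credentials that meet the list above and Antonov's passphrase advice: a uniformly random password of at least 16 characters drawn with the `secrets` module, and a passphrase whose numbers and symbols sit between the words rather than trailing them. The 32-word list is a constructed stand-in; the entropy helpers make the trade-off between the two forms explicit.

```python
import math
import secrets
import string

# Constructed demo word list. A real generator would draw from a curated list
# of several thousand words (a 7776-word Diceware-style list gives about
# 12.9 bits per word instead of the 5 bits each of these 32 words contributes).
WORDS = (
    "anchor", "basil", "canyon", "dune", "ember", "falcon", "glacier", "harbor",
    "ivory", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saddle", "tundra", "umbrella", "velvet", "willow", "xenon",
    "yonder", "zephyr", "acorn", "bramble", "cobalt", "drizzle", "ferret", "gravel",
)
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
SEPARATORS = string.digits + SYMBOLS              # 34 choices, placed between words
PASSWORD_ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 86 choices


def random_password(length: int = 16, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Uniformly random password; enforces the 16-character floor from the list."""
    if length < 16:
        raise ValueError("the recommended minimum length is 16 characters")
    # secrets.choice uses the OS CSPRNG, unlike random.choice.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(count: int = 4, words=WORDS) -> str:
    """Several unrelated words with a random digit or symbol between each pair,
    so the number and symbol land inside the phrase rather than at the end."""
    chosen = [secrets.choice(words) for _ in range(count)]
    parts = [chosen[0]]
    for word in chosen[1:]:
        parts.append(secrets.choice(SEPARATORS))
        parts.append(word)
    return "".join(parts)


def password_bits(length: int, alphabet_size: int = len(PASSWORD_ALPHABET)) -> float:
    """Entropy of random_password(): every position is independent and uniform."""
    return length * math.log2(alphabet_size)


def passphrase_bits(count: int, list_size: int = len(WORDS),
                    separator_choices: int = len(SEPARATORS)) -> float:
    """Entropy of passphrase(): words and separators are drawn with replacement."""
    return count * math.log2(list_size) + (count - 1) * math.log2(separator_choices)


if __name__ == "__main__":
    print(random_password(), f"({password_bits(16):.1f} bits)")
    print(passphrase(), f"({passphrase_bits(4):.1f} bits with this 32-word list)")
```

Note that the entropy figures describe the generator, not any particular output: a random 16-character password from this alphabet carries about 103 bits, while four words from a 32-word list carry only 20 bits plus the separators, which is why the size of the word list matters as much as the word count. Uniqueness per account is a property of the vault, not the generator: call the function once per service and never reuse the result.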

Two-factor authentication adds a critical second barrier. Even a compromised password cannot unlock an account if the attacker cannot also supply a time-sensitive code sent to a separate device. Security experts have increasingly pointed to passkeys - cryptographic credentials stored on a device and never transmitted to a server - as a longer-term alternative to passwords altogether, removing the human construction problem from the equation entirely.

Password managers address the core tension that has always undermined security advice: truly random, unique passwords are impossible to memorise at scale. A manager generates and stores credentials in an encrypted vault, requiring only a single strong master password from the user. Kaspersky has added a password generation feature to its own management platform as part of the same research initiative.

The underlying problem the data captures is not ignorance but habit. Most users understand, in the abstract, that weak passwords are risky. What the 231 million exposed credentials demonstrate is the distance between awareness and behaviour - and the very real cost of that gap when breaches occur.