
Over the past year, a series of high-profile incidents—including the breaches of Snowflake and the data leak at SOCRadar.io—have granted cybercriminals access to billions of user accounts. In response, the research team at Cybernews conducted a sweeping analysis of compromised credentials to uncover prevailing password trends in 2025. The findings are far from reassuring.
We are witnessing a widespread epidemic of recycled, weak password combinations. Only 6% of passwords analyzed could be considered truly unique, making the vast majority of accounts vulnerable to dictionary attacks. “For most users, two-factor authentication remains the sole line of defense—and even that only applies if it’s enabled,” notes Neringa Macijauskaite, a cybersecurity expert at Cybernews.
Researchers examined data from approximately 200 breaches, including malware dumps and combo lists circulating online since April 2024. The total dataset exceeded 19 billion records, of which only 1.14 billion were non-redundant.
Their methodology combined open-source intelligence, cyber forensics, and technical automation. Custom dictionaries were developed to classify password elements, while Python and Bash scripts were used to analyze password length, character composition, and special symbol usage.
The original dataset, exceeding three terabytes, contained information sufficient for account hijacking and identity theft. After rigorous filtering and anonymization, the dataset was reduced to 213 gigabytes. Researchers emphasized that attackers gain access not only to passwords but also to associated email addresses and sensitive personal data.
The analysis revealed that 42% of users opt for passwords between 8 and 10 characters in length, with 8-character passwords being the most common. Nearly 27% of all passwords consisted solely of lowercase letters and digits. The infamous numeric sequence “1234” appeared in 727 million instances, while its longer counterpart “123456” was found in 338 million records.
The use of default or overly simplistic passwords remains a critical vulnerability. Combinations like “password” and “admin” occurred 56 and 53 million times respectively, indicating widespread reliance on easily guessable credentials, Macijauskaite explains. Many users either never change default settings or deliberately replicate these combinations across multiple services.
Personal names ranked second among the most frequently used elements in password creation. By cross-referencing with the top 100 baby names of 2025, analysts found that such names appear in 8% of all passwords. Leading the list is the name Ana, present in nearly 179 million instances—though some occurrences stem from words like “banana,” used 3.7 million times.
Users often turn to positive associations for inspiration. The word “love” was found in 87 million passwords, followed by “sun” (34 million), “dream” (6.1 million), “joy” (6.9 million), and “freedom” (2 million). Pop culture has also left its mark: Mario appeared in 9.6 million combinations, Batman in 3.9 million, Thor in 6.2 million, and Elsa from Frozen in 2.9 million.
Profanity, too, remains common. The string “ass” appeared in 165 million passwords, often due to its presence in words like “pass” and “password.” Other explicit terms—such as “fuck” (16 million), “shit” (6.5 million), “dick” and “bitch” (3.2 million each)—were also frequently encountered.
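The counting behind the length, composition and element figures above can be sketched as follows, including the overlap that makes "ana" match "banana" and "ass" match "password". This is an added example, not the Cybernews team's scripts; the sample passwords and the short element list are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample; a real run would read an anonymized password list.
SAMPLE = ["banana12", "password1", "Ana2025!", "iloveyou", "123456", "Tr0ub4dor&3x"]
# A few elements named in the article; the real dictionaries are far larger.
ELEMENTS = ["ana", "banana", "ass", "pass", "password", "love", "1234", "123456"]
CLASSES = {"lower": r"[a-z]", "upper": r"[A-Z]", "digit": r"[0-9]",
           "special": r"[^A-Za-z0-9]"}

def char_classes(pw):
    """Set of character classes present in pw."""
    return {name for name, pat in CLASSES.items() if re.search(pat, pw)}

def spans(text, element):
    """All (start, end) positions of element in text, overlaps included."""
    out, i = [], text.find(element)
    while i != -1:
        out.append((i, i + len(element)))
        i = text.find(element, i + 1)
    return out

def attributed_hits(pw, elements=ELEMENTS):
    """Elements with at least one occurrence not inside a longer matched element."""
    low = pw.lower()
    found = {e: spans(low, e) for e in elements if e in low}
    kept = []
    for e, own in found.items():
        longer = [s for o, ss in found.items() if len(o) > len(e) for s in ss]
        if any(not any(a <= s and t <= b for a, b in longer) for s, t in own):
            kept.append(e)
    return sorted(kept)

def profile(passwords, elements=ELEMENTS):
    """Length histogram, composition counts, naive vs attributed element counts."""
    lengths, naive, attributed = Counter(), Counter(), Counter()
    all_four = lower_digit_only = 0
    for pw in passwords:
        lengths[len(pw)] += 1
        cls = char_classes(pw)
        all_four += len(cls) == 4
        lower_digit_only += cls == {"lower", "digit"}
        naive.update(e for e in elements if e in pw.lower())
        attributed.update(attributed_hits(pw, elements))
    return {"lengths": lengths, "all_four": all_four,
            "lower_digit_only": lower_digit_only,
            "naive": naive, "attributed": attributed}

if __name__ == "__main__":
    for key, value in profile(SAMPLE).items():
        print(key, value)
```

The gap between the naive and attributed counters is the share of a short element's hits that come from longer words containing it.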
Nature and geography offered additional sources of inspiration. “Rome” appeared in 13 million combinations. Among animals, the lion led with 9.8 million appearances, followed by the fox at 7.8 million. “Summer” was included in 3.8 million passwords, and Monday was the most frequently used day of the week (800,000 entries).
As for months, May topped the list with 28 million appearances, followed by April at 5.2 million. Culinary references were also widespread: “tea” appeared in 36 million passwords, “apple” in 10.7 million, “rice” in 4.9 million, “orange” in 3.6 million, and “pizza” in 3.3 million.
Commercial brand names featured prominently as well: Google was present in 25.9 million passwords, followed by Facebook (18.7 million) and Kia (12.7 million). Common professional terms included “boss” (10 million), “hunter” (6.6 million), and “cook” (4.2 million). Among U.S. states, Carolina led with 1.9 million appearances, followed by Dakota (1.2 million) and Texas (1.1 million).
There is, however, a glimmer of hope: the quality of password practices has seen modest improvement in recent years. In 2022, only 1% of passwords contained all character types—lowercase and uppercase letters, numbers, and special symbols. That figure has since climbed to 19%. Still, experts warn that repeated use of the same combinations poses a grave risk: the compromise of one account can trigger a domino effect across others.
Attackers now employ automated tools to test stolen credentials across multiple platforms. Despite seemingly low success rates of 0.2% to 2%, the sheer volume of data means thousands of accounts can still be breached with ease.
According to Enzoic, weak passwords were responsible for 30% of ransomware infections in 2019—a trend that continues today. Once inside a system, attackers often require little technical skill to escalate privileges and deploy malware, resulting in outages and financial loss.
Analysts recommend using password managers, creating unique combinations of at least 12 characters with mixed character types, and enabling multi-factor authentication. Organizations should conduct regular security audits, monitor leaks in real time, and implement modern hashing algorithms. Special attention should be given to access controls and security policies mandating complex passwords of no fewer than 16 characters.
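One way to enforce these recommendations when a password is set, shown as an added example rather than code from the Cybernews report. It assumes "mixed character types" means all four types measured in the study, uses a deny list limited to the strings the article singles out, and checks candidates against a constructed set of leaked-password digests; `min_length` is 12 by default and can be raised to 16 for the organizational policy.

```python
import hashlib
import re

# Strings the article singles out as default or overly simplistic.
WEAK_ELEMENTS = ("123456", "1234", "password", "admin")
CLASS_PATTERNS = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
                  "digit": r"[0-9]", "special": r"[^A-Za-z0-9]"}

def digest(pw):
    """SHA-256 hex digest, used only for leak-set lookup (not a storage hash)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()

# Constructed stand-in for a leak corpus, held as digests rather than plaintext.
LEAKED = {digest(p) for p in ("Summer2025!Summer", "Qwerty!23456789")}

def violations(pw, min_length=12, leaked=LEAKED):
    """Return the policy rules that pw breaks; an empty list means accepted."""
    found = []
    if len(pw) < min_length:
        found.append(f"shorter than {min_length} characters")
    missing = [n for n, pat in CLASS_PATTERNS.items() if not re.search(pat, pw)]
    if missing:
        found.append("missing character types: " + ", ".join(missing))
    weak = [w for w in WEAK_ELEMENTS if w in pw.lower()]
    if weak:
        found.append("contains common element: " + weak[0])
    if digest(pw) in leaked:
        found.append("appears in leaked-password set")
    return found

if __name__ == "__main__":
    for candidate in ("banana12", "Password1234!", "Summer2025!Summer"):
        print(candidate, "->", violations(candidate) or "accepted")
```

A password such as "Password1234!" passes the length and composition rules and is rejected only by the deny list, which is why composition rules alone do not address the patterns the study found.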