With a large password violation, over 19 million are leaked through

Your password is probably hacker bait.

Cybersecurity researchers have found that 19 billion passwords circulate online – and only 6% of these leaked passwords were unique, which means that they were not reused or duplicated.

Cybernews researchers examined more than 200 data breaches that occurred between April 2024 and April 2025.

Of the 19,030,305,929 real passwords that were exposed online, 94% were reused, whether by the same person or by different users.

And the most common passwords were too easy for hackers to crack: 42% were only 8-10 characters long, and 27% contained only lowercase letters and numbers, with no special characters or mixed case.

“Despite years of security education, users still prefer shorter passwords because they are easier to type and learn. It is recommended to use at least 12 characters for a password,” said Neringa Macijauskaitė, information security researcher at Cybernews.

One of the main problems is that many people stick with “standard” passwords and lazy, simple keyboard combinations.

The analysis showed that “1234” is used in almost 4% of all passwords, which means that over 727 million passwords use this sequence. When the sequence is extended to “123456”, 338 million passwords use it.

Research also showed that 56 million passwords use the word “password” and 53 million use “administrator”. “Password” and “123456” have been the most popular passwords since at least 2011.

“The ‘standard password’ problem remains one of the most continuing and dangerous patterns in troubled data sets,” said Macijauskaitė. “The attackers also prioritize and make these passwords the least safe.”

The cybersecurity experts also recommend that you never reuse passwords across different accounts and websites, to keep your information safe.

“We are faced with a widespread epidemic of reuse of weak passwords,” said Macijauskaitė.

“If you reuse passwords on several platforms, a violation in a system can affect the safety of other accounts and create a domino effect,” warned the researcher. “Attackers are constantly harvesting the latest login information from exposed information stealers and recently cracked hashes that are publicly available.”

The researchers also found that many compromised passwords were strongly based on names: “Ana” was the most popular name in passwords and appeared in 178.8 million of them.

“Many users choose a name as part of their password. We have linked the data record with the 100 most popular names of 2025 and found that they have a whopping 8% chance that they will be recorded as part of a password,” explains the researcher.

Even curse words were commonly used in passwords. For example, 16 million passwords contained the F-word. The top entry, “Ass”, was found 165 million times – this can be partially explained by the use of “pass” or “password”.

Many also choose passwords that are inspired by positive concepts or pop culture terms. “Positive associations, admired characters and nostalgia familiarize people and are easy to commemorate. However, popularity becomes predictability that attackers exploit,” said Macijauskaitė.

In order to create strong passwords and increase overall security, the experts suggest taking the following measures:

  • Use password managers to create and save unique, strong passwords for every service.
  • Never reuse passwords.
  • Make sure that your password is at least 12 characters long and contains uppercase letters, lowercase letters, numbers and at least one special symbol. Skip words, names, sequences or other recognizable strings. “Complexity beats the length.”
  • Enable multi-factor authentication wherever possible.
  • Check the access controls regularly and carry out regular security audits.
  • Monitor and react to login information.
  • For organizations: enforce policies that require passwords of at least 12 characters – ideally 16 – with a mix of uppercase and lowercase letters, numbers and special characters.
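
One way to check passwords against the patterns and recommendations above, as an added example that is not from Cybernews or the original article. The function names, the token list (taken from the strings the article mentions) and the sample vault are constructed for illustration; the vault is assumed to be a local password-manager export.

```python
import re

MIN_LENGTH = 12  # minimum the article recommends (16 is the stated ideal)

# Strings the article reports as common in leaked passwords, longest first so
# that "123456" is reported once rather than also as "1234".
COMMON_TOKENS = sorted(["1234", "123456", "password", "administrator", "ana"],
                       key=len, reverse=True)

CLASSES = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}


def audit_password(candidate):
    """Return a list of policy findings; an empty list means it passes."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASSES.items():
        if not pattern.search(candidate):
            findings.append(f"no {name}")
    lowered = candidate.lower()
    for token in COMMON_TOKENS:
        if token in lowered:
            findings.append(f"contains common string '{token}'")
            # Mask the match so a shorter token inside it is not counted again.
            lowered = lowered.replace(token, "\0" * len(token))
    return findings


def find_reuse(vault):
    """Map each password used by more than one account to those accounts."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: sorted(accts) for pw, accts in by_password.items() if len(accts) > 1}


# Constructed sample vault (account -> password); all values are made up.
SAMPLE_VAULT = {
    "mail": "Ana123456!",
    "bank": "Ana123456!",
    "forum": "password1234",
    "work": "vR7#qLz!x2Wp_f9T",
}
```

The masking step reflects the article's own caveat about substring counts: a short string found inside a longer common one (as with “pass” and “password”) should not be reported twice.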
