Passwords are outdated, and it’s time for tech companies and users to move forward. There, I said. Like it or not, the weakest connection in cybersecurity is anything humans invest in. While organizations continue to invest in firewall and endpoint security, the most persistent vulnerability remains human passwords.
The Internet has long struggled with password practice, but recent findings highlight the severity of the problem.
Security researchers have discovered more than 19 billion newly leaked passwords that were collected from hundreds of violations between April 2024 and April 2025. 94% of these passwords are reused, predictable or both.
Join the free web Guy report: Get my expert tech tips, critical security alerts and exclusive deals – plus access to my free final scam survival guide when I sign up!
Illustration of hacker at work. (Kurt “Cyberguy” Knutsson)
What you need to know
Between April 2024 and April 2025, data from nearly 200 separate cybersecurity incidents are publicly available, as found Online News. These are not isolated incidents. They involve a large number of leaked repositories, including groupers, stealer logs and compromise databases. In total, more than 3 original leaked data were analyzed, including more than 19 billion passwords. Only 6% of them, just over 1.1 billion, are unique.
Among the most commonly used passwords, “123456” appears in over 338 million instances. Despite years of public warnings, words like “password” and “admin” followed closely. These default values are often from devices such as routers or enterprise tools, which are rarely changed on these devices and are often reused elsewhere.
1.7 billion passwords leaked on the dark web, why your password is in danger
Personal names are still a common pattern, too. The name “ANA” appears with nearly 179 million passwords, followed by countless other names and name-based combinations. Pop culture, food, city, and even oath words are common topics. Words like “Mario,” “love,” “pizza,” “roman,” and various blasphemy are not just creative choices. They are now responsible for safety.
Worse, the attacker no longer needs guessing. They have automation. The Credential Filler Tool now runs billions of known passwords on hundreds of platforms, violating accounts with a success rate of up to 2%. This is equivalent to having thousands of compromise profiles, bank accounts, emails and cloud tools every day.
Illustration of hacker at work. (Kurt “Cyberguy” Knutsson)
200 million social media records leaked in major X data breach
A bigger problem
According to online news researcher Neringa Macijauskaite, the core issue is not only the weaker password, but the frequency of reuse. Only 6% of passwords are unique. For most users, security depends entirely on Two-factor authenticationif fully enabled.
Most passwords range from 8 to 10 characters, with 8 of them being the most common. About 27% of these people only contain lowercase letters and numbers, making them very vulnerable to brute force attacks. Less than 20% of cases and numbers are mixed together, and only a small percentage includes symbols.
How secure is my password? Use this test to find out
Despite extensive education, user habits remain stagnant, but a positive trend emerges. In 2022, only 1% of passwords use a mix of lowercase, uppercase, numbers and symbols. Now, that number has grown to 19%, which is probably driven by stricter password requirements on the platform.
Get one Free scan Find out if your personal information is already on the Internet.
Illustration of hacker at work. (Kurt “Cyberguy” Knutsson)
HR firm confirms 4 million records exposed in major hackers
Password manager is the solution
Reusing or weak passwords poses a huge threat, not only to individuals but to organizations. A single compromised password can trigger the domino effect, revealing multiple accounts in the service. Consider using Password Manager Generate and store complex passwords. Get more details about me Best Expert Review Password Manager for 2025.
Four ways to keep avoiding password stealers
Protecting data requires intelligent security habits and reliable tools. These are four effective ways to ensure information security.
1. Enable Two-Factor Authentication (2FA): Even if your password is stolen, 2FA Additional security layers are added by requiring a second form of verification, such as code for authentication applications or biometric confirmation. Cybercriminals rely on stolen usernames and passwords to break down their accounts, but with 2FA enabled, they are inaccessible without additional security steps. Make sure to enable 2FA on important accounts such as email, banking, and work-related logins.
2. Use powerful antivirus software and be cautious on downloads and links: InfoStealer malware is the root cause of your password. It is usually spread through malicious downloads, phishing emails, and fake websites. Avoid downloading software or files from untrusted sources and always double-check the links before clicking them. Attackers mask malware as legitimate software, games cheat or cracked apps, so it’s best to stick to official websites and app stores for download.
The best way to protect yourself from installing malware (malicious links that may access private information) is to install powerful antivirus software on all devices. This protection can also remind you about phishing email and ransomware scams, ensuring your personal information and digital assets are secure. The choice of the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.
3. Keep the software updated: Cyber criminals use outdated software to provide malware. Keep the operating system, browser and security software up to date Make sure to fix known vulnerabilities. Enable automatic updates whenever possible and install reputable antivirus or endpoint protection software that detects and blocks InfoStealer threats before damaging your system.
4. Consider personal data deletion services: These services can help you remove your personal information from your data brokerage website, reducing the risk of identity theft, spam, and target scams. While there is no service that guarantees complete deletion of data from the Internet, a data deletion service is indeed a wise choice. They are not cheap, nor are your privacy. These services provide you with all your work by actively monitoring and systematically deleting your personal information from hundreds of websites. This is where I feel at ease and proves to be the most effective way to delete your personal data from the internet. By limiting the available information, you can reduce the risk of cross-references of data from fraudsters in violations and find information on the dark web, making it harder for them to target you. Check out my preferred data deletion service here.
Subscribe to Kurt’s YouTube channel for quick video tips on how to use all your tech devices
Kurt’s key points
When it comes to it, the password is no longer deleted. There are numerous leaked passwords and few unique facts that show our true vulnerability. Cybercriminals are getting smarter and faster, but we don’t have to make it easy for them. By using Password Manager, we can enable two-factor authentication, keep our software updated and take into account additional privacy tools, we can restore control over this situation. Changing old habits may take a little effort, but the peace of mind you get is worth it.
Click here to get the Fox News app
How many accounts have you used the same password or a variation of it? Let’s write to us cyberguy.com/contact
For more technical tips and security alerts for me, please subscribe to my free online reporting newsletter cyberguy.com/newsletter
Ask Kurt a question, or let us know what stories you want us to cover.
Follow Kurt on his social channels:
Answers to the most popular web guess questions:
New things from Kurt:
Copyright 2025 CyberGuy.com. all rights reserved.
