Password crisis: 19 billion leaked in under a year

What happened

Cybernews has revealed that over 19 billion passwords have been exposed through more than 200 data breaches since April 2024. The investigation found that only 6% of passwords in the leaked dataset were truly unique. The rest were riddled with reused logins, dictionary words, and predictable patterns like "123456" (used 338 million times) and "password" (used 56 million times).

 

Going deeper

The leaked credentials paint a grim picture of digital hygiene. In addition to default passwords like "admin", the Cybernews team discovered that nearly one-third of all passwords relied only on lowercase letters and digits, and 8% included common names. Even curse words showed up frequently, over 16 million times, with the F-word topping the list.

Information security researcher Neringa Macijauskaitė said, “The default password problem remains one of the most persistent and dangerous patterns in leaked credential datasets.” Worse yet, many of these weak passwords are easy targets for dictionary attacks, where hackers use precompiled lists of words to guess credentials in seconds.

Out of the entire dataset, only about 1 billion passwords were strong enough to resist these brute-force tactics, leaving the overwhelming majority of users highly vulnerable.

 

What was said

“We’re facing a widespread epidemic of weak password reuse,” Macijauskaitė added. “Only 6% of passwords are unique, leaving other users highly vulnerable to dictionary attacks. For most, security hangs by the thread of two-factor authentication—if it’s even enabled.”

 

In the know

To stay safe, users must adopt longer, complex, and unique passwords for each account. Best practices include:

  • Using 14–18 character passwords with a mix of upper/lowercase letters, numbers, and symbols
  • Relying on password managers to store credentials securely
  • Enabling multi-factor authentication wherever possible
  • Avoiding default credentials or anything remotely guessable
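The checks in this list can be run over a password manager export to find which accounts need a new password. The following is an added example, not code from Cybernews or the article; the function names, the three-entry denylist (only the values the article names) and the sample vault are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed denylist holding only the values the article names; a real
# audit would load a full breached-password list instead.
DENYLIST = {"123456", "password", "admin"}
MIN_LENGTH = 14  # lower bound of the 14-18 character recommendation
CHAR_CLASSES = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def audit_password(candidate):
    """Return the weaknesses found in one password (empty list = none)."""
    findings = []
    if candidate.lower() in DENYLIST:
        findings.append("default-or-common")
    if len(candidate) < MIN_LENGTH:
        findings.append("too-short")
    # The pattern the article says nearly one-third of leaked passwords follow.
    if re.fullmatch(r"[a-z0-9]+", candidate):
        findings.append("lowercase-and-digits-only")
    for name, pattern in CHAR_CLASSES.items():
        if not re.search(pattern, candidate):
            findings.append("no-" + name)
    return findings


def audit_vault(vault):
    """Map each account with a weak or reused password to its findings."""
    counts = Counter(vault.values())
    report = {}
    for account, password in vault.items():
        findings = audit_password(password)
        if counts[password] > 1:  # same password stored for several accounts
            findings.append("reused")
        if findings:
            report[account] = findings
    return report


# Constructed sample vault (hypothetical account names and passwords).
SAMPLE_VAULT = {"router": "admin", "mail": "summer2024",
                "forum": "summer2024", "bank": "T7#qLw9!vRz2@kXp"}

if __name__ == "__main__":
    for account, findings in audit_vault(SAMPLE_VAULT).items():
        print(account, findings)
```
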

 

FAQs

What makes a password vulnerable to attacks?

Passwords that use simple words, predictable patterns (like "123456"), or reused logins are easily cracked using automated tools like dictionary or brute-force attacks.

 

How do hackers typically obtain large sets of passwords?

Hackers exploit security flaws in websites or services to steal user data, often selling or dumping these credentials on dark web forums and hacking platforms.

 

What’s the risk if one of my passwords gets leaked?

If a reused password is exposed, attackers can gain access to other accounts you use, including email, banking, or healthcare platforms, leading to identity theft or financial fraud.

 

Are password managers safe to use?

Yes, reputable password managers use strong encryption and are far safer than storing passwords in browsers or reusing them across sites.

 

Can two-factor authentication fully protect me?

While not foolproof, two-factor authentication significantly reduces your risk, even if your password is leaked, by requiring a second form of verification.