• Analysis of 231 million leaked passwords reveals widespread patterns that facilitate cyber targeting
• More than two-thirds of weak passwords are cracked in a very short time

An analysis conducted by experts at Kaspersky of more than 231 million leaked passwords between 2023 and 2026 has revealed widespread weaknesses in the ways users create passwords. The findings were released to coincide with World Password Day.

The study found that 68% of recently used passwords can be cracked within just one day. It also showed that most compromised passwords either begin or end with numbers, a common pattern that makes them easier for hackers to exploit using brute-force attacks.

According to researchers, users also tend to rely on popular or positive-sounding words when creating passwords, such as “love,” “magic,” and “angel.” Meanwhile, the term “Skibidi” was found to have increased around 36 times in recent years, reflecting viral internet trends influencing password choices.

The analysis further showed that the “@” symbol is the most frequently used special character in leaked passwords, appearing in around 10% of cases, followed by “.” and then “!”.

It also indicated that 53% of passwords end with numbers, while 17% begin with numbers. About 12% include predictable date ranges between 1950 and 2030.

Alexey Antonov, head of the data science team at the company, said that the predictable use of common symbols and numbers—especially at the beginning or end of passwords—makes them significantly easier for attackers to guess.

He added that brute-force attacks rely on systematically trying all possible combinations until the correct password is found, noting that attackers’ knowledge of user behavior patterns greatly reduces the time needed to break into accounts.

The results also showed that short passwords—those under eight characters—can usually be cracked in less than a day. Meanwhile, artificial intelligence tools are now capable of breaking more than 20% of 15-character passwords in under a minute if they follow predictable patterns.

According to the study, secure passwords today should exceed 16 characters and consist of a random mix of letters, numbers, and unique symbols, with a different password used for each account.

Experts also recommended enabling two-factor authentication and using password manager applications to securely store credentials, rather than relying on easily guessed or reused passwords across multiple accounts.