Cybernews looked at over 19 billion passwords published between April 2024 and April 2025 and found that only 1,143,815,266 were unique, meaning 94% appeared more than once and the same flimsy locks guard millions of accounts.
The string 123456 showed up 338,000,000 times, while 1234 appeared in about 727,000,000 cases, keeping alive a pattern first logged in 2011; password and admin guard a combined 109,000,000 profiles because many gadgets leave the factory set to those words and owners rarely change them.
Among everyday words, Ana appears in nearly 179,000,000 entries, Mario in 9.6 million, Batman in 3.9 million, pizza in 3.3 million, and the crude term ass surfaces 165,000,000 times thanks to pass and password, proving that familiarity still beats caution when people pick secret strings.
Why Do Short Passwords Help Criminals?
Cybernews reports that 42% of all entries hold between 8 and 10 characters, with exactly 8 the favourite length, and 27% use only lowercase letters and digits, while nearly 20% mix cases and numbers but ignore symbols, leaving automated cracking tools a narrow search space.
Brute-force scripts then feed these pairs into banking, shopping and gaming sites; a success rate of 0.2% appears tiny, but millions of trials translate into thousands of hijacked profiles.
There is modest progress, because 19% of unique passwords now blend upper and lower case letters, digits and symbols, up from 1% in 2022, a change tied to stricter length and composition rules on popular websites.
How Are Passkeys Changing Everyday Sign Ins?
Microsoft celebrated World Passkey Day on 1 May, a date popularly known as World Password Day, joined the FIDO Alliance pledge and said roughly 1 000 000 new passkeys register on its services each day, adding to more than 15 billion online profiles already ready for the method.
A passkey never leaves the device. A face scan, fingerprint or local PIN proves identity and unlocks the site, blocking phishing tricks and brute-force code that thrive on typed words.
Users succeed on the first try 98% of the time with a passkey, compared with 32% for passwords, and the whole process ends eight times faster because nobody has to copy a one-time code.
Microsoft has rebuilt its sign-in page so the safest choice stored on an account shows first, and every brand new profile starts life without any password field. Early data inside the company shows password traffic falling by more than 20%, a welcome drop because its monitoring still records 7 000 password attacks each second, twice the pace seen in 2023.
Cybernews advises letting a password manager craft strings of at least 12 characters packed with upper and lower case letters, digits and symbols, single-use for every service, alongside multi-factor checks, while workplaces are urged to add strong hashing, regular access reviews and live scans for leaks, cutting the chance that one careless passphrase hands intruders the keys to an entire network.
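An added example, not code from Cybernews or Microsoft: a small audit that applies the advice above (at least 12 characters, all four character classes) together with the reused strings the study names, and estimates the brute-force search space. The function names and the four-entry deny-list are assumptions made for illustration.

```python
import math
import string

# Reused strings named in the study above; a real deployment would load a
# full breached-password corpus instead of this four-entry list (assumption).
COMMON = ("123456", "1234", "password", "admin")

# Character classes and their alphabets (printable ASCII only; other
# characters are ignored, so the estimate below is conservative for them).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
MIN_LENGTH = 12  # the length Cybernews advises

def classes_used(pw):
    """Names of the character classes that occur in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}

def search_space_bits(pw):
    """Upper bound on blind brute-force work: length * log2(alphabet size).
    A string on a guessing list falls long before this bound is reached."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def audit(pw):
    """Return policy findings for pw; an empty list means it passes."""
    findings = []
    hits = [w for w in COMMON if w in pw.lower()]
    if hits:
        findings.append("contains common string: " + ", ".join(hits))
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    missing = sorted(set(CLASSES) - classes_used(pw))
    if missing:
        findings.append("missing classes: " + ", ".join(missing))
    return findings

if __name__ == "__main__":
    # Constructed samples, not taken from any leak.
    for sample in ("abcd1234", "Password2025!", "Tr7#kQ9!mZ2$"):
        print(sample, round(search_space_bits(sample), 1), audit(sample))
```

The second sample satisfies every length and composition rule yet still fails, which is why the deny-list check runs independently of the composition checks.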
Experts Share: How Should Startups Protect Their Data?
Our Experts:
Erik Avakian, Technical Counselor, Info-Tech Research Group
Mike Logan, CEO, C2 Data Technology
Huma Shaikh, Consultant, Mitt Arv
David McInerney, Commercial Manager, Data Privacy, Syrenis
Nicholas Genest, President, CodeBoxx
Erik Avakian, Technical Counselor, Info-Tech Research Group
“World Password Day is that time of year that serves as a common reminder and a great opportunity for everyone around the globe that it’s time to do a quick security check-up and make sure we’re all using security best practices and taking the right steps when it comes to keeping all of our various online accounts protected. This means applying best practices such as ensuring passwords are complex, and ensuring no two accounts share a common password.
“But passwords alone are not enough. Passwords, combined with an additional layer of security such as multi-factor authentication (MFA), help thwart simple password attacks and make it much harder for your accounts to get compromised. It’s recommended to apply MFA across all your accounts, or wherever the feature is made available. It’s considered a best practice in cybersecurity and adds that extra layer of account credential protection.
“It’s also important to regularly review account activity and to consider signing up for available identity protection services, which provide an extra layer of awareness and vigilance. These services often include extra features such as online account monitoring and can alert you if any of your account credentials may have been compromised or posted to the dark web. This provides an awareness measure, allowing you to take immediate action, such as changing passwords and applying any extra security features that are available.
Future trends
“Passwords have been around for a long time. From a cultural perspective, most of us have grown accustomed to using them to log in wherever we have an account. What we’re seeing now for some organisations, particularly those with a more forward-thinking culture or ready for such changes, is a shift away from passwords altogether, utilising Passkeys instead. Passkeys provide a more robust level of user security and are really, at least for now, one answer to the password dilemma. Passwords are still prone to attacks, whether by brute force, social engineering, or other means.
“Passkeys, however, remove many of those risks and have become a much more secure alternative. With the prevalence of the use of mobile technologies such as cell phones, the time for moving away from passwords and toward passkeys is ripe for organisations ready to make this change. It might take some time for such a culture shift to blossom.
“But over time, there’s a high likelihood that as more and more people start using it, it will gain a lot more steam and momentum. The fact that the largest firms are offering these features to their customers is a positive step in that direction.”
Mike Logan, CEO, C2 Data Technology
“In their data protection strategies, small businesses and start-ups should prioritise preparing against AI-Driven Attacks:
Organisations need to bear in mind that while AI and Machine Learning will create new opportunities for efficiencies and ways of working, they’re doing the same for cybercriminals. AI and Machine Learning use in cyber-attacks has been on the increase in 2025. Smaller businesses are even more vulnerable, so it’s important for data privacy programmes to be kept up to date so they can respond quickly to new threats. Deepfake phishing and adaptive malware are examples of sophisticated attacks that are now being employed to target organisations faster and more easily. Businesses will need to anticipate these evolving threats by implementing advanced AI-driven cybersecurity measures.
Recommendations
1. “Audit your organisation’s technology. Are you using technology designed for today’s challenges? Security by obscurity will no longer work in today’s interconnected business environment. By the same token, yesterday’s technology will not help your organisation respond to the evolving and complex cybersecurity challenges of today, 2025, or 2030. To protect your organisation, it’s critical that you employ data privacy solutions that are addressing the evolution of cybercrime and have robust roadmaps that proactively prevent data breaches from happening in the first place, rather than just reacting to them.
2. “Ask for help! Automation and AI can help fill the skills gap in your organisation; use it. If your team is not prepared to take on the new challenges that data security presents, don’t risk it. Work with trusted experts who build solutions that can reduce your risk, remove manual efforts, and scale with your organisation. Automate, automate, automate…
3. “Always be evolving. You know your business better than anybody so it is up to your organisation to move along the data privacy maturity curve as fast as possible. The more your organisation knows and understands the better positioned your company will be to face the data security challenges ahead.”
Huma Shaikh, Consultant, Mitt Arv
“Startups must prioritise robust data security measures to safeguard their valuable assets. In 2025, embracing passwordless authentication can be a game-changer. This cutting-edge technology eliminates the need for traditional passwords, which are often vulnerable to cyber threats like phishing, brute-force attacks, and social engineering. Instead, passwordless authentication relies on biometric factors (e.g., fingerprints, facial recognition) or possession factors (e.g., mobile devices, security keys) for user verification.
“By adopting this advanced approach, startups can significantly reduce the risk of data breaches, enhance user experience, and foster a more secure digital ecosystem, positioning themselves as industry leaders in data protection.”
David McInerney, Commercial Manager, Data Privacy, Syrenis
“Data encryption is a critical first step in protecting data. Using strong encryption protocols, such as TLS/SSL, ensures information is protected – whether it’s being transmitted over networks or stored on servers. And end-to-end encryption, which ensures data is encrypted from the point of capture to its final destination, provides an additional layer of security.
“Access controls are another essential component. Implementing Role-Based Access Control (RBAC) limits data access based on employees’ roles within the organisation, ensuring that only authorised personnel can access sensitive information. Data minimisation practices should also be adopted to limit the collection of personal data to what is strictly necessary for business purposes. Whenever possible, anonymising or pseudonymising data can significantly reduce risks associated with data breaches.
“And lastly, consent and preference management platforms support data protection by ensuring clear communication and obtaining explicit consent from customers before collecting and using their data. These platforms allow customers to manage their preferences, giving them control over their personal information.”
Nicholas Genest, President, CodeBoxx
“In 2025, startups should think about protecting their data like they are in a guerrilla war. They need to be lean, smart, agile about it in order to remain one step ahead of emerging “breakout threats”.
“Here is an underdog strategy I recommended recently:
“Zero-Trust – Max Clarity: Assume every access request can turn into a breach. Maintain every permission revocable and monitor them.
“Cloud-Native encryption ALWAYS-ON: Encrypt Data at rest, in transit and in use.
“Detect anomalies with AI tools as you monitor the behavior of users. Know your robots and deny access to activities you don’t understand.
“Harden Open source fast, don’t let your frameworks linger in the name of pure stability. Worry now to avoid losing your business to a neglected stack.
“Don’t hoard data; design your data models so you’re allowed to delete.
“Put Audit Trails everywhere, wherever you can, they’re lightweight and will deter anyone from rewriting history on you.
“Culture over tools. Teach every member of the team that they might be the reason the business goes under. Teach them to evaluate the data they put at risk in everything they do no matter what they do.”