A sweeping cybersecurity analysis has revealed that more than 19 billion passwords are circulating in the dark corners of the internet, with 94% of them reused or duplicated across multiple accounts, leaving users vulnerable to widespread credential-based attacks. The data, compiled by cybersecurity researchers at Cybernews, highlights persistent user reliance on predictable patterns and a growing epidemic of weak password practices.

The analysis covered over 200 major data breaches between April 2024 and April 2025, exposing 19,030,305,929 real passwords. Despite decades of public awareness campaigns, only 6% of the leaked passwords were unique. Common strings such as "123456" and "password" continue to dominate, with the former appearing in 338 million cases. A further 56 million included the term "password," and 53 million featured "admin."

"Despite years of security education, users still prefer shorter passwords because they are easier to type and memorize," said Neringa Macijauskaitė, an information security researcher at Cybernews. "It's recommended to use at least 12 characters for a password."

The study also revealed that 42% of passwords were only 8-10 characters long, and 27% relied solely on lowercase letters and numbers. While only 1% of passwords used a mix of upper- and lowercase letters, numbers, and symbols in 2022, that figure rose to 19% in the latest data, still well short of what experts consider secure.

Researchers observed that commonly used names, seasonal words, cities, and even curse words made frequent appearances. "Ana" was used in nearly 179 million passwords, while profanity such as "ass" showed up 165 million times, often embedded in longer strings like "password." Pop culture references were also prevalent, with "Batman," "Mario," "Thor," and "Joker" appearing millions of times collectively.
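As an added illustration (not part of the article and not the Cybernews methodology), the checks below turn the patterns reported above into a password assessment and recompute the article's headline metrics over a small constructed sample corpus. The 12-character minimum follows the researcher's recommendation; the denylist of common strings, the class-mix rule and the sample corpus are assumptions made for this example.

```python
import re
from collections import Counter

# The minimum length the Cybernews researcher quoted above recommends.
MIN_LENGTH = 12

# Strings the article reports as dominant in the leaked corpus ("123456",
# "password", "admin") plus the pop-culture words it names. This is a small
# constructed denylist for the example; a deployment would use a far larger
# list derived from breach data.
COMMON_STRINGS = ("123456", "password", "admin", "batman", "mario", "thor", "joker")


def character_classes(pw: str) -> set[str]:
    """Which of the four character classes the password draws from."""
    classes = set()
    if re.search(r"[a-z]", pw):
        classes.add("lower")
    if re.search(r"[A-Z]", pw):
        classes.add("upper")
    if re.search(r"[0-9]", pw):
        classes.add("digit")
    if re.search(r"[^A-Za-z0-9]", pw):
        classes.add("symbol")
    return classes


def assess_password(pw: str) -> list[str]:
    """Return the weaknesses found; an empty list means every check passed."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(pw)
    if classes <= {"lower", "digit"}:
        problems.append("uses only lowercase letters and/or digits")
    elif len(classes) < 4:
        problems.append("does not mix upper, lower, digits and symbols")
    lowered = pw.lower()
    for s in COMMON_STRINGS:
        if s in lowered:
            problems.append(f"contains the common string '{s}'")
    return problems


def corpus_profile(passwords: list[str]) -> dict[str, float]:
    """Recompute the article's headline metrics over a list of leaked passwords.
    Each value is a fraction of the corpus (0.0 to 1.0)."""
    n = len(passwords)
    counts = Counter(passwords)
    unique = sum(1 for c in counts.values() if c == 1)          # appeared only once
    short = sum(1 for p in passwords if 8 <= len(p) <= 10)      # the 8-10 character band
    lower_digit = sum(1 for p in passwords if character_classes(p) <= {"lower", "digit"})
    all_four = sum(1 for p in passwords if len(character_classes(p)) == 4)
    return {
        "unique": unique / n,
        "len_8_to_10": short / n,
        "lower_digit_only": lower_digit / n,
        "all_four_classes": all_four / n,
    }


# Constructed sample standing in for a breach dump (not the Cybernews data).
SAMPLE_CORPUS = [
    "123456", "123456", "password", "admin2024", "Batman1989!",
    "ilovemario", "Tr0ub4dor&3xample!", "summer2024", "Qwerty123!", "123456",
]

if __name__ == "__main__":
    for pw in ("123456", "Batman2024!!", "Tr0ub4dor&3xample!"):
        print(pw, "->", assess_password(pw) or "passes all checks")
    print(corpus_profile(SAMPLE_CORPUS))
```

The profile function reports the same four figures the article quotes (share unique, share 8-10 characters long, share using only lowercase and digits, share mixing all four classes), so the same code run over a real dump reproduces the researchers' measurements rather than a single password verdict.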

The report warns that such predictable patterns make it easy for hackers to deploy credential stuffing attacks, where stolen usernames and passwords are tested across multiple services. Even a success rate as low as 0.2% can compromise thousands of accounts when billions of credentials are involved.

Paul Walsh, CEO of cybersecurity firm MetaCert, emphasized that SMS phishing is a growing, under-addressed threat vector compounding the issue. "Every phishing message was still delivered," Walsh told Forbes, referring to a March test involving major U.S. mobile carriers. "None were blocked, flagged, or rewritten."

He continued, "Criminals have already moved in full force, and the industry is failing to respond. The cybersecurity industry has no shortage of experts in email security... but when it comes to SMS infrastructure and security, there is a distinct lack of deep expertise."

Researchers urge users to adopt password managers, enable multi-factor authentication, and avoid reusing passwords across accounts. Organizations are advised to audit access systems and deploy real-time credential leak detection tools. As Macijauskaitė put it, "We're facing a widespread epidemic of weak password reuse... a breach in one system can compromise the security of other accounts."
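The recommendations above (no password reuse, real-time credential leak detection) can be illustrated with an added example that is not part of the article and is not code from Cybernews or MetaCert. It assumes a leak-detection service that answers k-anonymity range queries, the design popularised by Have I Been Pwned's Pwned Passwords API: the client hashes the password with SHA-1 and sends only the first five hex characters, so the plaintext and the full hash never leave the client. The breach index is a constructed in-memory stand-in, and the vault contents are constructed sample values.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a leak-detection service's breach index (not the
# Cybernews data): SHA-1 hex digests of leaked passwords, bucketed by their
# first five hex characters.
_CONSTRUCTED_LEAKED = ["123456", "password", "admin", "qwerty123"]


def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def build_index(leaked: list[str]) -> dict[str, set[str]]:
    index: dict[str, set[str]] = defaultdict(set)
    for pw in leaked:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


LEAK_INDEX = build_index(_CONSTRUCTED_LEAKED)


def range_lookup(prefix: str) -> set[str]:
    """Service side: answer a prefix query with every suffix in that bucket.
    The service never learns which full hash the client is interested in."""
    return LEAK_INDEX.get(prefix, set())


def is_leaked(pw: str) -> bool:
    """Client side: hash locally, send only the 5-character prefix, and match
    the remaining 35 hex characters locally."""
    digest = sha1_hex(pw)
    return digest[5:] in range_lookup(digest[:5])


def reuse_groups(credentials: dict[str, str]) -> list[list[str]]:
    """Accounts in a user's vault that share a password, grouped together."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for account, pw in credentials.items():
        by_password[pw].append(account)
    return sorted(sorted(accts) for accts in by_password.values() if len(accts) > 1)


def audit_vault(credentials: dict[str, str]) -> dict[str, object]:
    """The two checks a password manager audit would run: which accounts use a
    password present in breach data, and which accounts share a password."""
    return {
        "leaked": sorted(a for a, pw in credentials.items() if is_leaked(pw)),
        "reused": reuse_groups(credentials),
    }


# Constructed vault for the example.
SAMPLE_VAULT = {
    "mail": "Summer2024!",
    "bank": "Summer2024!",
    "forum": "password",
    "shop": "Tr0ub4dor&3xample!",
}

if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT))
```

Because a leaked password matches by full hash equality, a hit in the audit is the credential-stuffing precondition the article describes: the same secret is already in attackers' hands, and any other account in the same reuse group is exposed with it.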