To mark the occasion of World Password Day, Kaspersky experts analysed 231 million unique passwords in major password leaks from 2023 to 2026, and uncovered several key patterns. First, 68% of modern passwords can be cracked within a day. Second, it turned out that the vast majority of compromised passwords either begin or end with a digit – a common pattern that makes them potentially vulnerable to brute force attacks. And third, users also favour positive and trending words; for example, over the past couple of years, use of the word “Skibidi” in analysed passwords surged 36 times, mirroring the rise of that Internet trend.
In recent years, secure passwords’ rules have become a widely discussed topic. More and more services now demand passwords that are at least 10 characters long, include an uppercase letter, and contain a number or a symbol. Yet a comparative analysis of leaked passwords from the past few years shows that even following some of those rules does not guarantee resistance to brute‑force or AI‑driven attacks.
Kaspersky experts share practical advice on how to make passwords more complex and secure, and how not to repeat common mistakes.
Be creative with using symbols and numbers
Among the leaked passwords that contain just one symbol, the “@” sign tops the list, appearing in 10% of cases. The next most common symbol is a dot (.), found in 3% of passwords. Among all analysed passwords “@” takes second place in terms of prevalence, and in third place is “!”.
Numbers also follow similarly predictable patterns:
- 53% of examined passwords end with digits;
- 17% begin with digits;
- Nearly 12% include a numeric sequence that resembles a date (from 1950 to 2030);
- 3% of leaked passwords include keyboard sequencies like “qwerty” or “ytrewq”, but most of them are digital sequencies like “1234”.
Alexey Antonov, Data Science Team Lead at Kaspersky, notes that commonly used symbols, numbers, or dates – especially when placed in obvious positions (such as at the beginning or end of a password) – significantly simplify brute force attacks for cybercriminals. That’s why it’s highly recommended to give preference to less popular characters, and avoid numeric or keyboard sequences.
“Bruteforce works by systematically trying every possible character combination until the correct password is found. When attackers already know which characters users tend to favour, the time required to crack a password drops dramatically. To avoid the temptation of choosing predictable symbols, entrust password creation to dedicated generators that produce random letters, numbers, and symbols with equal probability”, says Alexey Antonov.
Between… Eden and hell: Try to avoid using words in a password
The research shows that emotional and trending words frequently become the basis for a password. For example, from 2023 to 2026 the use of the word “Skibidi” in passwords increased 36 times – mirroring the rapid rise of that Internet trend.
Kaspersky experts have also conducted analysis of the occurrence of positive and negative words in passwords, and it turned out that there are more positive ones. Among those regularly appearing are positive words like “love”, “magic”, “friend”, “team”, “angel” and “star”, “eden”. Interestingly, positive words are much more common than negative ones. However, words like “hell”, “devil”, “nightmare” and “scar” also occur.
“Using a single‑word password, even with a trailing number or a special character, is a weak choice. The pattern is too predictable, making it easy for attackers to guess. Instead, craft a passphrase that strings together several unrelated words, each supplemented with internal numbers and symbols, and sprinkle in a few intentional misspellings. The longer and more random and unpredictable the password is, the harder it is to crack. As an additional way to protect yourself, enable two-factor authentication (2FA) wherever possible,” recommends Alexey Antonov.
Is password length important?
It’s well known that longer passwords are harder to crack, and the analysis of leaked passwords confirms this principle. However, with the rise of AI driven tools, length alone no longer guarantees security: even lengthy passwords can be compromised if they follow predictable patterns.
The research shows that short passwords of up to eight characters that appeared in the leak are typically cracked by brute force attacks in under a day. However, thanks to AI-powered smart algorithms, more than 20% of 15-character passwords can be broken in less than a minute.
How password length affects hack rates: results based on a single 5090 GPU and MD5 algorithm.
What’s more 60.2% of all analysed passwords – regardless of length – can be cracked in about an hour; 68.2% – in a day.
In the examples provided, the calculations assume a single RTX 5090 GPU and the MD5 algorithm. In real‑world scenarios, attackers can rent multiple GPUs – ten, a hundred, or even more. Under such conditions, the cracking rate would increase potentially by several orders of magnitude.
In modern terms, truly secure passwords not only meet the gold standard of 16+ characters, but also consist of random, non-repeating letters, numbers, and symbols, and are unique for each account. To help users create such passwords, Kaspersky has added a password generation feature to the Kaspersky Password Generator website. Now users can not only check their passwords for leaks, but also generate secure passwords for free.
For easy and secure password management, auto-fill, and cross-device synchronisation consider using a password manager in which all credentials are stored in a secure vault and protected by a single master password. This eliminates the need to remember hundreds of passwords while keeping them safe from breaches. What’s more, not only passwords, but also passkeys can be created and stored directly in Kaspersky Password Manager, which allows not only to sign in to supported services with a single tap, but also to access passkeys on all devices owing to secure synchronisation.
