ISLAMABAD: An analysis of 231 million unique passwords leaked between 2023 and 2026 has revealed several alarming patterns, according to a report by a cybersecurity company.
Firstly, 68 percent of modern passwords can be cracked within a day. Secondly, the vast majority of compromised passwords either begin or end with a digit — a common habit that makes them vulnerable to brute-force attacks.
Thirdly, users often rely on positive or trending words in their passwords. For example, the use of the word “Skibidi” in analyzed passwords increased 36-fold over the past few years, reflecting the rise of an internet trend.
“In recent years, secure password rules have become a widely discussed topic. More and more services now require passwords that are at least 10 characters long, include an uppercase letter, and contain a number or symbol. Yet a comparative analysis of leaked passwords from recent years shows that even following some of these rules does not guarantee protection against brute-force or AI-driven attacks,” the report noted.
“Among leaked passwords containing only one symbol, the ‘@’ sign is the most common, appearing in 10 percent of cases. The next most common symbol is a dot (.), found in 3 percent of passwords. Numbers also follow predictable patterns: 53 percent of examined passwords end with digits, 17 percent begin with digits, nearly 12 percent contain a numeric sequence resembling a date (from 1950 to 2030), and 3 percent include keyboard sequences such as ‘qwerty’ or ‘ytrewq’. However, the most commonly used patterns are numeric sequences like ‘1234’,” the report stated.
Alexey Antonov, Data Science Team Lead at the cybersecurity company, noted that commonly used symbols, numbers, or dates — especially when placed in obvious positions such as the beginning or end of a password — significantly simplify brute-force attacks for cybercriminals.
“That is why it is highly recommended to use less common characters and avoid numeric or keyboard sequences. Brute-force attacks work by systematically trying every possible character combination until the correct password is found. When attackers already know which characters users tend to favor, the time required to crack a password drops dramatically. To avoid choosing predictable symbols, users should rely on dedicated password generators that create random combinations of letters, numbers, and symbols with equal probability,” Antonov said.
The research also showed that emotional and trending words are frequently used as the basis for passwords. Positive words such as “love”, “magic”, “friend”, “team”, “angel”, “star”, and “eden” appeared regularly in leaked passwords and were far more common than negative words. However, words such as “hell”, “devil”, “nightmare”, and “scar” were also found.
The report revealed that short passwords of up to eight characters are typically cracked through brute-force attacks in less than a day. However, due to AI-powered smart algorithms, more than 20 percent of 15-character passwords can now be broken in under a minute.