On World Password Day (7 May), Kaspersky experts analyzed 231 million unique passwords from major data leaks between 2023 and 2026, identifying several key trends. Here, then, are some practical tips for creating more complex and secure passwords, avoiding the most common mistakes.
Symbols and numbers
Among the leaked passwords containing only one symbol, “@” is the most used, appearing in 10% of cases. This is followed by the dot (.), present in 3% of passwords, and “!”, which is the third most common overall.
The use of numbers also follows equally predictable patterns:
- 53% of passwords examined end in digits.
- 17% start with numbers.
- Nearly 12% include a number sequence that resembles a date (1950 to 2030).
- 3% of leaked passwords contain keyboard sequences like “qwerty” or “ytrewq,” but the majority of them are numeric sequences like “1234.”
Alexey Antonov, Data Science Team Lead at Kaspersky, points out that commonly used symbols, numbers or dates, especially if placed in predictable positions, such as at the beginning or end of the password, greatly facilitate brute force attacks. For this reason, it is advisable to use less common characters and avoid numeric sequences or keyboard key combinations.
Don’t use words in your passwords
Research highlights how emotionally charged and trending words are often used as the basis for passwords. For example, between 2023 and 2026, use of the word “Skibidi” (a neologism born from the viral “Skibidi Toilet” meme) increased 36-fold, following its spread online.
A further analysis of the presence of positive and negative words shows that the former are significantly more widespread. Among the most frequent are “love”, “magic”, “friend”, “team”, “angel”, “star” and “Eden”. However, terms such as “hell”, “devil”, “nightmare” and “scar” are also present.
“Using a password composed of a single word, even if accompanied by numbers or symbols, is an unsafe choice: the pattern remains too predictable. It is preferable to create a passphrase composed of several unrelated words, enriched by numbers and symbols and with some intentional spelling errors”, added Alexey Antonov.
Does password length matter?
Longer passwords are known to be harder to crack, and analysis of leaked passwords confirms this. However, with the rise of AI-based tools, length alone is no longer enough: even long passwords can be compromised if they follow predictable patterns.
Research shows that short passwords, up to eight characters, are typically cracked in less than a day via brute force attacks. Additionally, thanks to AI-based algorithms, more than 20% of 15-character passwords can be cracked in less than a minute. Furthermore, 68.2% of all passwords analyzed, regardless of their length, can be cracked in a single day.
In the cases considered, the calculations are based on the use of a single Nvidia RTX 5090 GPU and the MD5 algorithm. However, in real-world scenarios, hackers can use multiple GPUs, thus increasing the cracking speed by several orders of magnitude.
Today, a truly secure password not only meets the minimum standard of at least 16 characters, but must also be composed of a random and non-repetitive combination of letters, numbers and symbols, as well as being unique for each account.
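The predictable patterns listed above can be checked when a password is set. The following is an added example, not code from Kaspersky's analysis: the function name, the regular expression used for "date-like" numbers, the single-word heuristic and the sample passwords are all assumptions constructed for illustration.

```python
import re

# Patterns the article reports as common in leaked passwords.
KEYBOARD_RUNS = ("qwerty", "ytrewq", "1234")  # sequences named in the article
COMMON_SYMBOLS = set("@.!")                   # the three most-used symbols
MIN_LENGTH = 16                               # minimum length the article recommends
# Assumption: "date-like" means any 4-digit substring from 1950 to 2030.
YEAR_RE = re.compile(r"19[5-9]\d|20[0-2]\d|2030")


def predictable_patterns(password: str) -> list[str]:
    """Return the names of the predictable patterns found in the password."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("shorter_than_16")
    if re.search(r"\d$", password):
        findings.append("ends_with_digit")
    if re.match(r"\d", password):
        findings.append("starts_with_digit")
    if YEAR_RE.search(password):
        findings.append("date_like_number")
    if any(run in password.lower() for run in KEYBOARD_RUNS):
        findings.append("keyboard_or_numeric_run")
    # Exactly one symbol, and it is one of the three most common ones.
    symbols = [c for c in password if not c.isalnum()]
    if len(symbols) == 1 and symbols[0] in COMMON_SYMBOLS:
        findings.append("single_common_symbol")
    # Heuristic (assumption): one unbroken run of letters means a single
    # word decorated with digits or symbols, which the article warns against.
    if len(re.findall(r"[A-Za-z]+", password)) == 1:
        findings.append("single_word_base")
    # The article asks for a non-repetitive combination of characters.
    if re.search(r"(.)\1\1", password):
        findings.append("repeated_character")
    return findings


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any leak.
    for sample in ("Skibidi2024!", "qwerty1234", "v7#Kq9$Lm2^Xr5&Tz"):
        print(sample, "->", predictable_patterns(sample) or "no listed pattern")
```

An empty result only means that none of the listed patterns matched; it does not show that the password is random or unique to one account.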