To mark World Password Day, Kaspersky experts analyzed 231 million unique passwords leaked between 2023 and 2026 and found that 68% of modern passwords can be cracked within a day. The research revealed that most compromised passwords begin or end with digits, making them easier targets for brute-force attacks. Trending and positive words are also commonly used in passwords, with the term “Skibidi” appearing 36 times more often over recent years, reflecting internet culture trends, a press release said.
The study showed predictable habits in password creation. Among passwords containing one symbol, “@” appeared most frequently, followed by “.” and “!”. More than half of passwords ended with digits, while 17% started with them. Nearly 12% included date-like sequences, and 3% used keyboard patterns such as “qwerty” or “1234”.
Alexey Antonov, Data Science Team Lead at Kaspersky, notes that commonly used symbols, numbers, or dates – especially when placed in obvious positions (such as at the beginning or end of a password) – significantly simplify brute force attacks for cybercriminals. That’s why it’s highly recommended to give preference to less popular characters, and avoid numeric or keyboard sequences.
“Bruteforce works by systematically trying every possible character combination until the correct password is found. When attackers already know which characters users tend to favor, the time required to crack a password drops dramatically. To avoid the temptation of choosing predictable symbols, entrust password creation to dedicated generators that produce random letters, numbers, and symbols with equal probability,” says Alexey.
The research also found that users favor emotional and positive words like “love”, “magic”, “angel”, and “eden”, although negative words such as “hell” and “devil” also appear.
“Using a single word password, even with a trailing number or a special character, is a weak choice. The pattern is too predictable, making it easy for attackers to guess. Instead, craft a passphrase that strings together several unrelated words, each supplemented with internal numbers and symbols, and sprinkle in a few intentional misspellings. The longer and more random and unpredictable the password is, the harder it is to crack. As an additional way to protect yourself, enable two-factor authentication (2FA) wherever possible,” recommends Alexey Antonov.
*The analysis is based on data provided by the Kaspersky Digital Footprint Intelligence service.
