At The Tech Boomer, we’re always advocating for smarter, safer tech use – and a new study from Cybernews shows we’ve still got a long way to go when it comes to password habits. Researchers analyzed over 19 billion stolen passwords leaked between April 2024 and April 2025, and the results are, well, “Houston, we have a problem.”
The Password Problem Is Worse Than Ever
According to the report, published here, out of nearly 20 billion passwords, only 6% were unique. That means 94% of users reused the same passwords or slightly modified versions. Favorites like “123456,” “password,” and “admin” are still dominating – despite years of warnings.
Even worse? These simplistic passwords weren’t just one-offs. “1234” alone was found in 727 million passwords. And names – like “Ana” – were the second most common password ingredient, showing up in millions of them. This means that people are still picking passwords that are easy to remember, which makes them easy to guess.
A Bonanza For Criminals
This data wasn’t scraped from thin air. It came from over 200 confirmed data leaks and breaches, including hacked platforms, malware-stealer logs, and leaked credential dumps – all publicly available and weaponized by cybercriminals.
The impact is significant. When attackers get their hands on these password dumps, they launch credential stuffing attacks, where bots automatically try stolen credentials across thousands of websites. Even with a low success rate (0.2%–2%), these attacks are highly profitable – imagine trying a million logins and unlocking thousands of accounts.
Among the three websites that I manage, I get hundreds of attacks weekly. And they all fail. Why? Because I use long, strong, unrememberable passwords.
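Here is what that bot traffic looks like in a website’s login log, as an added example that is not from this post or from the Cybernews report. The log format (timestamp, client IP, username, result) is an assumption and every line is made up. The script flags any source address that cycles through many different usernames in a short window, which is what a stuffing bot does and what a real user who mistypes a password does not, and it lists the accounts where a stolen password actually worked so those can be reset first:

```python
"""Flag credential-stuffing bursts in login logs.

Added example for this post; it is not code from The Tech Boomer or from the
Cybernews report. The log format below (timestamp, client IP, username,
result) is an assumption, and every log line is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source IP cycles through many different usernames in
# a few seconds (the stuffing pattern: stolen username/password pairs replayed
# by a bot), while a second IP is a real user who mistypes twice and then logs in.
SAMPLE_LOG = """\
2025-05-01T10:00:01 203.0.113.7 alice FAIL
2025-05-01T10:00:02 203.0.113.7 bob FAIL
2025-05-01T10:00:02 203.0.113.7 carol FAIL
2025-05-01T10:00:03 203.0.113.7 dave FAIL
2025-05-01T10:00:03 203.0.113.7 erin FAIL
2025-05-01T10:00:04 203.0.113.7 frank OK
2025-05-01T10:00:05 203.0.113.7 grace FAIL
2025-05-01T10:00:06 203.0.113.7 heidi FAIL
2025-05-01T10:00:07 203.0.113.7 ivan FAIL
2025-05-01T10:00:08 203.0.113.7 judy FAIL
2025-05-01T10:00:09 203.0.113.7 mallory FAIL
2025-05-01T10:00:09 203.0.113.7 oscar FAIL
2025-05-01T10:05:00 198.51.100.4 alice FAIL
2025-05-01T10:05:30 198.51.100.4 alice FAIL
2025-05-01T10:06:10 198.51.100.4 alice OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(seconds=60),
                    min_distinct_users=10, min_fail_ratio=0.8):
    """Return {ip: summary} for every source IP that, inside one sliding
    window, tried at least `min_distinct_users` different accounts with a
    failure ratio of at least `min_fail_ratio`.

    Many distinct usernames from one IP separates stuffing from a single
    user fumbling their own password, and the rare OK inside such a burst
    names the account whose leaked password still works.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {user for _, user, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            ratio = fails / len(span)
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                summary = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "fail_ratio": round(ratio, 3),
                    # Accounts to force a reset on: the stuffed credential worked.
                    "compromised_accounts": sorted(u for _, u, ok in span if ok),
                }
                # Keep the widest burst seen for this IP.
                if ip not in alerts or summary["distinct_users"] > alerts[ip]["distinct_users"]:
                    alerts[ip] = summary
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

Run as-is, it reports only 203.0.113.7: twelve different accounts in eight seconds, eleven failures, and one hit on “frank”, whose password needs changing. The second address never trips the rule because a real user tries one account, not a dozen. The thresholds are starting points; on a small site a lower distinct-user count in a longer window may fit better.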
What Makes a Weak Password?
Cybernews broke down common patterns:
42% of users stick to 8–10 character passwords, with 8 characters being the most popular.
27% used only lowercase letters and digits – no caps, no symbols.
Swear words, names, cities, animals, and pop culture terms (like “Batman” or “Elsa”) were shockingly common.
“Ana,” “love,” “pizza,” “Rome,” and “lion” are just a few of the most reused keywords.
These choices might feel personal or memorable – but attackers know that too. Their tools are built around these exact tendencies.
A Small Sign of Hope
There’s one silver lining: 19% of passwords now include a mix of upper and lowercase letters, numbers, and symbols. That’s a jump from just 1% back in 2022. Stricter requirements from platforms seem to be nudging behavior in the right direction – but there’s still a long way to go.
So, What Can You Do?
Here at The Tech Boomer, we always recommend tech that works for you, not against you. If you’re still relying on “123456” or your cat’s name, here’s what to do:
1. Use a password manager – These tools generate and store strong, unique passwords for every site. No more remembering dozens of logins. I recommend 1Password; that’s what I use. For a comprehensive review of the most popular password managers, click here.
2. Enable multi-factor authentication (MFA) – Always. It’s the best backup if a password gets exposed. If you’re not sure what MFA (also referred to as 2FA, or 2-factor authentication) is, click here.
3. Create strong passwords – Shoot for 12+ characters, include symbols, and avoid anything predictable (like your birthday or favorite superhero). I just had 1Password create an example password; this is what it created: “ZDK0djg_mxg7dke4yud”. And no, you can’t remember that. That’s why you use a password manager.
4. Never reuse passwords – One breach shouldn’t compromise all your accounts. Would you want one key to be able to open every lock, including your house, cars, etc.?
5. Stay alert – Watch for news of data breaches and reset your passwords if you’re affected. And be aware, the sites that have been compromised aren’t really fond of telling you that they have been breached.
And it’s not really necessary to change your password every so often. I have one website that forces a password change every 6 months. That’s not needed. If you have a strong, unguessable password, it’s unnecessary to change it, that is, unless it’s been compromised.
And if you want to check a password to see how strong it is, use Steve Gibson’s Password Haystacks.
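As an added example (not code from this post, from Cybernews, or from the Haystacks page), here is a small Python script that applies both ideas above: it flags the weak patterns the study found (short, lowercase-plus-digits only, built around a reused word like “pizza” or “Ana”) and computes the Haystacks-style brute-force search space for a password. The keyword list is taken from the post; the attacker speed of 100 billion guesses per second is an assumption chosen to illustrate an offline attack.

```python
"""Score a password against the weak patterns in the Cybernews study and
estimate its brute-force search space the way Password Haystacks does.

Added example for this post; it is not code from The Tech Boomer, Cybernews,
or Steve Gibson's Haystacks page. The keyword list comes from the post; the
guess rate is an assumption chosen to illustrate an offline attack.
"""
import string

# Reused ingredients the post lists, lowercased for matching.
COMMON_KEYWORDS = ("123456", "password", "admin", "1234",
                   "ana", "love", "pizza", "rome", "lion", "batman", "elsa")

# Assumed attacker speed: 100 billion guesses/second (offline, GPU-class), a
# round number for illustration only.
OFFLINE_GUESSES_PER_SECOND = 1e11


def charset_size(password):
    """Size of the smallest standard alphabet that contains every character."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def search_space(password):
    """Haystack-style count: every string of length 1..len(password) drawn
    from the detected alphabet. This measures exhaustive search only; a
    dictionary or leaked-list attack finds a common word far sooner, which is
    why weaknesses() is checked separately."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def weaknesses(password):
    """Patterns the study found dominating the 19 billion leaked passwords."""
    found = []
    if len(password) < 12:
        found.append(f"only {len(password)} characters (aim for 12 or more)")
    if password and all(c.islower() or c.isdigit() for c in password):
        found.append("only lowercase letters and digits")
    hits = [k for k in COMMON_KEYWORDS if k in password.lower()]
    if hits:
        found.append("contains common keyword(s): " + ", ".join(hits))
    return found


def assess(password, guesses_per_second=OFFLINE_GUESSES_PER_SECOND):
    """Combine the pattern check with the search-space estimate."""
    space = search_space(password)
    return {
        "length": len(password),
        "charset": charset_size(password),
        "search_space": space,
        "seconds_to_exhaust": space / guesses_per_second,
        "weaknesses": weaknesses(password),
    }


if __name__ == "__main__":
    for pw in ("123456", "pizza2024", "ZDK0djg_mxg7dke4yud"):
        print(pw, assess(pw))
```

The 1Password example from step 3, “ZDK0djg_mxg7dke4yud”, comes back with no weaknesses and a search space above 10^37, while “123456” trips all three checks and its whole space is exhausted in a fraction of a second. The search-space number only describes exhaustive guessing; a password built from a name or a common word is found by a dictionary run long before that, which is why the pattern check matters more than the big number. Run the script locally rather than typing a real password into any website.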
Passkeys
Passkeys are quickly replacing passwords. I personally have converted a few websites over to passkeys.
What is a passkey? Stay tuned, I’ll be publishing an article on them in the next few days.
The Bottom Line
Passwords aren’t just annoying – they’re your first line of defense. And when 94% of users reuse weak ones, it’s no wonder cyberattacks keep climbing.
If there’s one takeaway from this massive study, it’s this: password habits must change. Whether you’re managing one email or a dozen online accounts, your digital safety depends on it.
So let’s get smarter, Boomers—one secure password at a time.