Passwords are outdated, and it’s time for both tech companies and users to move on. There, I said it. Like it or not, the weakest link in cybersecurity is anything that relies on human input. While organizations continue to invest in firewalls and endpoint security, the most persistent vulnerability remains the human password.

The internet has long struggled with poor password practices, but a recent discovery highlights just how serious the problem is. 

Security researchers have uncovered more than 19 billion newly leaked passwords, collected from hundreds of breaches between April 2024 and April 2025. An astonishing 94% of these passwords were either reused, predictable or both.

Join The FREE CyberGuy Report: Get my expert tech tips, critical security alerts and exclusive deals — plus instant access to my free Ultimate Scam Survival Guide when you sign up!

What you need to know

Between April 2024 and April 2025, data from nearly 200 separate cybersecurity incidents became publicly available, as discovered by Cybernews. These were not isolated events. They involved massive leak repositories including combolists, stealer logs and compromised databases. In total, over 3 terabytes of raw leaked data were analyzed, comprising more than 19 billion passwords. Only 6 percent of these, just over 1.1 billion, were unique.

Among the most used passwords, “123456” appeared in over 338 million instances. Words like “Password” and “admin” followed close behind, despite years of public warnings. Such defaults often originate from devices like routers or enterprise tools, where they are rarely changed and frequently reused elsewhere.

1.7 BILLION PASSWORDS LEAKED ON DARK WEB AND WHY YOURS IS AT RISK

Personal names remain a common pattern as well. The name “Ana” appeared in nearly 179 million passwords, followed by countless other first names and name-based combinations. Pop culture, food, cities and even swear words were frequent themes. Words like “Mario,” “love,” “pizza,” “Rome” and various profanities were not just creative choices. They are now security liabilities.

Even worse, attackers do not need to guess anymore. They have automation. Credential stuffing tools now run through billions of known passwords across hundreds of platforms, breaching accounts at success rates as high as two percent. That equates to thousands of compromised profiles, bank accounts, emails and cloud tools every single day.

200 MILLION SOCIAL MEDIA RECORDS LEAKED IN MAJOR X DATA BREACH

The bigger problem

According to CyberNews researcher Neringa Macijauskaite, the core issue is not just weak passwords but how often they are reused. Only six percent of passwords are unique. For most users, security depends entirely on two-factor authentication, if it is enabled at all.

Most passwords fall between eight to 10 characters, with eight being the most common. Around 27 percent of them contain only lowercase letters and digits, making them highly vulnerable to brute force attacks. Less than 20 percent use a mix of cases and numbers, and only a small fraction includes symbols.

HOW SECURE IS MY PASSWORD? USE THIS TEST TO FIND OUT

Despite widespread education efforts, user habits remain stagnant, but one positive trend has emerged. In 2022, only one percent of passwords used a mix of lowercase, uppercase, numbers and symbols. Now that figure has grown to 19 percent, likely driven by stricter password requirements across platforms.

Get a free scan to find out if your personal information is already out on the web.

HR FIRM CONFIRMS 4M RECORDS EXPOSED IN MAJOR HACK

A password manager is the solution

Reused or weak passwords pose a massive threat, not just to individuals but to organizations. A single compromised password can trigger a domino effect, exposing multiple accounts across services. Consider using a password manager to generate and store complex passwords. Get more details about my best expert-reviewed Password Managers of 2025 here.

Four ways to stay safe from password-stealing scammers

Protecting your data requires a mix of smart security habits and reliable tools. Here are four effective ways to keep your information safe.

1. Enable two-factor authentication (2FA): Even if your password is stolen, 2FA adds an extra layer of security by requiring a second form of verification, such as a code from an authentication app or biometric confirmation. Cybercriminals rely on stolen usernames and passwords to break into accounts, but with 2FA enabled, they cannot gain access without the additional security step. Make sure to enable 2FA on important accounts like email, banking and work-related logins.

2. Use strong antivirus software and be cautious with downloads and links: Infostealer malware is the root cause of why your password is out there. It often spreads through malicious downloads, phishing emails and fake websites. Avoid downloading software or files from untrusted sources, and always double-check links before clicking them. Attackers disguise malware as legitimate software, game cheats or cracked applications, so it is best to stick to official websites and app stores for downloads.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.

3. Keep software updated: Cybercriminals exploit outdated software to deliver malware. Keeping your operating system, browsers, and security software up to date ensures that known vulnerabilities are patched. Enable automatic updates whenever possible, and install reputable antivirus or endpoint protection software that can detect and block infostealer threats before they compromise your system.

4. Consider a personal data removal service: These services can help remove your personal information from data broker sites, reducing your risk of identity theft, spam and targeted scams. While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you. Check out my top picks for data removal services here.

SUBSCRIBE TO KURT’S YOUTUBE CHANNEL FOR QUICK VIDEO TIPS ON HOW TO WORK ALL OF YOUR TECH DEVICES

Kurt’s key takeaways 

When it comes down to it, passwords just aren’t cutting it anymore. The sheer number of leaked passwords and the fact that so few are unique show how vulnerable we really are. Cybercriminals are getting smarter and faster, but we don’t have to make it easy for them. By using password managers, enabling two-factor authentication, keeping our software updated and considering extra privacy tools, we can take back some control over this situation. It might take a little effort to change old habits, but the peace of mind you get is worth it.

How many of your accounts use the same password or a variation of it? Let us know by writing us at Cyberguy.com/Contact

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter

Ask Kurt a question or let us know what stories you’d like us to cover.

Follow Kurt on his social channels:

Answers to the most-asked CyberGuy questions:

New from Kurt:

Copyright 2025 CyberGuy.com. All rights reserved.