Cybersecurity company Kaspersky says nearly 68% of modern passwords can be cracked within a day, according to new research analyzing 231 million leaked passwords collected between 2023 and 2026.
The study highlights growing concerns over weak password habits and the increasing effectiveness of AI-driven cyberattacks. Researchers found that many users continue to rely on predictable patterns, including common symbols, dates, keyboard sequences and trending words, making passwords easier for attackers to break.
Kaspersky said 60.2% of all analyzed passwords could be cracked within an hour, while even some longer passwords remained vulnerable if they followed familiar structures.
Common password patterns remain widespread
The research found that most compromised passwords either begin or end with numbers. Around 53% ended with digits, while 17% started with numbers. Nearly 12% included date-like sequences between 1950 and 2030.
Keyboard combinations such as “1234,” “qwerty” and similar sequences also remained common in leaked credentials.
Among passwords containing only one special character, the “@” symbol appeared most frequently, showing up in around 10% of cases. A period (.) was the second most common symbol.
Researchers also found users frequently included positive or trending words in passwords. Common examples included “love,” “magic,” “angel,” “team,” and “star.” The study also noted a sharp rise in passwords containing the word “Skibidi,” reflecting internet culture trends over recent years.
AI tools are changing password security risks
According to Kaspersky, traditional password rules such as adding one uppercase letter or a number may no longer provide enough protection against modern attacks.
Alexey Antonov, Data Science Team Lead at Kaspersky, said predictable placement of numbers and symbols significantly reduces the time needed for brute-force attacks.
He recommended using randomly generated passwords rather than manually creating passwords based on familiar patterns or words.
The company said short passwords with up to eight characters are often cracked in less than a day, while some 15-character passwords can also be broken within minutes if they follow predictable formats.
Experts recommend longer and more random passwords
Kaspersky advised users to create passwords with at least 16 characters using a mix of random letters, numbers and symbols. The company also recommended avoiding reused passwords across multiple accounts.
Researchers suggested using passphrases made up of unrelated words combined with symbols, numbers and intentional misspellings to improve security.
The study also encouraged enabling two-factor authentication (2FA) and using password management tools to securely store and generate unique credentials.
Also read: Kaspersky survey flags cybersecurity gaps and shadow IT risks in Pakistan workplaces
Today's E-Paper