Kaspersky’s latest research reveals that the majority of compromised passwords not only violate password-safety guidelines but also remain unchanged for extended periods, which drastically reduces their security.

Although passwords remain one of the major authentication methods, they no longer top the security charts. Often crafted by users themselves, passwords are heavily influenced by human factors, which makes them potentially vulnerable.

Kaspersky experts analysed major password leaks from 2023 to 2025 and identified several recurring patterns:

  • Users frequently append predictable elements like numbers, dates, and personal identifiers to their passwords. For example, 10% of passwords in the datasets analysed contain a number resembling a date (from 1990 to 2025), and 0.5% of all leaked passwords end with the number 2024, which is every 200th password!
  • The most commonly occurring password combination is ‘12345’, which drastically reduces cryptographic strength and shortens the time required for brute-force attacks to succeed. Other popular password components include the word ‘love’, users’ names, and country names.
  • Moreover, the majority of leaked passwords remain unchanged for years. In 2025, 54% of leaked passwords had already been part of prior data breaches, underscoring widespread reuse of outdated passwords. According to the data analysis, the average lifetime of a password found in these leaks is 3.5-4 years.

All these findings highlight the critical vulnerability of password-based authentication when protocols for creation, management, and storage are not rigorously followed.

In response to the growing need for robust security, the industry is increasingly shifting its focus toward next-generation solutions like Passkeys, which offer stronger protection against evolving threats.

Passkey technology is based on cryptographic keys and biometrics and is not subject to threats like phishing or data leaks. A passkey is created for a particular account on a particular platform and is stored directly on the user’s device or in a password manager.