A study by Cybernews has revealed a shocking cybersecurity reality: only 6% of passwords used online are unique — meaning they are used for just one account.
The study, which analyzed data from 19 billion leaked passwords between April 2024 and April 2025, also revealed other alarming facts. For example, the majority of users (42%) use passwords that are 8 to 10 characters long.
“We’re facing a widespread epidemic of weak password reuse,” explained Neringa Macijauskaitė, cybersecurity researcher at Cybernews.
“Only 6% of passwords are unique, which makes users highly vulnerable to dictionary attacks [when hackers try common words until they find the right match]. For most users, their security relies on two-factor authentication — if it’s enabled.”
The research also showed that about 27% of passwords used only lowercase letters or numbers, while the numeric password “1234” appeared in 4% of all analyzed passwords — totaling over 700 million.
The word “Password” also appeared frequently, and first names were among the most common elements. According to the study, around 1% of passwords contained the name “Ana.”
To better protect passwords, Cybernews recommends using password managers such as Google Password Manager and avoiding the reuse of the same password across multiple services.
Additionally, it’s ideal to create a password that is at least 12 characters long; includes both uppercase and lowercase letters, numbers, and special characters; avoids names and birth dates; and enables two-factor authentication for all possible services.
Photo and video: Unsplash. This content was created with the help of AI and reviewed by the editorial team.
