A new study by Kaspersky has found that more than two-thirds of commonly used passwords can be cracked within a day, highlighting ongoing risks from weak password habits and increasingly advanced cyberattack tools.
The cybersecurity company analyzed 231 million leaked passwords from major data breaches between 2023 and 2026 and found that 68.2% could be broken in less than 24 hours. Researchers said predictable patterns, repeated characters and commonly used words continue to make many passwords vulnerable to brute-force and AI-assisted attacks.
The report found that users frequently place numbers at the beginning or end of passwords, making them easier for automated systems to predict. About 53% of analyzed passwords ended with digits, while 17% started with numbers.
Researchers also identified widespread use of keyboard sequences such as “1234” and “qwerty,” along with date combinations and common symbols including “@” and periods.
Trending words and predictable phrases increase risks
Kaspersky said many users continue to build passwords around familiar or emotional words. Frequently appearing terms included “love,” “magic,” “friend,” “angel” and “star.”
The company also observed a significant increase in passwords containing internet trend-related words, including “Skibidi,” which appeared 36 times more often during the study period.
According to the research, longer passwords are not always secure if they follow predictable structures. Kaspersky found that more than 20% of leaked passwords containing 15 characters could still be cracked in under a minute using AI-powered tools.
Experts urge stronger password habits
Alexey Antonov, Data Science Team Lead at Kaspersky, said attackers can dramatically reduce cracking time when users rely on familiar character combinations or predictable formatting.
He advised users to avoid simple word-based passwords with only minor modifications, such as adding a number or symbol at the end.
Instead, the company recommends using passwords with at least 16 random characters, including letters, numbers and symbols, while avoiding repeated patterns or reused credentials across multiple accounts.
Kaspersky also encouraged enabling two-factor authentication and using password managers to securely generate and store unique passwords.
The company recently added a password generation feature to its online password tool to help users create stronger credentials.
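As an added illustration (not code from Kaspersky or its password tool), the Python sketch below checks a candidate password for the predictable traits the report describes and generates a 16-character random password in line with the recommendation above. The function names, finding codes, short word lists and year pattern are assumptions built only from the examples quoted in this article.

```python
import re
import secrets
import string

# Assumed sample lists: only the terms the article quotes, not a real wordlist.
COMMON_WORDS = ("love", "magic", "friend", "angel", "star", "skibidi")
KEYBOARD_RUNS = ("1234", "qwerty")
YEAR_RE = re.compile(r"(19|20)\d{2}")   # crude stand-in for "date combinations"
REPEAT_RE = re.compile(r"(.)\1{2,}")    # same character three or more times in a row

def audit_password(pw: str) -> list[str]:
    """Return codes for the predictable traits found in pw; [] means none found."""
    low = pw.lower()
    findings = []
    if len(pw) < 16:
        findings.append("short")
    classes = (any(c.isalpha() for c in pw), any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw))
    if not all(classes):
        findings.append("missing_class")
    # Digits that appear only as a prefix or suffix around a non-digit core.
    core = pw.strip(string.digits + string.punctuation)
    if classes[1] and not any(c.isdigit() for c in core):
        findings.append("edge_digits")
    if any(run in low for run in KEYBOARD_RUNS):
        findings.append("keyboard_run")
    if any(word in low for word in COMMON_WORDS):
        findings.append("common_word")
    if YEAR_RE.search(pw):
        findings.append("date")
    if REPEAT_RE.search(pw):
        findings.append("repeat")
    return findings

def generate_password(length: int = 16) -> str:
    """Draw random characters with a CSPRNG, redrawing until the audit is clean."""
    if length < 16:
        raise ValueError("length must be at least 16")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not audit_password(pw):
            return pw

if __name__ == "__main__":
    # Constructed sample passwords, not taken from any leak.
    for sample in ("Skibidi2025!", "angelangel123456", generate_password()):
        print(sample, audit_password(sample))
```

The second sample is 16 characters long and still produces four findings, which mirrors the report's point that length alone does not help when the structure is predictable.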




