To mark World Password Day, Kaspersky experts analyzed 231 million unique passwords from major leaks between 2023 and 2026, uncovering critical patterns that compromise security. The study reveals that 68% of modern passwords can be cracked within a single day, with many following predictable structures that make them vulnerable to brute force and AI-driven attacks.
Key Findings from Password Analysis
The research identified three major trends. First, 68% of passwords are weak enough to be cracked in under 24 hours. Second, the vast majority of compromised passwords either start or end with a digit, a common pattern that significantly reduces cracking time. Third, users frequently incorporate positive and trending words; for instance, the word "Skibidi" appeared 36 times more often in 2026 than in 2023, reflecting the rise of an internet trend.
Common Symbols and Number Patterns
Among leaked passwords containing a single symbol, the "@" sign is most prevalent, appearing in 10% of cases, followed by a dot (3%) and "!" in third place. Numbers also follow predictable patterns: 53% of passwords end with digits, 17% begin with digits, nearly 12% include a date sequence between 1950 and 2030, and 3% use keyboard sequences like "qwerty" or "ytrewq" alongside numeric sequences like "1234".
Alexey Antonov, Data Science Team Lead at Kaspersky, explains that commonly used symbols, numbers, or dates placed at obvious positions simplify brute force attacks. He recommends using less popular characters and avoiding numeric or keyboard sequences. "Brute force works by trying every possible combination. When attackers know preferred characters, cracking time drops dramatically. Use dedicated generators to create random passwords," he advises.
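As an added illustration (not code from Kaspersky or from the study), the structural patterns listed above can be checked when a user chooses a password, so that predictable ones are rejected before they are stored. The function names, the flag labels and the four-character run length are assumptions made for this sketch, and it generalizes the "qwerty"/"ytrewq" and "1234" examples to any run along a keyboard row or digit series in either direction.

```python
import re

# Keyboard rows scanned in both directions; the article names "qwerty" and "ytrewq".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
DIGIT_RUNS = ("01234567890", "09876543210")
COMMON_SYMBOLS = set("@.!")  # the three most frequent single symbols per the article
RUN_LEN = 4  # assumption: a run of 4+ adjacent characters counts as a sequence


def _has_run(text, sources, n=RUN_LEN):
    """True if text contains any n-character window taken from one of the sources."""
    windows = {s[i:i + n] for s in sources for i in range(len(s) - n + 1)}
    return any(text[i:i + n] in windows for i in range(len(text) - n + 1))


def _has_year(pw, lo=1950, hi=2030):
    """True if any 4-digit window is a year in the range the article reports."""
    return any(lo <= int(m) <= hi for m in re.findall(r"(?=([0-9]{4}))", pw))


def audit_password(pw):
    """Return the list of predictable-structure flags that apply to pw."""
    flags = []
    lower = pw.lower()
    if pw[-1:].isdigit():
        flags.append("ends_with_digit")
    if pw[:1].isdigit():
        flags.append("starts_with_digit")
    if _has_year(pw):
        flags.append("year_1950_2030")
    rows = KEYBOARD_ROWS + tuple(r[::-1] for r in KEYBOARD_ROWS)
    if _has_run(lower, rows):
        flags.append("keyboard_sequence")
    if _has_run(pw, DIGIT_RUNS):
        flags.append("digit_sequence")
    symbols = [c for c in pw if not c.isalnum()]
    if len(symbols) == 1 and symbols[0] in COMMON_SYMBOLS:
        flags.append("single_common_symbol")
    return flags


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any leak.
    for sample in ("Skibidi2026", "qwerty1234!", "1love@home", "tR7#vq)Lw2^mZp8&"):
        print(f"{sample!r}: {audit_password(sample) or 'no flagged pattern'}")
```

An empty result only means none of these specific patterns matched; it is not a strength score.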
Emotional and Trending Words in Passwords
The study found that emotional and trending words are frequently used as password bases. From 2023 to 2026, the word "Skibidi" became 36 times more frequent in leaked passwords. Positive words like "love," "magic," "friend," "team," "angel," "star," and "eden" are more common than negative ones such as "hell," "devil," "nightmare," and "scar." However, any single-word password with a trailing number or symbol is weak.
Antonov recommends crafting passphrases with multiple unrelated words, each supplemented with internal numbers and symbols, plus intentional misspellings. He also urges enabling two-factor authentication (2FA) wherever possible.
Password Length and AI-Driven Cracking
Longer passwords are harder to crack, but length alone is insufficient against AI-powered tools. Short passwords of up to eight characters are typically cracked in under a day. However, AI algorithms can break over 20% of 15-character passwords in less than a minute. Overall, 60.2% of all analyzed passwords can be cracked in about an hour, and 68.2% within a day.
These calculations assume a single RTX 5090 GPU and the MD5 hashing algorithm. In real-world scenarios, attackers can use multiple GPUs, increasing cracking speed by orders of magnitude. Truly secure passwords should be 16+ characters, consisting of random letters, numbers, and symbols, and unique for each account.
Kaspersky Password Generator and Manager
Kaspersky has added a password generation feature to its Password Generator website, allowing users to check for leaks and generate secure passwords for free. For easy management, Kaspersky Password Manager stores credentials in a secure vault, supports auto-fill and cross-device synchronization, and allows creation and storage of passkeys for one-tap sign-in across devices.



